A service is created using NSSM to run under the LocalSystem account.
The privilege escalation vulnerability in NSSM-2.24 arises from improper handling of service configurations and interactions with the Windows operating system. Specifically, the vulnerability allows an attacker to exploit the service manager's functionality to gain elevated privileges on the system.
C:\ProgramData\... or C:\Program Files\... with weak permissions
Full system takeover (Vertical Privilege Escalation)
Detection
EDR alerts for nssm.exe in unusual paths like \Windows\tmp\
Prevention & Mitigation
As defenders, we must treat every binary on our systems—especially those capable of managing services—as a potential threat vector. The presence of NSSM 2.24 on a machine should be considered a critical finding, equivalent to an unpatched local exploit.
An attacker could exploit this vulnerability by creating or modifying a service configuration in a way that NSSM would execute a command or load a DLL with elevated privileges. This could be achieved through specially crafted service definitions that are then processed by NSSM.
The Non-Sucking Service Manager (NSSM) is a popular, open-source utility used by system administrators to run command-line applications as Windows services. While it simplifies background process management, older versions contain critical vulnerabilities. Specifically, issues surrounding NSSM version 2.24 frequently expose systems to privilege escalation attacks.
Look for:
Avoid running services under the LocalSystem account whenever possible. Configure services to run under dedicated low-privilege service accounts with only the minimum permissions necessary for the application to function.
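An audit sketch for the detection and mitigation points above, added here as an example and not taken from the original page or the NSSM project: it inventories services whose image path is nssm.exe and flags LocalSystem services whose NSSM binary, wrapped application, or their folders are writable by broad groups. The function names, the English group names in `$BroadPrincipals`, and the write-rights mask are assumptions.

```powershell
# Added audit example: inventory NSSM-wrapped services and flag risky ones.
# Assumption: these English group names are the "broad" principals of interest.
$BroadPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
# Rights that let a principal replace or tamper with a file or folder.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Test-BroadWrite {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $weak = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band [int]$WriteMask) -ne 0)
    }
    return [bool]$weak
}

function Get-NssmServiceAudit {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match '\\nssm\.exe' } |
        ForEach-Object {
            # The image path may be quoted or unquoted; keep only the executable.
            $nssm = if ($_.PathName -match '^\s*"([^"]+)"') { $Matches[1] }
                    elseif ($_.PathName -match '^\s*(.+?\.exe)') { $Matches[1] }
            # NSSM stores the wrapped program under the service's Parameters key.
            $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
            $app = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Application
            $nssmDir = if ($nssm) { Split-Path -Path $nssm -Parent }
            $appDir  = if ($app)  { Split-Path -Path $app -Parent }
            [pscustomobject]@{
                Service      = $_.Name
                StartName    = $_.StartName
                RunsAsSystem = $_.StartName -eq 'LocalSystem'
                NssmPath     = $nssm
                NssmVersion  = if ($nssm -and (Test-Path -LiteralPath $nssm)) {
                                   (Get-Item -LiteralPath $nssm).VersionInfo.FileVersion }
                WrappedApp   = $app
                NssmWritable = (Test-BroadWrite $nssm) -or (Test-BroadWrite $nssmDir)
                AppWritable  = (Test-BroadWrite $app) -or (Test-BroadWrite $appDir)
            }
        }
}

# Highest-priority findings: LocalSystem services with a replaceable binary.
Get-NssmServiceAudit |
    Where-Object { $_.RunsAsSystem -and ($_.NssmWritable -or $_.AppWritable) } |
    Format-Table -AutoSize
```

Run it from an elevated prompt so the Parameters keys and ACLs are readable; piping `Get-NssmServiceAudit` without the filter gives the full inventory, including the reported nssm.exe file version and path for each service.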