Nssm-2.24 Privilege Escalation Fix 【2024】

reg query HKLM\SYSTEM\CurrentControlSet\Services /s /f "ImagePath" | findstr /i "nssm"

If you are running NSSM, understanding how an attacker can move from a low-privilege user to SYSTEM is critical for securing your infrastructure. What is NSSM?

: Ensure that only administrators have "Write" or "Modify" permissions on the directory where nssm.exe is located and the Registry keys associated with the service. nssm-2.24 privilege escalation

Check the permissions on the registry keys where NSSM stores its parameters. Ensure that standard users cannot modify keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ . 3. Use Service Accounts

The is a popular, lightweight tool used to turn Windows applications, scripts, and batches into managed services. By managing the service lifecycle, it ensures applications restart automatically if they crash. However, older versions, specifically NSSM 2.24 , have been associated with a critical vulnerability— Local Privilege Escalation (LPE) —that can allow a low-privileged user to gain NT AUTHORITY\SYSTEM rights. Check the permissions on the registry keys where

The payload runs as SYSTEM . The attacker now has a high-integrity shell, can dump LSASS for credentials, move laterally, or disable security tools.

Privilege escalation occurs when a standard user can trick a high-privileged process (the NSSM service) into running a malicious file. 1. Identification Use Service Accounts The is a popular, lightweight

NSSM is convenient but dangerous if misconfigured. Always assume that a service running as SYSTEM with writable configuration is a . Audit your endpoints, and don’t let convenience override security.

# Copy the vulnerable binary to a writable location copy "%ProgramFiles%\NSSM\nssm-2.24.exe" .\nssm.exe

To help tailor these security steps, please share a few details about your environment:

When the service restarts (either via a system reboot or if the user has permissions to restart the service), NT AUTHORITY\SYSTEM executes the malicious binary, granting the attacker full control over the machine. 2. Insecure Registry Permissions