Ensure that only administrators and the system account have write access to service registry keys. Low-privilege users should only have read access.
If the low-privileged user has permissions to restart the service, they execute: sc stop BackupApp sc start BackupApp Use code with caution.
A closely related vulnerability, , was disclosed in IBM’s Robotic Process Automation (RPA) product. IBM RPA versions 21.0.0 through 21.0.7.17 and 23.0.0 through 23.0.18 allow a local user to escalate privileges because “all files in the install inherit the file permissions of the parent directory and therefore a non‑privileged user can substitute any executable for the nssm.exe service.” This highlights how the same underlying weakness can reappear in different software packages that embed NSSM.
To trigger the execution, the service must be restarted. If the low-privilege user has permissions to restart the service, they can execute: net stop ExampleService && net start ExampleService Use code with caution. nssm224 privilege escalation updated
Since its creation, NSSM has been embedded in countless enterprise products and open‑source projects, including database management systems, automation platforms, and monitoring tools. Its widespread adoption makes any security flaw in NSSM particularly impactful, as it can cascade across numerous third‑party applications that depend on it.
– NSSM is bundled with dozens of third‑party applications. Even if an organization does not install NSSM directly, they may be vulnerable through other products that silently include it.
| Product / Vendor | Affected Versions | Impact | |----------------|------------------|--------| | | Versions prior to 2025.3.1 | Privilege escalation via nssm.exe in the DAUM-WINDOWS-SERVICE | | IBM Robotic Process Automation | 21.0.0–21.0.7.17 and 23.0.0–23.0.18 | All files inherit parent directory permissions, allowing non‑privileged users to substitute any executable for nssm.exe | | Wowza Streaming Engine | Version 4.5.0 | nssm_x64.exe accessible to the Everyone group with full permissions; malicious replacement executes with LocalSystem privileges | | Apache CouchDB | Version 2.0.0 | nssm.exe (CouchDB service) can be replaced by a standard user; service runs as LocalSystem | Ensure that only administrators and the system account
Run the following check in an elevated PowerShell console:
sc config ExampleService binpath= "\"C:\Program Files\NSSM\nssm.exe\" ExampleService" Use code with caution. 4. Modern Alternatives and Updates
Compare the configuration differences between . Let me know how you'd like to proceed! AI responses may include mistakes. Learn more CVE-2016-20033 Detail - NVD A closely related vulnerability, , was disclosed in
Monitor for ParentImage matching known NSSM paths where the CommandLine contains account manipulation commands ( net user , net localgroup ). Registry Auditing
– The vulnerable service (e.g., Apache CouchDB, IBM Robotic Process Automation, DaUM) either stops unexpectedly, is stopped by the attacker, or the system reboots. When the service attempts to start again, Windows launches the malicious file with the service’s elevated privileges – typically SYSTEM or Administrator rights.
NSSM 2.24 Privilege Escalation Updated: Analyzing and Securing Unquoted Service Paths