accesschk.exe -kvuq "HKLM\SYSTEM\CurrentControlSet\Services\YourNssmService"
Run icacls "C:\Path\To\nssm.exe" /grant "Administrators:F" /inheritance:r to set restrictive permissions.
2. Quote Service Paths
Check all services for missing quotes in the image path.
Action: Use PowerShell to identify risks:
The German CERT@VDE advisory identified that Phoenix Contact’s DaUM product, used for industrial device management, suffers from exactly this misconfiguration. The product installer sets insecure permissions on nssm.exe, allowing a low‑privileged local user to execute arbitrary code with administrative privileges. All versions of DaUM prior to 2025.3.1 are affected, with the fix requiring an update to the latest release.
The configuration registry keys located under HKLM\SYSTEM\CurrentControlSet\Services\ \Parameters.
NSSM reads its configuration from the Windows Registry. Specifically, it looks at the Application string value inside the service's Parameters subkey to know what file to execute. If a low-privileged user has write access to this registry key, they can change the path to point to a malicious executable (like C:\Windows\System32\cmd.exe or a custom payload), bypassing any strict permissions on the original application folder.
Step-by-Step Exploitation Walkthrough
Step 1: Enumeration and Identification
If standard users have Write permissions to the folder containing the nssm.exe binary, they can replace it.
Q: What is the NSSM224 privilege escalation vulnerability?
A: The NSSM224 privilege escalation vulnerability is a security flaw that allows an attacker to escalate their privileges on a system running NSSM224.
Version 2.24 has known bugs, including potential crash loops when run without administrator rights. Pre-release versions like 2.25 address several stability and privilege handling issues.
For penetration testers: Always check for NSSM 2.24. For defenders: Treat any instance of NSSM as a potential backdoor unless its entire folder structure and registry keys are locked down tighter than a standard Windows service.
NSSM 2.24 is not inherently vulnerable, but common deployment patterns create local privilege escalation paths. Sysadmins must check service and registry permissions when using any service wrapper.
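One way to run that check across every NSSM-wrapped service, as an added example that is not part of the original page. It assumes English principal names and that only the principals in $Trusted should hold write access; it covers the Parameters key, nssm.exe, its folder, and the Application target.

```powershell
# Added audit example, not from the original page. Read-only: it changes no ACLs.
# Assumption: English principal names; only these are expected to hold write access.
$Trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'

# Write-capable bits only (Modify/WriteKey are avoided: they overlap read bits).
# 0x50000000 adds GENERIC_ALL | GENERIC_WRITE, which can appear unmapped in ACEs.
$FileMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000
$RegMask  = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership' -bor 0x50000000

function Get-WritableAce {
    param([string]$Service, [string]$Path, [int]$Mask)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            $ace.RegistryRights } else { $ace.FileSystemRights }
        $inheritOnly = [int]$ace.PropagationFlags -band 2   # InheritOnly: not applied to this object
        if ($ace.AccessControlType -eq 'Allow' -and -not $inheritOnly -and
            ([int]$rights -band $Mask) -and $Trusted -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{ Service = $Service; Path = $Path
                               Identity = $ace.IdentityReference.Value; Rights = $rights }
        }
    }
}

Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'nssm' } | ForEach-Object {
    $name = $_.Name
    # Wrapper binary path, with or without surrounding quotes in the image path.
    $exe  = if ($_.PathName -match '^\s*"?(.+?\.exe)') { $Matches[1] }
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"
    $app  = (Get-ItemProperty -LiteralPath $key -Name Application -ErrorAction SilentlyContinue).Application

    Get-WritableAce $name $key $RegMask      # key holding the Application value
    Get-WritableAce $name $exe $FileMask     # nssm.exe itself
    if ($exe) { Get-WritableAce $name (Split-Path -Parent $exe) $FileMask }  # its folder
    Get-WritableAce $name $app $FileMask     # the program NSSM launches
} | Format-Table -AutoSize
```

Any row in the output is a principal outside $Trusted that can change what the service runs; an empty result means no such grant was found on the four locations checked.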
Once a target service (e.g., NSSM224_Service) is identified, the attacker inspects its binary path permissions using icacls:
icacls "C:\Program Files\CustomApp\service_wrapped.exe"