Nssm-2.24 Privilege Escalation Portable (2025)

– Migrate to Microsoft's native sc.exe or the New-Service PowerShell cmdlet, or to WinSW (Windows Service Wrapper), an actively maintained alternative that supports a more restrictive security configuration.

    REM Copy the vulnerable binary to a writable location (cmd.exe)
    copy "%ProgramFiles%\NSSM\nssm-2.24.exe" .\nssm.exe

Implement Windows Defender Application Control (WDAC) or AppLocker to restrict execution to binaries that are signed and trusted. A replaced nssm.exe then fails to launch even if the file permissions have already been abused, so the ACL fix and the allow-listing policy back each other up.
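The ACL side of that hardening, as an added example that is not part of the original article or of NSSM itself. It assumes NSSM is installed under %ProgramFiles%\NSSM (adjust $nssmDir), an elevated PowerShell session, and icacls.exe (which ships with Windows). It removes the inherited grants that the advisory blames, leaves ordinary users with read and execute only, and then re-reads the DACL to confirm no low-privilege principal can still write:

```powershell
# Added example, not part of the original article or of NSSM itself: stop the NSSM
# install directory from inheriting its parent's ACL, grant write access only to
# SYSTEM and Administrators, then verify the result.
# Assumptions: NSSM lives in %ProgramFiles%\NSSM (adjust $nssmDir), the session is
# elevated, and icacls.exe is available (it ships with Windows).

$nssmDir = Join-Path $env:ProgramFiles 'NSSM'

function Set-NssmDirAcl {
    param([string]$Path)
    # Disable inheritance but keep a copy of the inherited ACEs, so the fix-up
    # below starts from the current state rather than from an empty DACL.
    icacls $Path /inheritance:d | Out-Null
    # Drop every grant to groups an ordinary user is a member of ...
    foreach ($group in 'Everyone', 'Users', 'Authenticated Users', 'INTERACTIVE') {
        icacls $Path /remove:g $group /T /C | Out-Null
    }
    # ... then re-add the minimal set: SYSTEM and Administrators may modify,
    # Users may only read and execute. (OI)(CI) makes the ACEs inherit downward.
    icacls $Path /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' 'Users:(OI)(CI)RX' /T /C | Out-Null
}

function Test-NssmDirHardened {
    param([string]$Path)
    # Rights an ordinary user may keep on the wrapper and its directory.
    $readOnly = [int]([System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize')
    $lowPriv  = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    $ok = $true
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
            # Any right beyond read/execute lets that principal tamper with the file.
            if (([int]$ace.FileSystemRights -band -bnot $readOnly) -ne 0) {
                Write-Warning "$($item.FullName): $($ace.IdentityReference.Value) still has $($ace.FileSystemRights)"
                $ok = $false
            }
        }
    }
    return $ok
}

Set-NssmDirAcl -Path $nssmDir
if (Test-NssmDirHardened -Path $nssmDir) { "ACL on $nssmDir is hardened" }
else { "ACL on $nssmDir still grants write access to low-privilege users" }
```

Run Test-NssmDirHardened again after any reinstall or upgrade: an installer that recreates the directory re-enables inheritance, which is exactly how the weak ACL appeared in the first place.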

The vulnerability arises from the file permissions on the nssm.exe binary not being secured properly. Under the normal Windows security model, files under Program Files and other system locations must not be writable by standard users. With the vulnerable configuration, however, a low-privileged local user can overwrite or replace nssm.exe. Having tampered with the binary, the attacker only has to wait for the NSSM service to restart (a reboot is enough). When the Service Control Manager launches the service again it executes the attacker's file, and it does so under the service's account, which is SYSTEM or an administrative account. That is a full compromise of the host.

CVE-2024-51448 documents this exact behavior in IBM Robotic Process Automation. All files in the installation inherited the permissions of the parent directory, allowing a non-privileged user to substitute any executable for the nssm.exe service binary. A subsequent service restart then executed the attacker's binary with administrator privileges, granting immediate escalation.

Privilege escalation occurs when a standard user can trick a high-privileged process (here the NSSM service) into running a file the user controls.

IBM Robotic Process Automation versions 21.0.0 through 21.0.7.17 and 23.0.0 through 23.0.18 could allow a local user to escalate their privileges. All files in the installation inherit file permissions from the parent directory, enabling a non-privileged user to substitute any executable for the nssm.exe service.

Attackers generally look for three distinct misconfigurations when they find an active nssm.exe deployment on a target machine:

1. Insecure File and Folder Permissions (Weak ACLs)
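The weak-ACL check in code, covering both the mechanism described above and this first item in the attacker's checklist. This is an added example, not part of the original article or of NSSM; it assumes Windows PowerShell 5.1 or later run as an administrator (so every service's ACL is readable), and the list of low-privilege principals and the rights mask are this example's own choices. It walks every installed service, resolves the executable from the service command line, and reports any Allow ACE on the binary or its directory that hands write-class rights to a group every local user belongs to:

```powershell
# Added example, not part of the original article or of NSSM itself: find services
# whose executable (or its parent directory) can be written by a low-privilege
# principal, which is the precondition for the nssm.exe replacement described above.
# Assumptions: Windows PowerShell 5.1+, elevated session; the principal list and
# rights mask below are this example's choices. Generic-rights bits such as
# GENERIC_WRITE are not mapped, so an ACE expressed only in those is not flagged.

$riskyRights = [int]([System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership')

# Groups every interactive or local user belongs to; an Allow ACE for one of
# these that carries a bit from $riskyRights is a finding.
$lowPrivPrincipals = @(
    'Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)

function Get-ServiceBinaryPath {
    param([string]$CommandLine)
    if ($CommandLine -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted command line: take the first token. An unquoted path containing
    # spaces is a separate, well-known weakness and is simply skipped here.
    return ($CommandLine -split '\s+')[0]
}

function Get-WritableServiceBinary {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }

        # Check the binary and its parent directory: write access to the directory
        # is enough to rename nssm.exe and drop a replacement in its place.
        foreach ($target in $exe, (Split-Path -Parent $exe)) {
            foreach ($ace in (Get-Acl -LiteralPath $target).Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band $riskyRights) -eq 0) { continue }
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    Target    = $target
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

Get-WritableServiceBinary | Sort-Object Service | Format-Table -AutoSize
```

A hit whose RunsAs is LocalSystem (or a member of Administrators) is the case this page is about. NSSM itself reads the path of the program it wraps from the Application value under HKLM\SYSTEM\CurrentControlSet\Services\<service>\Parameters, so when auditing NSSM deployments specifically, extend the same writability check to that registry key and to the wrapped application's binary: either one being writable gives the attacker the same outcome as replacing nssm.exe.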

In multi-tenant environments (VDI, Citrix, shared kiosks), a low-privilege user who finds NSSM 2.24 installed on the base image can escalate to SYSTEM on that host and break out of the isolation their session is supposed to provide.