NSSM 2.24 Privilege Escalation

The vulnerability in NSSM 2.24 subverts this logic not by breaking the Windows security model, but by mishandling how the service binary executes after installation.

    +---------------------------+
    |        Windows SCM        |
    |  (Runs as NT AUTHORITY)   |
    +-------------+-------------+
                  |
                  v  Launches
    +---------------------------+
    |     nssm.exe (v2.24)      |  <-- Targeted for Insecure Permissions or Paths
    +-------------+-------------+
                  |
                  v  Monitors & Runs
    +---------------------------+
    | Target Application/Script |
    +---------------------------+

CVE-2025-41686
Severity: High (CVSS: 7.8)
Attack Vector: Local (AV:L)
Privileges Required: Low (PR:L)
Impact: System Compromise, Administrative Access

When a standard user is tricked or coerced into running NSSM 2.24 (perhaps via a phishing attack or a malicious script on a shared terminal server), the tool does not properly validate the executable path and arguments before the service starts.

An authenticated, low-privileged user can achieve full SYSTEM privileges on the affected host. This compromises integrity, confidentiality, and availability.

Once the path to NSSM is located, the attacker checks the permissions of that directory using icacls:

    icacls "C:\Program Files\vulnerable_service_folder"

The same check for the service's registry key, listing only the principals that hold write access to it, uses accesschk:

    accesschk.exe -accepteula -uvwqk "HKLM\SYSTEM\CurrentControlSet\Services\MyNSSMService"

If an attacker can write to C:\ or C:\Program Files\, they can place a malicious Program.exe or My.exe. When the service restarts, typically on system reboot or a manual restart, the service runs the malicious code instead of the legitimate nssm.exe.

B. Insecure Service Executable

The service is configured to run an executable located in a folder where a low-privileged user has "Write" or "Modify" permissions.
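The two conditions described above, an unquoted service path containing spaces and a binary directory where a low-privileged principal holds Write or Modify rights, can be audited across every service on a host at once. The following PowerShell script is an added example written for this page; it is not code from the original article or from the NSSM project. The list of groups treated as "low-privileged" and the handling of generic rights bits on inherited ACEs are assumptions to adjust to local policy; run it from an elevated prompt so every ACL can be read.

```powershell
# Added example, not code from the original page or the NSSM project.
# Audits every installed service for the two weaknesses described above:
#   1. an unquoted binary path that contains spaces, and
#   2. a binary directory where a low-privileged principal has write rights.
# Run from an elevated PowerShell prompt so every ACL can be read.

# Assumption: these well-known principals count as "low-privileged" on this host.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a principal add or replace files in the directory.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)
# Inherited ACEs may carry generic bits instead: GENERIC_ALL (0x10000000) | GENERIC_WRITE (0x40000000).
$GenericWriteMask = 0x50000000

function Get-ServiceExecutablePath {
    # Splits a service PathName into the executable and whether it was quoted.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -lt 1) { return $null }
        return [PSCustomObject]@{ Exe = $p.Substring(1, $end - 1); Quoted = $true }
    }
    # Unquoted: the SCM resolves the path itself, so take everything up to the first ".exe".
    $m = [regex]::Match($p, '^(.*?\.exe)', [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
    $exe = if ($m.Success) { $m.Groups[1].Value } else { ($p -split ' ')[0] }
    return [PSCustomObject]@{ Exe = $exe; Quoted = $false }
}

function Get-LowPrivWriters {
    # Returns the Allow ACEs on $Directory that grant write rights to a low-privileged principal.
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop
    $hits = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $WriteMask) -ne 0) -or (($rights -band $GenericWriteMask) -ne 0)) {
            $hits += "$($ace.IdentityReference.Value) ($($ace.FileSystemRights))"
        }
    }
    return ,$hits
}

function Get-ServiceBinaryFindings {
    # One finding object per weakness per service; an empty array means nothing was found.
    $findings = @()
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $parsed = Get-ServiceExecutablePath -PathName $svc.PathName
        if ($null -eq $parsed) { continue }
        $exe = [System.Environment]::ExpandEnvironmentVariables($parsed.Exe)

        if (-not $parsed.Quoted -and $exe.Contains(' ')) {
            $findings += [PSCustomObject]@{
                Service = $svc.Name; Issue = 'UnquotedPathWithSpaces'; Detail = $svc.PathName
            }
        }

        $dir = Split-Path -Path $exe -Parent
        if ([string]::IsNullOrEmpty($dir) -or -not (Test-Path -LiteralPath $dir)) { continue }
        try { $writers = Get-LowPrivWriters -Directory $dir } catch { continue }
        if ($writers.Count -gt 0) {
            $findings += [PSCustomObject]@{
                Service = $svc.Name; Issue = 'LowPrivWritableBinaryDirectory'; Detail = "$dir <- $($writers -join '; ')"
            }
        }
    }
    return ,$findings
}

Get-ServiceBinaryFindings | Format-Table -AutoSize
```

Each UnquotedPathWithSpaces finding is fixed by re-registering the service with its path in quotes (sc.exe config with a quoted binPath= value); each LowPrivWritableBinaryDirectory finding is fixed by removing the offending grant (icacls with /remove) or moving the binary to a directory that only administrators and SYSTEM can modify, which is the remediation the mitigation heading above is leading to.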

Understanding and Mitigating NSSM 2.24 Privilege Escalation Vulnerabilities
