NSSM 2.24 Privilege Escalation

From Service Manager to SYSTEM: Abusing NSSM 2.24 for Privilege Escalation

Restrict write access to the service parameters registry key for non-admin users:

A tester first identifies services running with NSSM. This is often done by checking the service list or searching for the nssm.exe binary. Command: tasklist /svc or Get-Service

2. Checking Permissions

.\nssm.exe install ElevationTest cmd.exe

There are two primary vectors through which an attacker uses NSSM to escalate privileges:

1. Insecure File and Folder Permissions (Weak ACLs)

In a locked-down environment, the user cannot start the service themselves. However, an attacker can simply wait for the server to reboot (or trigger a crash/reboot via another vector), at which point the service starts automatically.

According to the official NVD Advisory for CVE-2025-41686, the exploitation mechanics are structured as follows:

: Vulnerable to LPE because standard users could substitute the service binary. Apache CouchDB

To secure systems running NSSM 2.24 against this vulnerability, administrators should implement the following measures: