NSSM 2.24 Privilege Escalation (Updated)

Use explicit Access Control Lists (ACLs) to block write access for standard user groups on the service object itself, on its Parameters registry key, and on the directory holding the wrapped executable.

3. Implement Proper Quotation Marks

The core issue is not a bug in NSSM; it is how the Windows Service Control Manager (SCM) is designed. As long as a non-admin user holds SERVICE_CHANGE_CONFIG on a service that runs as SYSTEM, that user can point the service at a binary of their choosing and escalate privileges. Microsoft cannot "patch" this without breaking legitimate service management tools; the fix is to never grant that right to broad groups.

To find every NSSM-wrapped service on a host, list the services whose binary path points at nssm.exe:

wmic service get name,displayname,pathname,startmode | findstr /i "nssm"

(wmic is deprecated on current Windows releases; the same fields are available from the Win32_Service WMI class in PowerShell.)

Avoid running NSSM services under the LocalSystem (NT AUTHORITY\SYSTEM) account unless absolutely necessary. Instead:

This weakness is not a CVE in NSSM's own code; the exposure comes from the way an NSSM-wrapped service's configuration is stored and read. NSSM keeps the wrapped executable's path, working directory, arguments and service type in the registry under the service's Parameters key and launches whatever those values point to. If that key, or the directory holding the wrapped executable, is not properly secured, an attacker can inject their own configuration data and have the service run a payload of their choosing.

If the output shows that the Authenticated Users or Everyone group holds SERVICE_CHANGE_CONFIG or WriteDacl on the service, or SetValue (or WriteDacl) on its Parameters registry key, the service is vulnerable: each of those rights is enough to repoint the service at attacker-controlled code.

2. Registry Modification
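As an added example (not code from the original article or from the NSSM project), the following Python script checks the service-side half of that rule, which is also the SERVICE_CHANGE_CONFIG condition described earlier: it parses the security descriptor that sc sdshow prints for a service and flags any allow-ACE that gives Authenticated Users, Everyone, Builtin Users or Interactive Users a right that lets them repoint the service (SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, or a generic write/all mask). It understands both the two-letter SDDL codes and the raw hex masks sc prints for non-standard rights, and it ignores the SACL. The service names and SDDL strings in it are constructed samples, not captured from a real host; the function names (rights_in, dacl_aces, weak_aces, audit) are this example's own.

```python
"""Flag Windows services whose DACL lets broad, low-privilege groups reconfigure them.

Added example, not part of the original article or the NSSM project. Feed it the
output of `sc sdshow <service>` for each NSSM-wrapped service. The SDDL strings
below are constructed samples, not captured from a real host.
"""
import re

# Two-letter SDDL codes, the bit each sets in a numeric access mask, and its name.
RIGHTS = [
    ("CC", 0x00000001, "SERVICE_QUERY_CONFIG"),
    ("DC", 0x00000002, "SERVICE_CHANGE_CONFIG"),
    ("LC", 0x00000004, "SERVICE_QUERY_STATUS"),
    ("SW", 0x00000008, "SERVICE_ENUMERATE_DEPENDENTS"),
    ("RP", 0x00000010, "SERVICE_START"),
    ("WP", 0x00000020, "SERVICE_STOP"),
    ("DT", 0x00000040, "SERVICE_PAUSE_CONTINUE"),
    ("LO", 0x00000080, "SERVICE_INTERROGATE"),
    ("CR", 0x00000100, "SERVICE_USER_DEFINED_CONTROL"),
    ("SD", 0x00010000, "DELETE"),
    ("RC", 0x00020000, "READ_CONTROL"),
    ("WD", 0x00040000, "WRITE_DAC"),
    ("WO", 0x00080000, "WRITE_OWNER"),
    ("GA", 0x10000000, "GENERIC_ALL"),
    ("GX", 0x20000000, "GENERIC_EXECUTE"),
    ("GW", 0x40000000, "GENERIC_WRITE"),
    ("GR", 0x80000000, "GENERIC_READ"),
]
CODE_TO_NAME = {code: name for code, _, name in RIGHTS}

# Any one of these lets the holder repoint the service binary or rewrite its ACL.
DANGEROUS = ["SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "GENERIC_WRITE", "GENERIC_ALL"]

# Well-known SID abbreviations for groups every standard user belongs to.
LOW_PRIV = {"AU": "Authenticated Users", "WD": "Everyone", "BU": "Builtin Users", "IU": "Interactive Users"}

DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")  # D:, optional flags, then the run of ACEs
ACE_RE = re.compile(r"\(([^)]*)\)")


def rights_in(mask_field):
    """Expand an ACE rights field (two-letter codes or a hex mask) into right names."""
    if mask_field.lower().startswith("0x"):
        mask = int(mask_field, 16)
        return [name for _, bit, name in RIGHTS if mask & bit]
    codes = [mask_field[i:i + 2] for i in range(0, len(mask_field), 2)]
    return [CODE_TO_NAME[c] for c in codes if c in CODE_TO_NAME]


def dacl_aces(sddl):
    """Return (ace_type, rights, trustee) for each ACE in the DACL; the SACL (S:) is ignored."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for ace in ACE_RE.findall(m.group(1)):
        fields = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;trustee
        if len(fields) < 6:
            continue
        ace_type, _flags, rights, _obj, _inh, trustee = fields[:6]
        aces.append((ace_type, rights_in(rights), trustee))
    return aces


def weak_aces(sddl):
    """Return [(principal, [dangerous right names])] for allow-ACEs granted to broad groups."""
    findings = []
    for ace_type, rights, trustee in dacl_aces(sddl):
        if ace_type != "A" or trustee not in LOW_PRIV:
            continue
        bad = [r for r in DANGEROUS if r in rights]
        if bad:
            findings.append((LOW_PRIV[trustee], bad))
    return findings


def audit(services):
    """Map service name -> findings, keeping only services with at least one weak ACE."""
    return {name: weak_aces(sddl) for name, sddl in services.items() if weak_aces(sddl)}


# Constructed sample descriptors in the form `sc sdshow <name>` prints them (not from a real host).
SAMPLE_SERVICES = {
    # Default-looking DACL: only SYSTEM and Administrators may reconfigure the service.
    "nssm-ok": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    # Authenticated Users were granted DC (SERVICE_CHANGE_CONFIG).
    "nssm-weak": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)",
    # Everyone was granted SERVICE_ALL_ACCESS as a raw hex mask.
    "nssm-hex": "D:(A;;0x000f01ff;;;WD)",
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SERVICES).items():
        for principal, rights in findings:
            print(f"{name}: {principal} holds {', '.join(rights)}")
```

The "WD" that appears as a trustee (Everyone) and the "WD" that appears inside a rights string (WRITE_DAC) are different things; the parser keeps them apart by field position, which is why it splits each ACE on semicolons before looking at the rights. The script checks the service object only; the Parameters registry key needs a separate check of its own ACL for SetValue and WriteDacl.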

Modern EDR tools should be configured to flag suspicious child processes of nssm.exe. For example, nssm.exe spawning cmd.exe, powershell.exe, or unknown binaries from temporary or user-writable directories (C:\Windows\Temp or C:\Users\...\AppData) should trigger an immediate alert and automated containment.
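The detection rule above, written out as an added Python example (not code from the original article, the NSSM project, or any particular EDR product). It runs over process-creation records with Sysmon-style field names (ParentImage, Image, User, ProcessId): a child of nssm.exe is flagged when it is an interactive shell or when its image lives under a Windows\Temp or AppData path, and the alert is rated high when the parent service runs as NT AUTHORITY\SYSTEM, since that is the case where the child inherits full SYSTEM rights. The events are constructed samples, not real telemetry, and the classify and alerts function names are this example's own.

```python
"""Flag suspicious child processes of nssm.exe in process-creation telemetry.

Added example, not part of the original article or the NSSM project. The events
below are constructed Sysmon Event ID 1-style records (ParentImage, Image, User,
ProcessId), not captured from a real host; any EDR feed with equivalent fields
can be mapped onto the same keys.
"""
import ntpath  # Windows path handling, works on any host OS

# Interactive shells that a wrapped production service has no reason to launch.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Lowercased path fragments for locations a standard user can write to.
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\appdata\\")


def classify(event):
    """Return (severity, reason) if the event is an nssm.exe child worth alerting on, else None."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent != "nssm.exe":
        return None
    image = event.get("Image", "")
    child = ntpath.basename(image).lower()
    if child in SHELLS:
        reason = f"nssm.exe spawned interactive shell {child}"
    elif any(frag in image.lower() for frag in SUSPICIOUS_DIRS):
        reason = f"nssm.exe launched a binary from a user-writable location: {image}"
    else:
        return None
    # A wrapped service running as LocalSystem hands the child full SYSTEM rights.
    severity = "high" if event.get("User", "").upper() == "NT AUTHORITY\\SYSTEM" else "medium"
    return severity, reason


def alerts(events):
    """Run classify() over a stream of events and return [(ProcessId, severity, reason)]."""
    found = []
    for event in events:
        verdict = classify(event)
        if verdict:
            found.append((event["ProcessId"], verdict[0], verdict[1]))
    return found


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: the wrapper launching the application it was installed for.
    {"ProcessId": 4100, "ParentImage": r"C:\Tools\nssm.exe",
     "Image": r"C:\Program Files\MyApp\myapp.exe", "User": r"NT AUTHORITY\SYSTEM"},
    # nssm.exe running as SYSTEM spawning cmd.exe.
    {"ProcessId": 4120, "ParentImage": r"C:\Tools\nssm.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\SYSTEM"},
    # A user opening a shell from Explorer: not an nssm.exe child, so ignored here.
    {"ProcessId": 4150, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\alice"},
    # Wrapped service repointed at a binary in a user's AppData, running as a service account.
    {"ProcessId": 4188, "ParentImage": r"C:\Tools\nssm.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "User": r"CORP\svc_app"},
    # Wrapped service repointed at a binary in C:\Windows\Temp, running as SYSTEM.
    {"ProcessId": 4204, "ParentImage": r"C:\Tools\nssm.exe",
     "Image": r"C:\Windows\Temp\svc.exe", "User": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for pid, severity, reason in alerts(SAMPLE_EVENTS):
        print(f"[{severity}] pid {pid}: {reason}")
```

The shell check matches on the image name only, so a renamed copy of cmd.exe would slip past it; the path check is what catches payloads dropped into writable locations under another name. Both are meant as a starting rule to tune against the host's known-good wrapped applications, not as a complete allowlist.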

NSSM (the Non-Sucking Service Manager) is an open-source tool widely used to wrap executables as Windows services. While the core tool has been stable for years, it has been identified as a vector for Local Privilege Escalation (LPE) on hosts where the services it wraps are configured insecurely.

An attacker with sufficient local rights can redirect a service to execute their own scripts or payloads instead of the intended application.

Interactive Shell Creation: A common technique involves setting the service type to SERVICE_INTERACTIVE_PROCESS (nssm set <servicename> Type SERVICE_INTERACTIVE_PROCESS). Current Windows releases disable interactive services by default (the NoInteractiveServices setting), so this step only applies where that protection has been turned off; redirecting the wrapped executable does not depend on it. If the service runs as LocalSystem