Real-world breach reports (e.g., from Red Canary & Mandiant 2024) show that attackers still use NSSM-based persistence to elevate from IIS APPPOOL or LOCAL SERVICE to SYSTEM.
The Non-Sucking Service Manager (NSSM) is a popular open-source utility used to run command-line applications as Windows services. Despite its utility, specific misconfigurations and legacy versions have exposed systems to local privilege escalation (LPE) vulnerabilities. This analysis covers the mechanics of the NSSM privilege escalation vector, why it remains a critical focus for security teams, and how to secure your environment against it.
Understanding the Vulnerability
When Windows attempts to start a service, it parses the binary path in the registry. If a path contains spaces and lacks quotes, Windows interprets the spaces as command-line arguments rather than part of the path.
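The check a defender would run against this behaviour, as an added example that is not part of the original page: it flags unquoted ImagePath values containing spaces and lists the parent directories whose write permissions then matter. The service names and paths are constructed sample data, and the helper names are hypothetical.

```python
import ntpath
import re

# Constructed ImagePath values, shaped like the strings stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>; not taken from a real host.
SAMPLE_SERVICES = {
    "QuotedNssm": r'"C:\Program Files\NSSM\nssm.exe"',
    "NoSpaces": r"C:\Tools\nssm.exe",
    "UnquotedNssm": r"C:\Program Files\Vendor App\nssm.exe",
    "UnquotedWithArgs": r"C:\Apps\My Tool\nssm.exe -k run",
    "SvcHost": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
}

# Shortest prefix ending in ".exe" that is followed by whitespace or end of string.
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def ambiguous_prefixes(image_path):
    """Return each prefix of an unquoted executable path that ends at a space."""
    value = image_path.strip()
    if value.startswith('"'):
        return []  # quoted: the path boundary is explicit
    match = _EXE.match(value)
    # No ".exe" found: treat the whole value as the path (conservative).
    exe = match.group(1) if match else value
    return [exe[:i] for i, ch in enumerate(exe) if ch == " "]


def audit(services):
    """Map each affected service to the directories whose ACLs need review."""
    findings = {}
    for name, image_path in services.items():
        prefixes = ambiguous_prefixes(image_path)
        if prefixes:
            findings[name] = sorted({ntpath.dirname(p) for p in prefixes})
    return findings


if __name__ == "__main__":
    for service, dirs in audit(SAMPLE_SERVICES).items():
        print(f"{service}: quote the ImagePath; review write access on {dirs}")
```

Arguments after the executable do not trigger a finding on their own, which is why the svchost.exe entry is not reported.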
NSSM services frequently run under the highest local privileges (SYSTEM).
and Modify permissions must be restricted strictly to Administrators and SYSTEM. Use the following command to remediate weak permissions:
The configuration registry keys located under HKLM\SYSTEM\CurrentControlSet\Services\ \Parameters.
Always install NSSM and the applications it manages in C:\Program Files\ or other directories with strict Access Control Lists (ACLs).
A patch has been released for nssm version 224, which addresses this vulnerability. The patch:
Windows services often serve as a golden ticket for penetration testers and red teamers looking to elevate privileges from a low-privileged user to NT AUTHORITY\SYSTEM. Among the tools used to manage these services, the Non-Sucking Service Manager (NSSM) is incredibly popular. While NSSM itself is not inherently malicious, improper deployment configurations frequently introduce critical vulnerabilities.
nssm (Non-Sucking Service Manager) is a service manager for Windows that allows users to manage and monitor system services. Version 224 of nssm has been identified as vulnerable to a privilege escalation attack. This report summarizes the findings and provides recommendations for mitigation.
Version 2.24 has known bugs, including potential crash loops when run without administrator rights. Pre-release versions like 2.25 address several stability and privilege handling issues.
While NSSM 2.24 is an effective tool, its default configurations can be dangerous. As of 2026, the risk of privilege escalation through unquoted service paths and weak registry permissions remains high. By applying strict file permissions, validating service paths, and monitoring for changes, administrators can continue to use NSSM securely.
In late 2025 and early 2026, researchers identified that multiple enterprise products—including Phoenix Contact Device and Update Management and Wowza Streaming Engine—were vulnerable to this exact pattern.
Or look for services where ServiceDll or Application points to nssm.exe.