Run PowerShell to audit services installed by NSSM:
Get-WmiObject Win32_Service | Where-Object $_.PathName -like "*nssm*" | ForEach-Object
sc.exe sdshow $_.Name
Look for (A;;RPWPCCDCLCSWRCWDWOGA;;;AU) – that grants Authenticated Users change config rights. Remove with:
sc sdset MyService D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
If you discover nssm-2.24.exe in a temp folder or a directory that is not your standard software deployment: nssm-2.24 exploit
No. There is no known remote code execution (RCE) exploit affecting NSSM 2.24. NSSM does not listen on any network port. Any remote exploitation would require the attacker to already have local code execution (e.g., via phishing or drive-by download) to then abuse NSSM for persistence or privilege escalation.
NSSM is widely used for managing services on Windows systems due to its flexibility and compatibility with a wide range of executables. The vulnerability in version 2.24 poses a significant risk to systems where NSSM is used for service management. Run PowerShell to audit services installed by NSSM:
Common reasons include:
DLL hijacking – Old versions of NSSM might load DLLs from unsecured paths (e.g., current working directory). If an attacker can plant a malicious DLL there, and a privileged process runs NSSM, they could achieve code execution. This is a potential local privilege escalation vector if a service starts NSSM from a user-writable directory. If you discover nssm-2
Unquoted service path vulnerability – NSSM installs services. If an admin uses NSSM to install a service with an unquoted path containing spaces and doesn’t set proper ACLs, standard Windows unquoted service path issues apply — but that’s not NSSM’s flaw.
NSSM is designed to be a more flexible and robust alternative to the built-in Windows service manager. It supports a wide range of features, including service monitoring, restarting, and configuration through a simple command-line interface.