Updated - NSSM 2.24 Privilege Escalation
When NSSM 2.24 installs a service pointing to a path containing spaces (e.g., C:\Program Files\MyApp\run.bat) without quotes, Windows parses the path ambiguously.
Example of vulnerable installation:
nssm install MyService C:\Program Files\MyApp\run.bat
If the service runs as SYSTEM, an attacker with write access to C:\ or C:\Program Files\ can place a malicious Program.exe or Files.exe. When the service starts, the attacker’s binary executes with SYSTEM rights.
If you are an authorized penetration tester:
Example silent install (red team):
nssm install UpdaterService "%temp%\update.exe" --silent
nssm set UpdaterService AppParameters "/c whoami > C:\ProgramData\out.txt"
nssm start UpdaterService
NSSM 224 is not inherently vulnerable, but common deployment patterns create local privilege escalation paths. Sysadmins must check service and registry permissions when using any service wrapper.
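The following audit script is an added example (not from this page or the NSSM project) that performs the check described above: it lists every service whose binary path, or whose NSSM-wrapped Application path stored under the service's Parameters registry key, is unquoted and contains spaces, and reports which ancestor directories low-privileged principals can write to. It assumes an elevated PowerShell session on the host being reviewed; the set of "weak" principals is a constructed starting point, not an exhaustive list.

```powershell
# Added audit example (not from the page or the NSSM project). Run elevated.
# Principals whose write access to a path component makes an unquoted path exploitable.
$WeakPrincipals = 'Everyone', 'BUILTIN\Users',
                  'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

function Test-UnquotedSpacePath {
    param([string]$Path)
    # Vulnerable shape: the command line does not start with a quote and the
    # program part (before any -switch or /switch) contains whitespace.
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    if ($Path.TrimStart().StartsWith('"')) { return $false }
    $program = ($Path -split '\s+-|\s+/')[0]
    return ($program -match '\s')
}

function Get-WritableAncestors {
    param([string]$FilePath)
    # Walk from the program's directory up to the drive root and collect every
    # directory where a weak principal holds a write-capable Allow ACE.
    $findings = @()
    $current = Split-Path -Path $FilePath -Parent
    while ($current -and (Test-Path -LiteralPath $current)) {
        foreach ($ace in (Get-Acl -LiteralPath $current).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $WeakPrincipals -contains $ace.IdentityReference.Value -and
                ($ace.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles')) {
                $findings += "$current ($($ace.IdentityReference): $($ace.FileSystemRights))"
            }
        }
        $parent = Split-Path -Path $current -Parent
        if (-not $parent -or $parent -eq $current) { break }
        $current = $parent
    }
    return $findings
}

foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $paths = @($svc.PathName)
    # NSSM stores the wrapped program under <service>\Parameters\Application.
    $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $nssmApp = (Get-ItemProperty -Path $paramKey -Name Application -ErrorAction SilentlyContinue).Application
    if ($nssmApp) { $paths += $nssmApp }
    foreach ($p in $paths) {
        if (Test-UnquotedSpacePath $p) {
            [pscustomobject]@{
                Service  = $svc.Name
                RunsAs   = $svc.StartName
                Path     = $p
                Writable = (Get-WritableAncestors $p) -join '; '
            }
        }
    }
}
```

Any row whose Writable column is non-empty and whose RunsAs is LocalSystem is the case the page describes and should be fixed by quoting the path and tightening the directory ACLs.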
Legacy versions of NSSM (pre-2.24) had issues with predictable temporary files. While patched in later 2.24 sub-releases, some enterprise environments still run outdated builds that allow race condition attacks.
⚠️ NSSM is not inherently vulnerable; the risk lies in improperly secured services installed by NSSM. Always review service permission assignments.
Set-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c -AttackSurfaceReductionRules_Actions Enabled
This rule ID corresponds to “Block process creations originating from PSExec and WMI commands”; the page also reports that it catches NSSM-based service tampering in some builds. Note that Set-MpPreference replaces the configured ASR rule list, so use Add-MpPreference with the same parameters if other ASR rules are already enabled.