Nssm-2.24 Exploit Upd Jun 2026

nssm install ElevateService cmd.exe /c "net user hacker P@ssw0rd /add && net localgroup administrators hacker /add" nssm start ElevateService

Tools like AccessChk (Sysinternals) are often used to audit services installed by NSSM 2.24 to find these permission misconfigurations.

The most common "exploit" involving NSSM is not a flaw in the binary, but a flaw in the permissions of the service created by the administrator. nssm-2.24 exploit

For a secure, defensive article on this topic, I’d be glad to write about detection, hardening, or responsible disclosure. Let me know how I can help appropriately.

In a vulnerable installation, if NSSM is used to create a service pointing to, for example, C:\Program Files\SomeApp\app.exe , the unquoted path allows Windows to also try C:\Program.exe , C:\Program Files\Some.exe , etc. An attacker with write access to C:\ or C:\Program Files\ could plant a malicious executable to be executed as SYSTEM. nssm install ElevateService cmd

NSSM (Non-Sucking Service Manager) is an open-source tool that allows users to run any conventional executable (.exe, .bat, .cmd, or even scripts) as a Windows service. Unlike Microsoft’s native sc create or instsrv , NSSM provides:

As of the writing of this article, there are no widely known, high-severity remote vulnerabilities (CVEs) specifically targeting the NSSM 2.24 binary itself that allow an attacker to compromise a machine remotely simply because NSSM is installed. However, version 2.24 sits in a timeline where older, less secure defaults were being updated, but the primary risks stem from how the software is configured. Let me know how I can help appropriately

NSSM creates a standard Windows service. If the Access Control List (ACL) on that service is weak—for example, if the group Authenticated Users has SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG rights—a low-privileged attacker can reconfigure the service.