This article dissects what this exploit actually is—since no official CVE (Common Vulnerabilities and Exposure) is directly tied to NSSM 2.24—how attackers abuse legitimate features of NSSM, and why security teams must treat this tool as a potential attack vector. NSSM (Non-Sucking Service Manager) is an open-source utility that allows users to run any executable as a Windows service. Unlike sc create or instsrv , NSSM automatically handles restart policies, logging, and process monitoring. Version 2.24 is the last stable release before the beta 2.25 (2016) and the current 2.25-101 (2024).
<EventID>1</EventID> <Data name="Image" condition="end with">nssm.exe</Data> <Data name="CommandLine" condition="contains">install</Data> Run PowerShell to audit services installed by NSSM: nssm-2.24 exploit
NSSM 2.24 does automatically quote the binary path. It is the administrator’s responsibility to use quotes: This article dissects what this exploit actually is—since
Look for (A;;RPWPCCDCLCSWRCWDWOGA;;;AU) – that grants Authenticated Users change config rights. Remove with: Version 2
—it is a configuration weakness inherited from Windows service security models. Any service installer (sc, PowerShell) faces the same risk. Claim 2: DLL Hijacking in NSSM 2.24 Reality: Older versions of NSSM (pre-2.24) had a potential DLL search-order hijacking issue. When NSSM starts, it loads certain system DLLs. If an attacker places a malicious version.dll or winmm.dll in the same directory as nssm.exe and a privileged user runs NSSM, code execution could occur.
nssm install MyService C:\tools\legacy_app.exe If the admin does not explicitly set nssm set MyService ObjectName NT AUTHORITY\LocalService , the service runs as LocalSystem (high privilege). An attacker with SERVICE_CHANGE_CONFIG access (sometimes granted to Users group on misconfigured systems) can change the binary path to cmd.exe /c net user hacker P@ssw0rd /add .
Introduction In the world of Windows system administration, NSSM (Non-Sucking Service Manager) has long been a trusted, lightweight utility. Version 2.24 (released circa 2014-2015) is particularly widespread in legacy environments, DevOps pipelines, and game server hosting. However, a persistent whisper in dark web forums and Reddit threat hunting threads has gained traction: the "nssm-2.24 exploit" .