Understanding and Mitigating NSSM 2.24 Privilege Escalation Vulnerabilities

In the world of Windows system administration, the Non-Sucking Service Manager (NSSM) is a beloved tool. It allows users to wrap any executable into a Windows service, ensuring applications restart automatically after crashes or reboots. However, security researchers have identified specific configurations and vulnerabilities in certain versions, most notably discussed around version 2.24, that can lead to local privilege escalation (LPE).

When administrators want a standard script, Java application, or Node.js program to run continuously in the background on startup, they often turn to NSSM. Version 2.24, released in August 2014, is still presented as the latest stable version on the official website and remains in active use across countless systems. Organizations that adopted NSSM early on have built entire automation pipelines around it. Its popularity has led to it being bundled into larger software suites, such as Phoenix Contact's Device and Update Management, IBM Robotic Process Automation, and Wowza Streaming Engine, all of which inherit any security flaws present in NSSM or in the way it is installed and configured.

How the Attack Works

The primary way attackers abuse NSSM is by replacing the nssm.exe binary or the application executable it manages, which is possible whenever those files or their directories carry insecure permissions that let a standard user write to them. A second route is an unquoted service path: if the service's ImagePath contains spaces and is not wrapped in quotes, Windows tries the shorter candidate paths (for example C:\Program.exe before C:\Program Files\...) first, so a standard user who can write to one of those locations can substitute their own binary for the service binary. In both cases, because NSSM is designed to restart the service when it fails, the attacker can either wait for a system reboot or manually crash the service if they have the rights to do so. Once NSSM restarts the "service," it executes the attacker's payload with the privileges of the service account, which is typically SYSTEM.

Real-World Examples

This exact scenario has been identified in multiple enterprise tools that bundle NSSM. IBM documented it in their Robotic Process Automation (RPA) software (APAR JR64937), where the IBMRPALicenseMetricService had an unquoted path containing spaces. IBM acknowledged that this allowed local privilege escalation and released a fix that adds quotes around the service path. Odoo 12.0 and ExpressVPN similarly had documented unquoted service path vulnerabilities involving nssm.exe.

Multiple privilege escalation vulnerabilities (tracked as VDE-2025-063 and VDE-2025-059) exist in Phoenix Contact Device and Update Management (DaUM) versions prior to 2025.3.1. The weakness is classified under CWE-306, Missing Authentication for Critical Function, as the product does not perform any authentication for functionality that requires a provable user identity.

Remediation and Best Practices

If you are in charge of systems that use NSSM, check for version 2.24 and upgrade to the 2.25 pre-release available at nssm.cc/download. Replacing the binary does not by itself change the ACLs on the install directory or the service path registered for each wrapped service, so apply the following fixes as well.

Ensure that the directory containing nssm.exe and the application binaries it manages is writable only by SYSTEM and the Administrators group. Low-privileged users should have only Read & Execute permissions. Granting SYSTEM and Administrators full control is not sufficient on its own: inherited entries that give Users, Authenticated Users or Everyone write access must also be removed, which is what /inheritance:r does in the commands below.

icacls "C:\Path\To" /inheritance:r /grant "SYSTEM:(OI)(CI)F" /grant "Administrators:(OI)(CI)F" /grant "Users:(OI)(CI)RX"
icacls "C:\Path\To\nssm.exe" /inheritance:r /grant "SYSTEM:(F)" /grant "Administrators:(F)" /grant "Users:(RX)"

Afterwards run icacls on the path again and confirm that no Users, Authenticated Users or Everyone entry carries M, W or F. Quote every service path that contains spaces, and keep the NSSM "Application" binary under the same restricted permissions as nssm.exe itself, since NSSM will happily restart whatever file sits at that path.

Proactive Security Measures

Scan every host where nssm.exe is present for unquoted service paths and for NSSM-managed binaries or directories that non-administrators can write to, and repeat the scan after installing any product that bundles NSSM.
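The scan described above, as an added PowerShell example; it is not part of NSSM and not code from the original article. It assumes it runs from an elevated PowerShell 5.1 or later prompt on the host being audited, and that NSSM stores each wrapped program under HKLM\SYSTEM\CurrentControlSet\Services\<service>\Parameters in the Application and AppDirectory values, which is NSSM 2.24's layout. The function names (Get-NssmServiceAudit, Test-LowPrivWritable, Get-ExePath, Get-UnquotedPathCandidates) are this example's own. It reports both weaknesses the article describes: an unquoted ImagePath whose intermediate candidates land in a directory low-privileged users can write to, and an nssm.exe or managed application binary (or its directory) that those users can modify.

```powershell
# Added audit example, not NSSM's own tooling. Assumes an elevated prompt and the
# NSSM registry layout ...\Services\<svc>\Parameters\{Application,AppDirectory}.

# Well-known SIDs of principals that any local user is a member of.
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-32-546')  # Everyone, Authenticated Users, BUILTIN\Users, BUILTIN\Guests

# Rights that let a caller overwrite, delete or re-ACL an existing file ...
$FileReplaceMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000  # + GENERIC_WRITE, GENERIC_ALL
# ... and rights that let a caller create a file inside a directory. AppendData on a directory only
# permits creating subfolders (the default Authenticated Users entry on C:\), so it is deliberately excluded.
$DirPlantMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, DeleteSubdirectoriesAndFiles' -bor 0x40000000 -bor 0x10000000

function Test-LowPrivWritable {
    # True if any Allow ACE grants one of the low-privilege SIDs a right in $Mask.
    # Deny ACEs are not evaluated, so treat a hit as a lead to confirm, not a proof.
    param([string]$Path, [int]$Mask)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }  # orphaned or untranslatable SID
        if (($LowPrivSids -contains $sid) -and ((([int]$ace.FileSystemRights) -band $Mask) -ne 0)) { return $true }
    }
    return $false
}

function Get-ExePath([string]$ImagePath) {
    # Extract the executable from a service ImagePath, quoted or not, dropping any arguments.
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { return ($p -split '"')[1] }
    $i = $p.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($i -ge 0) { return $p.Substring(0, $i + 4) }
    return ($p -split ' ')[0]
}

function Get-UnquotedPathCandidates([string]$ExePath) {
    # For C:\Program Files\My App\nssm.exe Windows tries C:\Program.exe, then
    # C:\Program Files\My.exe, before the real binary. Return those candidates.
    $parts = $ExePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) { ($parts[0..($i - 1)] -join ' ') + '.exe' }
}

function Get-NssmServiceAudit {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $image = $svc.PathName
        if (-not $image -or $image -notmatch '(?i)nssm\.exe') { continue }
        $nssmExe  = Get-ExePath $image
        $findings = @()

        # Weakness 1: unquoted ImagePath with spaces, plus which candidate an attacker could plant.
        if ((-not $image.Trim().StartsWith('"')) -and ($nssmExe -match ' ')) {
            $findings += "Unquoted service path: $image"
            foreach ($cand in Get-UnquotedPathCandidates $nssmExe) {
                $dir = Split-Path -Parent $cand
                if (Test-LowPrivWritable -Path $dir -Mask $DirPlantMask) { $findings += "Low-privileged users can plant $cand (writable: $dir)" }
            }
        }

        # Weakness 2: nssm.exe, the managed application, or their directories writable by low-privileged users.
        $params  = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters" -ErrorAction SilentlyContinue
        $targets = @($nssmExe, (Split-Path -Parent $nssmExe))
        if ($params -and $params.Application)  { $targets += $params.Application; $targets += (Split-Path -Parent $params.Application) }
        if ($params -and $params.AppDirectory) { $targets += $params.AppDirectory }
        foreach ($t in ($targets | Where-Object { $_ } | Select-Object -Unique)) {
            $mask = if (Test-Path -LiteralPath $t -PathType Container) { $DirPlantMask } else { $FileReplaceMask }
            if (Test-LowPrivWritable -Path $t -Mask $mask) { $findings += "Low-privileged users can modify $t" }
        }

        [pscustomobject]@{
            Service     = $svc.Name
            RunsAs      = $svc.StartName
            ImagePath   = $image
            Application = if ($params) { $params.Application } else { $null }
            Findings    = $findings
        }
    }
}

# Print only services with at least one finding.
Get-NssmServiceAudit | Where-Object { $_.Findings.Count -gt 0 } | Format-List
```

Run it per host (or through your remoting tool of choice) and feed the Findings column into a ticket for each affected service; the RunsAs column tells you what an attacker would gain, which for NSSM-wrapped services is almost always LocalSystem. Because the check only reads Allow entries, confirm a hit with icacls before and after applying the remediation commands above.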