Nssm-2.24 Privilege Escalation Today

CVE-2016-20033 Severity: High (CVSS: 7.8) Attack Vector: Local (AV:L) Privileges Required: Low (PR:L)

Version 2.24 was the last build before these patches. It exists in countless enterprise golden images, legacy application stacks, and developer test environments where security updates are deprioritized.

Understanding NSSM 2.24 Privilege Escalation: Vulnerability Analysis and Remediation

Attack Vector: Local (requires existing command-line or shell access to the host).

Vendor guidance and disclosure practices

The Non-Sucking Service Manager (NSSM) version 2.24 is susceptible to a Local Privilege Escalation (LPE) vulnerability. NSSM is a utility used to wrap arbitrary applications as Windows Services. Due to insufficient sanitization of the application path and arguments when installed as a service, a local attacker can manipulate the service binary path to execute arbitrary code with SYSTEM privileges.

Never store service executables in folders where standard users have write access.

The vulnerability in NSSM 2.24 subverts this logic not by breaking the Windows security model, but by mishandling how the service binary executes after installation.

Privilege escalation involving NSSM 2.24 generally stems from two primary vectors: Insecure File Permissions and Insecure Registry Permissions.

1. Insecure File Permissions (Weak Folder ACLs)

NSSM operates by acting as a wrapper. When you register a service using NSSM, Windows actually starts nssm.exe. In turn, NSSM reads configuration parameters from the Windows Registry to determine which actual executable, arguments, and I/O redirection to spin up.
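A defender can audit both vectors named above (weak folder ACLs and weak registry permissions) for every NSSM-wrapped service on a host. The PowerShell below is an added example, not code from NSSM or from this page. It assumes NSSM's usual layout, where the wrapped program's path is the Application value under the service's Parameters key; the function name Get-WritableAce and the $Trusted baseline are illustrative and should be adjusted to your environment.

```powershell
# Added example: flag NSSM-wrapped services whose files or registry keys are
# writable by principals outside a trusted set. Run elevated so all ACLs are readable.
# Assumption: $Trusted is a sample baseline, not an authoritative list.
$Trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'

# Write-type bits shared by FileSystemRights and RegistryRights:
# WriteData/SetValue (0x2), AppendData/CreateSubKey (0x4), Delete, ChangePermissions,
# TakeOwnership, plus the raw GENERIC_ALL / GENERIC_WRITE bits some ACEs carry.
$WriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-WritableAce {   # hypothetical helper name
    param([string]$Path, [string]$RightsProperty)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $writable = ([int]$ace.$RightsProperty -band $WriteMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $writable -and
            $Trusted -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path     = $Path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.$RightsProperty
            }
        }
    }
}

$services = Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'nssm\.exe' }

foreach ($svc in $services) {
    # Wrapper path as registered with the Service Control Manager (quoted or unquoted).
    $wrapper = if ($svc.PathName -match '^\s*"?(?<exe>[^"]*?nssm\.exe)') { $Matches.exe }
    $svcKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    # Assumed NSSM layout: Parameters\Application holds the wrapped program's path.
    $app = (Get-ItemProperty -LiteralPath "$svcKey\Parameters" -ErrorAction SilentlyContinue).Application

    # Check each binary and the folder that contains it.
    $files = @($wrapper, $app) | Where-Object { $_ } |
        ForEach-Object { $_; Split-Path -Parent $_ }

    $findings = @(
        $files | ForEach-Object { Get-WritableAce $_ 'FileSystemRights' }
        $svcKey, "$svcKey\Parameters" | ForEach-Object { Get-WritableAce $_ 'RegistryRights' }
    )
    $findings | Select-Object @{ n = 'Service'; e = { $svc.Name } }, Path, Identity, Rights
}
```

Any row in the output is an Allow entry granting write-type access to a principal outside the baseline; an empty result means no such entries were found on the paths checked.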