Nssm-2.24 Privilege Escalation
Technical background (how unquoted service path LPE works)
Monitoring tools (like Sysmon) can trigger alerts when nssm.exe spawns unexpected shells like cmd.exe or powershell.exe with SYSTEM privileges.
NSSM is a popular open-source utility designed to run native Windows applications as services. Its ease of use, which lets administrators wrap any executable, script, or batch file into a service, has made it a staple in IT automation, DevOps, and software packaging.
Ensure that service installation directories have appropriate permissions. Vulnerabilities often arise because the parent directory, not the binary itself, has weak permissions that are inherited by child files. Secure both the binary and its containing folder.
The "AppDirectory" and Registry Weakness
$ cd C:\ProgramData\SomeApp\bin
A working exploit was published by researcher hyp3rlinx, demonstrating the practical exploitability of this issue. The sc qc command revealed that the service was configured to run as LocalSystem, further confirming the elevated execution context.
When the service restarts (either via a system reboot or manual trigger), the malicious binary runs with SYSTEM privileges.