NSSM 2.24 Privilege Escalation: Updated Review
Researchers discovered that in NSSM 2.24, the Parameters subkey (which holds Application, AppDirectory, AppParameters) is not always protected. If the installer used the default NSSM service creation without adjusting registry permissions:
Mitigation (for admins): Manually restrict ACLs on the service Parameters registry key. NSSM 2.24 does not do this automatically.
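A read-only audit for the condition described above, added here as an example and not taken from the original page or the NSSM project. It assumes NSSM services can be recognized by an nssm executable name in ImagePath and that only the listed SIDs should hold write access to a Parameters key.

```powershell
# Added example (not NSSM's or the page's code): list NSSM-wrapped services whose
# Parameters key grants write access to anyone outside a trusted set. Read-only audit.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Assumption: only these SIDs should be able to modify service parameters.
$trustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-3-0',        # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow changing Application/AppDirectory/AppParameters or re-ACLing the key.
# GENERIC_WRITE and GENERIC_ALL are included because .NET reports them unmapped on some ACEs.
$rights    = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeMask = [int]$rights -bor 0x40000000 -bor 0x10000000
$sidType   = [System.Security.Principal.SecurityIdentifier]

$findings = foreach ($svc in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
    $image = (Get-ItemProperty -LiteralPath $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($image -notmatch 'nssm[^\\"]*\.exe') { continue }   # heuristic: service binary is an nssm executable

    $paramPath = Join-Path -Path $svc.PSPath -ChildPath 'Parameters'
    if (-not (Test-Path -LiteralPath $paramPath)) { continue }
    $params = Get-ItemProperty -LiteralPath $paramPath

    # Ask for SIDs rather than account names so the comparison is locale-independent.
    foreach ($ace in (Get-Acl -LiteralPath $paramPath).GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trustedSids -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Service      = $svc.PSChildName
            PrincipalSid = $ace.IdentityReference.Value
            Rights       = $ace.RegistryRights
            Inherited    = $ace.IsInherited
            Application  = $params.Application
            AppDirectory = $params.AppDirectory
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No NSSM Parameters keys with non-admin write access found.' }
```

Run it from an elevated session so every service key is readable; each row it prints is a Parameters key whose ACL needs tightening.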
Get-CimInstance Win32_Service | Where-Object
Where-Object { $_.IdentityReference -eq "BUILTIN\Users" -and $_.FileSystemRights -match "Write" }
The infamous NSSM 2.24 privilege escalation issue is not a bug in NSSM’s code per se. Instead, it stems from misconfigurations combined with NSSM’s default behavior.
# Restrict change config to administrators only
sc.exe sdset VulnService "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
Rule ID: e6db77e5-3df2-4cf1-b95a-636979351e5b (Block process creations originating from PSExec and WMI commands often used with NSSM).
A newly documented vector in Q1 2026 involves the AppDirectory setting. If an attacker cannot change the Application path (due to strict ACLs), but can change the AppDirectory to a user-writable folder (e.g., C:\Temp), and the original executable loads relative DLLs: