Each of these cases follows the same pattern: a third‑party product bundles NSSM 2.24 but fails to set restrictive NTFS permissions on the directory containing nssm.exe, allowing any authenticated user to replace the binary and escalate privileges when the associated service restarts.
Note: crafting service SDDL strings is error-prone; validate in test environments.
If you cannot update NSSM or the parent application, manually correct the permissions on nssm.exe:
The existing CVE‑2025‑41686 references NSSM 2.24. The official NSSM site indicates that version 2.25 (available as a pre‑release) fixes several bugs, including a crash‑restart loop when running without sufficient rights. However, because version 2.25 is still labeled as “pre‑release” by some sources, unless you have independently verified that the installer correctly secures the binary’s permissions.
If successful, the attacker’s reverse_shell.exe runs as .
Look for (A;;RPWP;;;WD) or (A;;RPWPDT;;;AU) – these allow authenticated users to modify service configuration.
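To make that check repeatable, here is an added helper (not from the original page or the NSSM project) that parses the DACL portion of a service SDDL string, as printed by `sc sdshow <service>`, and flags allow-ACEs that give Everyone, Authenticated Users or similar low-privilege principals either reconfiguration rights (DC, WD, WO, GA, GW, SD) or the start/stop rights (RP, WP) needed to bounce the service and run a replaced nssm.exe. The sample SDDL is constructed for illustration and is not taken from a real host.

```python
import re

# Bit values of the service/standard rights we care about when an ACE uses a
# numeric hex mask instead of two-letter tokens (Windows SERVICE_* / standard rights).
MASK_BITS = {"DC": 0x2, "RP": 0x10, "WP": 0x20, "SD": 0x10000,
             "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GW": 0x40000000}
# Well-known SDDL trustee abbreviations / SIDs any local user can satisfy (ACE field 6).
LOW_PRIV_TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
                     "IU": "Interactive", "AN": "Anonymous", "S-1-1-0": "Everyone",
                     "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "Users"}
# Rights that let such a trustee rewrite the service (e.g. its binary path)
# or restart it; a restart is what executes a replaced nssm.exe.
TAKEOVER = {"DC", "WD", "WO", "GA", "GW", "SD"}
RESTART = {"RP", "WP"}

def parse_dacl(sddl):
    """Return the allow-ACEs of the DACL as (trustee, set_of_right_tokens) tuples."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # drop owner/group and the SACL
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        parts = body.split(";")
        if len(parts) < 6 or parts[0] != "A":          # keep only access-allowed ACEs
            continue
        rights, sid = parts[2], parts[5]
        if rights.startswith("0x"):
            mask = int(rights, 16)
            tokens = {tok for tok, bit in MASK_BITS.items() if mask & bit}
        else:
            tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append((sid, tokens))
    return aces

def find_risky_aces(sddl):
    """Flag allow-ACEs handing low-privilege principals takeover or restart rights."""
    findings = []
    for sid, rights in parse_dacl(sddl):
        who = LOW_PRIV_TRUSTEES.get(sid)
        if who is None:
            continue
        if rights & TAKEOVER:
            findings.append((who, "takeover", sorted(rights & TAKEOVER)))
        elif rights & RESTART:
            findings.append((who, "restart", sorted(rights & RESTART)))
    return findings

# Constructed sample in the shape of `sc sdshow` output (not captured from a real system).
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWP;;;WD)(A;;0x2;;;AU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for who, kind, rights in find_risky_aces(SAMPLE_SDDL):
        print(f"{who}: {kind} via {','.join(rights)}")
```

Feed it the output of `sc sdshow <service>` for each NSSM-managed service; an empty result means no low-privilege principal can reconfigure or restart the service through its DACL alone.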
Enable auditing for HKLM\SYSTEM\CurrentControlSet\Services\ and alert on modifications to the Parameters subkey made by non-administrative users.
The classic attack vector for NSSM is a combination of two weaknesses: