icacls "C:\path\to\nssm.exe"
Each of these cases follows the same pattern: a third-party product bundles NSSM 2.24 but fails to set restrictive NTFS permissions on the directory containing nssm.exe, allowing any authenticated user to replace the binary and escalate privileges when the associated service restarts.
Monitor for unusual service creation events (Event ID 7045) or changes to service configurations.
During software procurement and deployment, evaluate whether the product includes NSSM (or any service helper) and how its files are permissioned. Use application whitelisting or controlled folder access (Windows Defender’s “Protected Folders”) to prevent unauthorized modifications to program directories.
1. The Root Cause: Unquoted Service Paths
The vulnerability arises when a service installed using NSSM has an executable path that contains spaces and is not enclosed within quotation marks.
| CVE ID | Affected Software/Vendor | Impact | Remediation Status |
| :--- | :--- | :--- | :--- |
| | Phoenix Contact DaUM (<2025.3.1) | Low-privileged user -> Admin rights | Update to 2025.3.1 or later |
| CVE-2024-51448 | IBM Robotic Process Automation (21.0.0-23.0.18) | Non-privileged user -> Admin via substitution | Vendor patch required |
| CVE-2016-20033 | Wowza Streaming Engine 4.5.0 | Everyone group -> LocalSystem via hijacking | Restrict permissions |
Get-WmiObject win32_service | Where-Object { $_.PathName -like "*nssm*" } | Select-Object Name, PathName, StartName
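The audit steps this page mentions (enumerating NSSM-backed services, checking for unquoted paths with spaces, and inspecting file permissions as icacls would) can be combined into one check. This is an added example, not code from the original page or from the NSSM project; the helper names and the set of SIDs treated as "broad" (Everyone, Authenticated Users, BUILTIN\Users) are assumptions.

```powershell
# Added example: audit NSSM-backed services (run from an elevated prompt).
# SIDs treated as "broad": Everyone, Authenticated Users, BUILTIN\Users (assumption).
$BroadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
# Rights that allow replacing or re-permissioning a file, or creating/deleting files in a directory.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-ServiceExePath {          # hypothetical helper: split the executable out of PathName
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') {
        return [pscustomobject]@{ Path = $Matches[1]; Quoted = $true }
    }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') {
        return [pscustomobject]@{ Path = $Matches[1]; Quoted = $false }
    }
}

function Get-WeakAce {                 # hypothetical helper: Allow ACEs granting write to broad SIDs
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadSids -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights -band $WriteMask) -ne 0)
        }
}

$findings = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like '*nssm*' } |
    ForEach-Object {
        $exe = Get-ServiceExePath $_.PathName
        if (-not $exe) { return }
        [pscustomobject]@{
            Service       = $_.Name
            RunsAs        = $_.StartName
            Executable    = $exe.Path
            UnquotedSpace = (-not $exe.Quoted) -and ($exe.Path -match '\s')
            WeakFileAcl   = (@(Get-WeakAce $exe.Path).Count -gt 0)
            WeakDirAcl    = (@(Get-WeakAce (Split-Path -Parent $exe.Path)).Count -gt 0)
        }
    }

# Show only services with at least one finding.
$findings |
    Where-Object { $_.UnquotedSpace -or $_.WeakFileAcl -or $_.WeakDirAcl } |
    Format-Table -AutoSize
```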
But as the progress bar hit 100%, a message appeared that wasn't his: "NSSM224 was never an update. It was a trap. We’ve been waiting for you to climb."
He didn't just want admin rights; he wanted "God Mode." In the world of Elevation of Privilege (EoP), this was the holy grail.
The Consequences