C:\Program Files\NSSM\nssm.exe install BadService C:\My Tools\app.exe If C:\My.exe exists, Windows will execute it before C:\My Tools\app.exe . This is a classic unquoted service path vulnerability.
That said, NSSM 2.24 remains a powerful tool for defenders and adversaries alike. Treat every instance of NSSM on your endpoints as a potential indicator of lateral movement or persistence. Harden service permissions, monitor process creation, and never assume a legitimate utility is safe by default. Last updated: 2025. Always verify with current threat intelligence feeds. For the latest NSSM updates, visit https://nssm.cc. nssm-2.24 exploit
<EventID>1</EventID> <Data name="Image" condition="end with">nssm.exe</Data> <Data name="CommandLine" condition="contains">install</Data> Run PowerShell to audit services installed by NSSM: C:\Program Files\NSSM\nssm
—it is a configuration weakness inherited from Windows service security models. Any service installer (sc, PowerShell) faces the same risk. Claim 2: DLL Hijacking in NSSM 2.24 Reality: Older versions of NSSM (pre-2.24) had a potential DLL search-order hijacking issue. When NSSM starts, it loads certain system DLLs. If an attacker places a malicious version.dll or winmm.dll in the same directory as nssm.exe and a privileged user runs NSSM, code execution could occur. Treat every instance of NSSM on your endpoints
This article dissects what this exploit actually is—since no official CVE (Common Vulnerabilities and Exposure) is directly tied to NSSM 2.24—how attackers abuse legitimate features of NSSM, and why security teams must treat this tool as a potential attack vector. NSSM (Non-Sucking Service Manager) is an open-source utility that allows users to run any executable as a Windows service. Unlike sc create or instsrv , NSSM automatically handles restart policies, logging, and process monitoring. Version 2.24 is the last stable release before the beta 2.25 (2016) and the current 2.25-101 (2024).
The "exploit" is often a reference to older NSSM versions or general DLL side-loading techniques, not a 2.24-specific memory corruption. Claim 3: Unquoted Service Path Vulnerability Reality: Like any service created with CreateService() , if the path to the executable contains spaces and is not enclosed in quotes, Windows will try to interpret each space-separated token as an executable. For example:
NSSM 2.24 does automatically quote the binary path. It is the administrator’s responsibility to use quotes: