A service is created using NSSM to run under the LocalSystem account.

Attackers typically target NSSM-managed services through the following methods: Unquoted Service Paths

The user has permissions to modify the registry keys associated with the NSSM service. How the Escalation Works

icacls "C:\YourServiceDirectory" /inheritance:d icacls "C:\YourServiceDirectory" /remove "Authenticated Users" icacls "C:\YourServiceDirectory" /remove "Users" Use code with caution. 2. Audit and Restrict Registry Permissions

Manually verify and correct permissions on nssm.exe installations:

| CVE ID | Affected Product | Affected Versions | Status | |--------|-----------------|-------------------|--------| | CVE-2025-41686 | Phoenix Contact Device and Update Management (DaUM) | < 2025.3.1 | Patched | | CVE-2025-41686 | Various applications using nssm.exe | All versions prior to patched release | Depends on vendor patch status | | CVE-2016-8742 | Apache CouchDB | 2.0.0 (Windows only) | Patched in 2.0.0.1 | | CVE-2016-20033 | Wowza Streaming Engine | 4.5.0 | No vendor fix provided | | CVE-2024-51448 | IBM Robotic Process Automation | 21.0.0-21.0.7.17, 23.0.0-23.0.18 | Patch available from vendor |

According to the official NVD Advisory for CVE-2025-41686, the exploitation mechanics are structured as follows:

Nssm-2.24 Privilege Escalation //free\\

A service is created using NSSM to run under the LocalSystem account.

Attackers typically target NSSM-managed services through the following methods: Unquoted Service Paths nssm-2.24 privilege escalation

The user has permissions to modify the registry keys associated with the NSSM service. How the Escalation Works A service is created using NSSM to run

Manually verify and correct permissions on nssm.exe installations:

According to the official NVD Advisory for CVE-2025-41686, the exploitation mechanics are structured as follows: