Windows Security Event ID 4697 (Service Installation) should be monitored for services created with binary paths pointing to nssm.exe instances. Cross-reference these installations with authorized change management records to identify potentially malicious service creation.
: Ensure that the directory containing nssm.exe and the executable it manages are only writable by Administrators .
nssm remove <servicename> confirm
However, NSSM 2.24 mitigates this partially by calling SetDllDirectory("") and using fully qualified paths for system DLLs. No public, reliable exploit chain exists for DLL hijacking in 2.24 itself unless the user overrides environment variables.
When an attacker sends a malicious request to the NSSM service, the nssm_validate_service function processes the request and fails to properly validate the input parameters. This leads to a buffer overflow, which can be exploited by an attacker to execute arbitrary code on the system.
To mitigate the NSSM-2.24 exploit, users should upgrade to a newer version of NSSM that is not vulnerable to the exploit. NSSM version 2.26 and later versions have been patched to fix the vulnerability.
The NSSM-2.24 exploit is a vulnerability that was discovered in version 2.24 of NSSM. This version was released in 2019 and was widely used in various Windows environments. The vulnerability allows an attacker to escalate privileges and execute arbitrary code on a system running NSSM-2.24.
Allows a local user to gain SYSTEM or Administrative access.
| Date | Event | |------|-------| | August 12, 2025 | Vulnerability published and coordinated by CERT@VDE | | August 12, 2025 | NVD publishes first CVSS score of 7.8 | | August 14, 2025 | Red Hat Security Advisory released |
Windows Security Event ID 4697 (Service Installation) should be monitored for services created with binary paths pointing to nssm.exe instances. Cross-reference these installations with authorized change management records to identify potentially malicious service creation.
: Ensure that the directory containing nssm.exe and the executable it manages are only writable by Administrators .
nssm remove <servicename> confirm
However, NSSM 2.24 mitigates this partially by calling SetDllDirectory("") and using fully qualified paths for system DLLs. No public, reliable exploit chain exists for DLL hijacking in 2.24 itself unless the user overrides environment variables.
When an attacker sends a malicious request to the NSSM service, the nssm_validate_service function processes the request and fails to properly validate the input parameters. This leads to a buffer overflow, which can be exploited by an attacker to execute arbitrary code on the system. nssm-2.24 exploit
To mitigate the NSSM-2.24 exploit, users should upgrade to a newer version of NSSM that is not vulnerable to the exploit. NSSM version 2.26 and later versions have been patched to fix the vulnerability.
The NSSM-2.24 exploit is a vulnerability that was discovered in version 2.24 of NSSM. This version was released in 2019 and was widely used in various Windows environments. The vulnerability allows an attacker to escalate privileges and execute arbitrary code on a system running NSSM-2.24. Windows Security Event ID 4697 (Service Installation) should
Allows a local user to gain SYSTEM or Administrative access.
| Date | Event | |------|-------| | August 12, 2025 | Vulnerability published and coordinated by CERT@VDE | | August 12, 2025 | NVD publishes first CVSS score of 7.8 | | August 14, 2025 | Red Hat Security Advisory released | nssm remove <servicename> confirm
However, NSSM 2