NSSM 2.24 Privilege Escalation

An authenticated, low-privileged user can achieve full SYSTEM privileges on the affected host. This compromises integrity, confidentiality, and availability.

Attackers can install an NSSM service pointing to cmd.exe /c net user backdoor P@ssw0rd /add & net localgroup administrators backdoor /add. After the next reboot, the backdoor user is created.

Affected versions

If a service's executable path contains spaces and is not enclosed in double quotes, Windows may misinterpret the path. For example, if the path is C:\Program Files\My Service\nssm.exe, Windows might try to execute C:\Program.exe first.
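The path parsing described above can be turned into an audit check. The following is an added example, not code from the original page or from NSSM: it lists, for each unquoted service path, the files Windows would try before the intended executable, and it also covers paths followed by arguments. The service names, ImagePath values and function names are constructed for illustration.

```python
import re

# Constructed sample ImagePath values (service name -> ImagePath); not from a real host.
SAMPLE_SERVICES = {
    "MyService": r"C:\Program Files\My Service\nssm.exe",
    "QuotedSvc": r'"C:\Program Files\My Service\nssm.exe"',
    "NoSpaces": r"C:\Tools\nssm.exe",
    "WithArgs": r"C:\Program Files\Vendor\agent.exe --config C:\etc\a b.ini",
}

# Assumption: the program name ends at the first ".exe" followed by a space or end of string.
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)

def executable_part(image_path):
    """Return the unquoted ImagePath up to the end of the first '.exe' token."""
    # If no '.exe' is present the whole string is used, which may over-report.
    m = _EXE_END.search(image_path)
    return image_path[:m.end()] if m else image_path

def earlier_candidates(image_path):
    """List the files Windows would try before the intended executable.

    For an unquoted path, each space is treated as a possible end of the
    program name and '.exe' is appended to that prefix, in left-to-right
    order. A quoted path is taken as a single unit and yields no candidates.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    exe = executable_part(path)
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def audit(services):
    """Map each at-risk service name to the earlier candidate paths to review."""
    findings = {}
    for name, image_path in services.items():
        cands = earlier_candidates(image_path)
        if cands:
            findings[name] = cands
    return findings

if __name__ == "__main__":
    for name, cands in audit(SAMPLE_SERVICES).items():
        print(name, "->", cands)
```

Each reported candidate is a location whose parent directory permissions should be reviewed; quoting the service path removes the ambiguity entirely.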

Later versions of NSSM (2.24.1, 2.25, and above) introduced critical safeguards:

In multi-tenant environments (VDI, Citrix, shared kiosks), a low-privilege user who finds NSSM 2.24 installed on the base image can escalate to SYSTEM and escape their session container.