due to how third-party installers deploy it with insecure permissions.

The "Ghost in the Service" LPE Feature
To mitigate the NSSM-2.24 exploit, administrators should immediately upgrade to NSSM version 2.26 or later. The patched version of NSSM includes several security enhancements, including input validation and improved error handling, which prevent the exploit from working.
Recent security advisories, such as (published August 2025), highlight how improper permissions on nssm.exe can allow low-privileged local attackers to gain full administrative access.

Why NSSM 2.24 is Targeted
To understand how the NSSM-2.24 exploit works, it's crucial to delve into the technical details of the vulnerability. The exploit typically involves:
Red Hat Product Security analyzed CVE-2025-41686 and determined that the vulnerability does not affect any currently supported Red Hat product, as the issue is specific to the Phoenix Contact DaUM Windows installer implementation rather than the core NSSM codebase.
To mitigate the NSSM-2.24 exploit, users should upgrade to a newer version of NSSM that is not vulnerable to the exploit. NSSM version 2.26 and later versions have been patched to fix the vulnerability.
A "shadow" user—a low-privileged account compromised via a simple phishing email—didn't need to crack a complex password. They simply had to: the nssm.exe file. Rename it to nssm.exe.bak.
Generate a malicious executable (e.g., using MSFvenom) that performs an action like adding a new administrator user or opening a reverse shell:
Utilize security tools and software that can help detect and prevent exploits.