NSSM 2.24 Privilege Escalation (updated Jun 2026)
If the service runs as SYSTEM, an attacker with write access to C:\ or C:\Program Files\ can place a malicious Program.exe or Files.exe at the point where the unquoted service path is split on a space. When the service starts, the attacker's binary executes with SYSTEM rights.
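As an added example (not code from the page or from the NSSM project), the following Python helper applies the CreateProcess rule for unquoted command lines, treating each space as a possible end of the executable name and appending .exe to that prefix, to list the candidate files a service path would cause Windows to probe and the directories in which an unprivileged user must therefore not be able to create files. The service names and ImagePath values are constructed samples.

```python
"""Enumerate the hijack points an unquoted, space-containing service path exposes."""
import ntpath
from typing import Dict, List, Tuple

# Constructed sample ImagePath values (assumed, not from a real host); on a live
# system they are read from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
SAMPLE_SERVICES = {
    "MyAppSvc":   r"C:\Program Files\My App\nssm.exe",
    "QuotedSvc":  r'"C:\Program Files\My App\nssm.exe"',
    "NoSpaceSvc": r"C:\nssm\nssm.exe",
}


def probe_candidates(image_path: str) -> List[str]:
    """Paths CreateProcess tries, in order, for an unquoted path with spaces.

    Every space is treated as a possible end of the executable name; .exe is
    appended when that prefix carries no extension. A quoted or space-free path
    is unambiguous and yields a single candidate.
    """
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return [image_path.split('"')[1]]
    if " " not in image_path:
        return [image_path]
    parts = image_path.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    candidates.append(image_path)          # the intended binary, tried last
    return candidates


def hijack_points(image_path: str) -> List[Tuple[str, str]]:
    """(file Windows would run, directory it would have to be planted in) for
    each candidate probed before the intended binary."""
    cands = probe_candidates(image_path)
    return [(c, ntpath.dirname(c)) for c in cands[:-1]]


def scan(services: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each service with an exploitable path to its hijack points; safe
    services are omitted. Confirm the listed directories are not writable by
    low-privileged accounts, or quote the path in the service configuration."""
    findings = {}
    for name, path in services.items():
        points = hijack_points(path)
        if points:
            findings[name] = points
    return findings
```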
CVE‑2025‑41686 has been assigned a CVSS 3.1 vector by the National Vulnerability Database: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
A proof-of-concept exploit has been developed that demonstrates the vulnerability.
) was discovered in 2025 affecting various products that bundle
The existing CVE‑2025‑41686 references NSSM 2.24. The official NSSM site indicates that version 2.25 (available as a pre‑release) fixes several bugs, including a crash‑restart loop when running without sufficient rights. However, because version 2.25 is still labeled as “pre‑release” by some sources, do not treat it as the fix unless you have independently verified that the installer correctly secures the binary’s permissions.