If an attacker has write access to a directory involved in the service execution chain (e.g., a directory with weak permissions where the service binary resides or a path containing spaces without quotes), they can plant a malicious executable. When the service is started or restarted, the operating system or NSSM will execute the malicious file with SYSTEM privileges.
# Attacker gains low-level access to the system $ login low_privileged_user nssm-2.24 privilege escalation
Are you looking to for your Windows services? If an attacker has write access to a
C:> copy malicious.exe "C:\Program Files\VulnerableApp\bin\nssm.exe" /Y C:> sc stop "VulnerableService" C:> sc start "VulnerableService" C:> copy malicious
References and further reading
When NSSM is bundled with third-party installers, it frequently inherits weak folder or file permissions, allowing low-privileged users to replace the nssm.exe binary or its managed application with malicious code.