Description
Wowza Streaming Engine 4.5.0 contains a local privilege escalation vulnerability that allows authenticated users to escalate privileges by replacing executable files due to improper file permissions granting full access to the Everyone group. Attackers can replace the nssm_x64.exe binary in the manager and engine service directories with malicious executables to execute code with LocalSystem privileges when services restart.
Published: 2026-03-15
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

This vulnerability exists in Wowza Streaming Engine version 4.5.0. Improper file permissions grant full access to the Everyone group on certain executables, notably nssm_x64.exe. An authenticated user can replace the binary with a malicious executable. When the manager or engine service restarts, the replaced binary runs with LocalSystem privileges, giving the attacker complete control over the host. The weakness is a case of unauthorized modification of a privileged resource (CWE-639).

Affected Systems

The affected product is Wowza Media Systems, LLC – Wowza Streaming Engine 4.5.0. Only this specific release is impacted, as indicated by the CPE string cpe:2.3:a:wowza:streaming_engine:4.5.0:*:*:*:*:*:*:*.

Risk and Exploitability

The CVSS v3.1 score is 8.5, classifying it as High severity. The EPSS score is under 1%, indicating a low probability of exploitation in the wild. The vulnerability is not currently listed in the CISA KEV catalog, suggesting no widespread, documented exploits. Attackers need local authentication to replace the binary; however, once they do, the exploitation path is straightforward and delivers SYSTEM-level privileges upon service restart. Because the attack vector requires local access, the immediate risk is highest for environments where users have local administrative or service restart rights.

Generated by OpenCVE AI on March 19, 2026 at 15:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wowza Streaming Engine to a version that resolves the privilege escalation issue (any release newer than 4.5.0).
  • Restrict file permissions on nssm_x64.exe and any related executables so that only administrators or system accounts have write and replace rights, removing Everyone group write access.
  • If upgrading is not immediately possible, disable the service restart rights for non-administrative users or enforce that services run under a dedicated service account with minimal privileges.
  • Implement file integrity monitoring on the nssm_x64.exe binary to detect unauthorized modifications.
  • Regularly audit system users and service configurations to ensure no unnecessary privileged accounts exist.
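The permission and integrity checks recommended above can be scripted. The following PowerShell is an added example, not part of the OpenCVE record or any Wowza tooling. The install root is supplied by the caller because the record gives no path, and the list of broad-group SIDs and the rights mask are choices made for this example.

```powershell
# Added example (not vendor code): flag nssm_x64.exe copies that broad groups can replace.
param(
    # Assumption: the caller supplies the Wowza install root; the record gives no path.
    [Parameter(Mandatory)][string]$InstallRoot,
    [string]$BinaryName = 'nssm_x64.exe'
)

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

# Rights that allow tampering with a file, or swapping it through its folder.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
    $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor $R::TakeOwnership) -bor
    0x10000000 -bor 0x40000000   # raw GENERIC_ALL and GENERIC_WRITE bits

function Get-WeakAce {
    param([string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Include explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $BroadSids -contains $sid -and
            (([int]$ace.FileSystemRights) -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$binaries = Get-ChildItem -LiteralPath $InstallRoot -Recurse -File -Filter $BinaryName -ErrorAction SilentlyContinue
foreach ($bin in $binaries) {
    # Check the file and its folder: write access to the folder also permits a swap.
    $findings = @(Get-WeakAce $bin.FullName) + @(Get-WeakAce $bin.DirectoryName)
    [pscustomobject]@{
        Binary   = $bin.FullName
        # Record the hash as a baseline for file integrity monitoring.
        Sha256   = (Get-FileHash -LiteralPath $bin.FullName -Algorithm SHA256).Hash
        Weak     = ($findings.Count -gt 0)
        Findings = $findings
    }
}
```

Any row with `Weak` set to true lists the ACEs to remove; comparing `Sha256` against a stored baseline on later runs shows whether the binary has changed.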



Advisories

No advisories yet.

History

Mon, 16 Mar 2026 15:15:00 +0000

Values Removed: (none listed)
Values Added:
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 15 Mar 2026 19:00:00 +0000

Values Removed: (none listed)
Values Added:
Description: Wowza Streaming Engine 4.5.0 contains a local privilege escalation vulnerability that allows authenticated users to escalate privileges by replacing executable files due to improper file permissions granting full access to the Everyone group. Attackers can replace the nssm_x64.exe binary in the manager and engine service directories with malicious executables to execute code with LocalSystem privileges when services restart.
Title: Wowza Streaming Engine 4.5.0 Local Privilege Escalation via nssm_x64.exe
First Time appeared: Wowza; Wowza streaming Engine
Weaknesses: CWE-639
CPEs: cpe:2.3:a:wowza:streaming_engine:4.5.0:*:*:*:*:*:*:*
Vendors & Products: Wowza; Wowza streaming Engine
References:
Metrics: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Metrics: cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-16T14:30:30.462Z

Reserved: 2026-03-15T18:21:47.205Z

Link: CVE-2016-20033

Vulnrichment

Updated: 2026-03-16T14:21:05.914Z

NVD

Status: Analyzed

Published: 2026-03-16T14:17:50.297

Modified: 2026-03-19T14:16:04.273

Link: CVE-2016-20033

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:01:25Z
