JumpCloud Remote Assist Flaw Lets Users Gain Full Control of Company Devices – Hackread – Cybersecurity News, Data Breaches, AI, and More

A serious security flaw has been found in the JumpCloud Remote Assist for Windows agent, a tool used by over 180,000 organisations across 160 countries to manage their computers. The issue could allow a standard, non-administrative user on a company machine to take full, persistent control of that device.

The vulnerability, tracked as CVE-2025-34352, was found by security researcher Hillel Pinto at XM Cyber. It carries a High severity rating, with a CVSS v4.0 score of 8.5 out of 10.

High-Risk Vulnerability Explained

The problem lies in how the Remote Assist agent removes itself from a computer. When the main JumpCloud Agent is uninstalled, it runs this cleanup with the highest privileges available on a Windows machine, NT AUTHORITY\SYSTEM. A program running as SYSTEM has full, unrestricted control over the computer.

According to XM Cyber's research blog, also written by Hillel Pinto, the agent makes a critical mistake: the SYSTEM-level process performs file operations, writing and deleting files, inside a user's temporary folder. That folder is a location a standard, low-privileged user on the machine controls, so the user decides what the privileged process finds there. Flaws of this class are usually abused by planting a file-system link (on Windows, an NTFS junction or symbolic link) in the user-controlled path so that the privileged operation lands on a file of the attacker's choosing; the write-up as summarised here does not spell out the exact technique used.

Agent Becomes the Attacker’s Tool

Researchers noted that the flaw turns the security tool itself into a gateway for attack. An ordinary user on the machine can trick the highly privileged uninstaller into deleting or overwriting sensitive system files instead of its own temporary files.

The vulnerability is exploitable without any further prerequisites, which means a malicious local user could achieve one of two outcomes:

  • Local Privilege Escalation (LPE): gaining the highest level of access (SYSTEM) on the endpoint. Pinto noted that an exploit against this agent translates directly into “full, persistent control over the endpoint.”
  • Denial of Service (DoS): deleting or corrupting files Windows depends on, causing the machine to crash completely.

Urgent Update Required

The flaw is an instance of what the researchers called a “known security pitfall”: a privileged process performing file operations in a directory that an unprivileged user controls.

Upon finding the flaw, Pinto and his team followed a responsible disclosure process and notified JumpCloud. The company confirmed the findings and has since released a fix, which corrects the way the privileged process handles files in user-controlled folders. All organisations using the affected software should update to version 0.317.0 or later to close the issue.
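The pitfall the researchers describe, and the shape of correction the fix implies, as an added example; this is not the JumpCloud agent's code or XM Cyber's, and the folder names `remote-assist-work` and `session.log`, the sandbox layout, and the use of a POSIX symlink in place of a Windows junction are all assumptions made for the demo. It runs unprivileged inside a throwaway temp directory: a "privileged" cleanup routine deletes a file under a user-controlled folder, the "attacker" swaps the expected subfolder for a link to a protected folder, and the naive routine deletes the protected file while the hardened one refuses.

```python
"""
Demo of the pitfall behind this flaw: a privileged cleanup that removes files
under a directory an unprivileged user controls. Added illustration, not the
JumpCloud agent's code. Runs unprivileged inside a throwaway temp directory;
WORK_DIR and TARGET_FILE are assumed names. POSIX only (symlinks and fd-relative
calls); on Windows the attacker's primitive is an NTFS junction or symlink and
the defensive open needs reparse-point-aware flags instead of O_NOFOLLOW.
"""
import os
import shutil
import stat
import tempfile

WORK_DIR = "remote-assist-work"   # assumed subfolder the cleanup expects to own
TARGET_FILE = "session.log"       # assumed file the cleanup deletes


def naive_cleanup(user_tmp: str) -> None:
    """The pitfall: delete by full path. Every link along that path is
    followed with the caller's (SYSTEM/root) privileges."""
    os.remove(os.path.join(user_tmp, WORK_DIR, TARGET_FILE))


def hardened_cleanup(user_tmp: str) -> bool:
    """Walk the path one component at a time without following links, verify
    each piece is what we expect, and unlink relative to the verified handle.
    Returns False and removes nothing if the layout has been tampered with."""
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    try:
        top = os.open(user_tmp, dir_flags)
    except OSError:
        return False
    try:
        # ELOOP here means WORK_DIR is a symlink; ENOTDIR means it is not a dir.
        work = os.open(WORK_DIR, dir_flags, dir_fd=top)
    except OSError:
        os.close(top)
        return False
    try:
        # A directory someone else owns inside a user-writable tree is theirs
        # to rearrange, so refuse it.
        if os.fstat(work).st_uid != os.geteuid():
            return False
        if not stat.S_ISREG(os.lstat(TARGET_FILE, dir_fd=work).st_mode):
            return False
        # Check and unlink go through the same handle: the path is not
        # re-resolved, so there is no window to swap the directory in between.
        os.unlink(TARGET_FILE, dir_fd=work)
        return True
    except OSError:
        return False
    finally:
        os.close(work)
        os.close(top)


def run_scenario(tampered: bool, cleanup) -> dict:
    """Build a sandbox with a user-controlled temp folder and a stand-in for a
    protected system folder, optionally let the 'attacker' plant a link, run
    the cleanup routine, and report whether the protected file survived."""
    root = tempfile.mkdtemp(prefix="ra-demo-")
    try:
        user_tmp = os.path.join(root, "user-temp")     # low-privileged user controls this
        system_dir = os.path.join(root, "system-dir")  # stands in for a protected folder
        os.makedirs(user_tmp)
        os.makedirs(system_dir)
        victim = os.path.join(system_dir, TARGET_FILE)
        with open(victim, "w") as f:
            f.write("important system file\n")  # constructed sample content
        scratch = os.path.join(user_tmp, WORK_DIR, TARGET_FILE)
        if tampered:
            # Attacker step: WORK_DIR now points at the protected folder.
            os.symlink(system_dir, os.path.join(user_tmp, WORK_DIR))
        else:
            os.makedirs(os.path.dirname(scratch))
            with open(scratch, "w") as f:
                f.write("agent scratch data\n")
        try:
            returned, error = cleanup(user_tmp), None
        except OSError as exc:
            returned, error = None, type(exc).__name__
        return {
            "returned": returned,
            "error": error,
            "victim_survived": os.path.exists(victim),
            "scratch_removed": None if tampered else not os.path.exists(scratch),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, fn in (("naive", naive_cleanup), ("hardened", hardened_cleanup)):
        for tampered in (False, True):
            print(label, "tampered" if tampered else "clean", run_scenario(tampered, fn))
```

The hardened routine still operates in the user's folder, which is the minimum change; the cleaner fix for a SYSTEM-level uninstaller is to keep its scratch files in a directory only SYSTEM can write to, so there is nothing for a local user to redirect in the first place. Note that a check-then-delete on a string path (stat, then remove) would not be enough on its own: the directory can be replaced between the two calls, which is why the example keeps a handle open and does both operations relative to it.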

Exclusive Commentary

Regarding this vulnerability discovery, Jim Routh, Chief Trust Officer at Saviynt, shared this comment with Hackread.com, stating, “This vulnerability is ‘eye candy’ for threat actors as it offers an approach to obtain privileged access over MS Windows devices at scale, covering over 180,000 enterprises.”

For businesses, Routh advised that “Enterprises have an opportunity to upgrade their privileged user management (PAM) system capabilities beyond password vaulting to include continuous validation of activity compared with an established pattern that operates in real time.

“Continuous validation capabilities can be built or bought as products today. Most PAM providers don’t offer continuous validation yet, but will in the near future. A mature PAM capability will reduce the risk of this threat tactic and vulnerability having a significant impact on an enterprise,” he emphasised.
