The JumpCloud Remote Assist vulnerability (CVE-2025-34352) exposes Windows systems to local privilege escalation and denial-of-service attacks. Discovered by XM Cyber researcher Hillel Pinto, the flaw stems from insecure file operations in the agent’s uninstaller.
The JumpCloud Remote Assist for Windows agent, versions prior to 0.317.0, runs as NT AUTHORITY\SYSTEM and performs file create, write, delete, and execute actions in the user-controlled %TEMP% directory without proper validation.
This allows low-privileged local attackers to leverage symbolic links or mount points for arbitrary file manipulation. JumpCloud, a cloud directory service used by over 180,000 organizations, deploys this agent on managed endpoints to enforce policies and support remote access.
XM Cyber analysis reveals the main JumpCloud agent triggers Remote Assist uninstallation during its own removal process. The uninstaller checks for files like Un_A.exe in %TEMP%\~nsuA.tmp, deleting existing ones before writing and executing new content.
Attackers can pre-create this directory with weak permissions, redirecting operations via link following (CWE-59) or temporary file issues (CWE-378). Reverse engineering, aided by Go binary metadata recovery, traces the path construction from environment variables to execution.
For DoS, attackers create a mount point from %TEMP%\~nsuA.tmp to a system directory like \RPC Control, then symlink Un_A.exe to overwrite drivers such as cng.sys, triggering crashes.
Privilege escalation uses a TOCTOU race with oplocks on C:\Config.Msi, redirecting deletes to enable a SYSTEM shell via Windows Installer tricks. These primitives grant persistent endpoint control, amplifying risks in enterprise environments.
Organizations must upgrade to JumpCloud Remote Assist 0.317.0 or later immediately. Security teams should audit agents for operations in user-writable paths, enforce ACLs on temp directories, and monitor for uninstall triggers. JumpCloud confirmed the issue post-disclosure and released the fix promptly.
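The audit step above can start with a read-only check for the ~nsuA.tmp staging directory the uninstaller uses. The following PowerShell is an added example, not code from JumpCloud or XM Cyber; the temp roots it scans and the trusted-owner list are assumptions to adjust for your environment.

```powershell
# Added example: read-only triage for a pre-created <temp>\~nsuA.tmp directory.
# Assumption: the temp roots below are where %TEMP% may resolve on your hosts.
param(
    [string[]]$TempRoots = @("$env:SystemRoot\Temp") +
        @(Get-ChildItem 'C:\Users' -Directory -Force -ErrorAction SilentlyContinue |
          ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })
)

# Assumption: owners considered expected for an installer staging directory.
$trustedOwners = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

foreach ($root in $TempRoots) {
    $dir  = Join-Path $root '~nsuA.tmp'
    $item = Get-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
    if (-not $item) { continue }   # nothing staged under this root

    # A junction or mount point here means file operations get redirected.
    $isReparse = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)

    # Reading the ACL can fail on a redirected path; record that, don't stop.
    try   { $owner = (Get-Acl -LiteralPath $dir -ErrorAction Stop).Owner }
    catch { $owner = 'unreadable' }

    [pscustomobject]@{
        Path         = $dir
        ReparsePoint = $isReparse
        LinkType     = $item.LinkType
        Owner        = $owner
        CreatedUtc   = $item.CreationTimeUtc
        # Flag redirected directories and ones owned by a non-privileged account.
        Suspicious   = $isReparse -or ($owner -notin $trustedOwners)
    }
}
```

A directory reported with `Suspicious = True` on a host that has not recently run the uninstaller is worth investigating before the agent is removed or upgraded.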
