A critical local privilege escalation vulnerability in the JumpCloud Remote Assist for Windows agent allows any low-privileged user on a Windows system to gain NT AUTHORITY\SYSTEM privileges or crash the machine.
Tracked as CVE-2025-34352, the flaw affects JumpCloud Remote Assist for Windows versions prior to 0.317.0 and has been rated High severity (CVSS v4.0: 8.5).
JumpCloud is a widely used cloud-based Directory-as-a-Service and identity platform, deployed across more than 180,000 organizations globally.

| Property | Details |
| --- | --- |
| Vulnerability ID | CVE-2025-34352 |
| Severity | High (CVSS v4.0 Score: 8.5) |
| Affected Component | JumpCloud Remote Assist for Windows |
| Affected Versions | All versions prior to 0.317.0 |
| Attack Vector | Local (LPE) |

The JumpCloud Agent runs with the highest system privileges to manage endpoints and enforce policies. This makes any weakness in its components a direct path to full device compromise.
In this case, the vulnerability resides in the Windows uninstaller of the JumpCloud Remote Assist component.
During uninstallation of the main JumpCloud Agent, the process also triggers removal of Remote Assist, running as NT AUTHORITY\SYSTEM.

The uninstaller performs file operations in the user’s %TEMP% directory, a location fully under control of a low-privileged user.
The uninstaller checks for and manipulates a file named Un_A.exe inside a temporary directory (for example, %TEMP%\~nsuA.tmp).
It may delete, create, write, and then execute this file, all while running with SYSTEM privileges.
Because the path and filename are predictable and located in a user-writable directory, an attacker can abuse this behavior using mount points and symbolic link tricks.
By carefully redirecting these privileged file operations, a local attacker can either:
- Achieve arbitrary file write to sensitive system files, such as critical drivers, leading to Denial of Service (DoS) through repeated Blue Screen of Death (BSOD).
- Exploit arbitrary file delete via a race condition and Windows Installer techniques, eventually obtaining a full SYSTEM shell and persistent control of the endpoint.
In practical terms, any user with an account on a vulnerable Windows endpoint where the JumpCloud Agent and Remote Assist are installed can turn the legitimate security agent into an attack tool.
Successful exploitation grants full control over the machine, enabling installation of malware, data theft, or further lateral movement inside the network.
The root cause is a classic but severe design flaw: a highly privileged process performing sensitive file operations inside a user-controlled, writable directory without proper protections.
According to XMCyber, this pattern has long been known to be dangerous on Windows, yet still appears in modern agent implementations.
JumpCloud has released a fix, and all organizations using JumpCloud Remote Assist for Windows should immediately update to version 0.317.0 or later.
Security teams are strongly advised to verify that all managed Windows devices have received the update, review their endpoint hardening policies, and ensure that no other privileged processes perform file operations in user-writable locations such as %TEMP% without strict access controls.
Prompt patching is essential, as the vulnerability is straightforward to exploit locally and directly undermines the trust placed in endpoint management and remote assistance tools.
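
A hunting check for the pattern described above, added here as an example and not taken from the article, JumpCloud, or XMCyber: it flags process-creation events where a SYSTEM-owned process runs an image from a per-user temp directory, and tags the Un_A.exe case separately. The event field names, the sample events, and the `~nsu*.tmp` wildcard are assumptions made for illustration.

```python
import ntpath
import re

# Per-user temp directory, matched on a normalized, lower-cased path.
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\")
# Uninstaller copy named in the article; the "~nsu*.tmp" wildcard is an assumption.
NSIS_COPY = re.compile(r"\\~nsu[^\\]*\.tmp\\un_a\.exe$")
SYSTEM_NAMES = {r"nt authority\system", "system"}

# Constructed sample events. The keys (host, user, image) are hypothetical and
# only loosely modelled on process-creation telemetry, not any product's schema.
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Users\alice\AppData\Local\Temp\~nsuA.tmp\Un_A.exe"},
    {"host": "ws-01", "user": r"CORP\alice",
     "image": r"C:\Users\alice\AppData\Local\Temp\setup-1234.exe"},
    {"host": "ws-02", "user": r"nt authority\system",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws-03", "user": r"NT AUTHORITY\SYSTEM",
     "image": r"c:\users\bob\appdata\local\temp\updater\helper.exe"},
    {"host": "ws-04", "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Users\carol\AppData\Local\Temp\..\..\..\..\.."
              r"\Windows\System32\cmd.exe"},
]

def classify(event):
    """Return None, 'system-exec-from-user-temp' or 'un_a-uninstaller-pattern'."""
    if event["user"].strip().lower() not in SYSTEM_NAMES:
        return None
    # normpath collapses ".." so a path that only passes through Temp is ignored.
    image = ntpath.normpath(event["image"]).lower()
    if not USER_TEMP.match(image):
        return None
    if NSIS_COPY.search(image):
        return "un_a-uninstaller-pattern"
    return "system-exec-from-user-temp"

def hunt(events):
    """Return (host, image, finding) for every flagged event."""
    return [(e["host"], e["image"], f) for e in events if (f := classify(e))]

if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(*row, sep=" | ")
```

A hit on the generic finding is a lead for review rather than proof of exploitation, since it only shows that a privileged process is executing from a user-writable location.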
