JumpCloud Remote Assist Windows Agent Vulnerability Allows Privilege Escalation

A critical vulnerability has been discovered in the JumpCloud Remote Assist for Windows agent, allowing low-privileged users to gain NT AUTHORITY\SYSTEM privileges or crash the system. This vulnerability, tracked as CVE-2025-34352, affects versions prior to 0.317.0 and has been rated as High severity with a CVSS v4.0 score of 8.5.

JumpCloud is a widely used cloud-based Directory-as-a-Service and identity platform, with over 180,000 organizations globally relying on it. The vulnerability resides in the Windows uninstaller of the JumpCloud Remote Assist component, which runs with the highest system privileges to manage endpoints and enforce policies.

Property Details
Vulnerability ID CVE-2025-34352
Severity High (CVSS v4.0 Score: 8.5)
Affected Component JumpCloud Remote Assist for Windows
Affected Versions All versions prior to 0.317.0
Attack Vector Local (LPE)

The JumpCloud Agent runs with the highest system privileges, making any weakness in its components a direct path to full device compromise. During uninstallation of the main JumpCloud Agent, the process also triggers removal of Remote Assist, running as NT AUTHORITY\SYSTEM.

Uninstaller’s binary location
Uninstaller’s binary location

The uninstaller performs file operations in the user’s %TEMP% directory, a location fully under control of a low-privileged user. The uninstaller checks for and manipulates a file named Un_A.exe inside a temporary directory, which can be deleted, created, written, and executed while running with SYSTEM privileges.

jumpcloud-agent.exe symbols restored
jumpcloud-agent.exe symbols restored

An attacker can abuse this behavior using mount points and symbolic link tricks, allowing them to either achieve arbitrary file write to sensitive system files or exploit arbitrary file delete via a race condition and Windows Installer techniques. This can lead to Denial of Service (DoS) through repeated Blue Screen of Death (BSOD) or obtain a full SYSTEM shell and persistent control of the endpoint.

  • Achieve arbitrary file write to sensitive system files, leading to Denial of Service (DoS) through repeated Blue Screen of Death (BSOD).
  • Exploit arbitrary file delete via a race condition and Windows Installer techniques, eventually obtaining a full SYSTEM shell and persistent control of the endpoint.

In practical terms, any user with an account on a vulnerable Windows endpoint where the JumpCloud Agent and Remote Assist are installed can turn the legitimate security agent into an attack tool. Successful exploitation grants full control over the machine, enabling installation of malware, data theft, or further lateral movement inside the network.

The root cause is a classic but severe design flaw: a highly privileged process performing sensitive file operations inside a user-controlled, writable directory without proper protections. According to XMCyber, this pattern has long been known to be dangerous on Windows, yet still appears in modern agent implementations.

JumpCloud has released a fix, and all organizations using JumpCloud Remote Assist for Windows should immediately update to version 0.317.0 or later. Security teams are strongly advised to verify that all managed Windows devices have received the update, review their endpoint hardening policies, and ensure that no other privileged processes perform file operations in user-writable locations such as %TEMP% without strict access controls.

Prompt patching is essential, as the vulnerability is straightforward to exploit locally and directly undermines the trust placed in endpoint management and remote assistance tools.

Related Articles

Back to top button