JumpCloud Windows Agent Flaw Enables Local Privilege Escalation
Summary:
The JumpCloud Remote Assist for Windows agent is affected by a critical security flaw, tracked as CVE-2025-34352, which enables Local Privilege Escalation (LPE) and Denial-of-Service (DoS) attacks.
The vulnerability affects all agent versions prior to 0.317.0 and stems from unsafe file operations executed during the agent's uninstallation workflow. Specifically, when the uninstaller runs with NT AUTHORITY\SYSTEM privileges, it performs file write and delete operations within the user-writable %TEMP% directory.
A low-privileged local attacker can exploit this by leveraging link-following attacks (e.g., symbolic links or mount points) to redirect these privileged file operations from the %TEMP% directory to protected system files or directories.
This malicious redirection allows the attacker to corrupt critical Windows drivers, resulting in system crashes (DoS), or gain persistent SYSTEM-level access, leading to a full system compromise.
Security Officer Comments:
JumpCloud Remote Assist for Windows is often used by IT professionals and Managed Service Providers (MSPs) within organizations that rely on the JumpCloud Directory Platform for cloud-based identity and device management.
JumpCloud serves a large, global customer base, including more than 180,000 organizations across 160 countries. The platform, and by extension Remote Assist, is widely adopted by Small to Medium-sized Enterprises (SMEs).
The vulnerability's severity stems from the ability of a low-privileged local user to escalate to the highest system privilege, NT AUTHORITY\SYSTEM, on a widely deployed endpoint management platform.
- Successful exploitation grants the attacker persistent, absolute control over the Windows endpoint.
- Attackers can force the SYSTEM-privileged uninstaller to perform file write or delete operations on any file on the system.
- Observed scenarios include corrupting critical Windows driver files via arbitrary file writes, resulting in repeated Blue Screen of Death (BSOD) crashes that render the system unusable.
- Attackers can delete protected system directories.
Suggested Corrections:
JumpCloud has been informed and organizations are strongly advised to update the agent to version 0.317.0 or later to mitigate this risk.
- Patch Immediately: Organizations must update all Windows devices running the JumpCloud Agent to version 0.317.0 or later. This version contains the fix for CVE-2025-34352.
- Avoid Uncontrolled User-Writable Paths: Privileged processes (running as SYSTEM) should strictly avoid performing file operations (read, write, delete, execute) within user-writable paths like %TEMP% without rigorous validation.
- Explicit Access Controls: If interaction with user-writable paths is unavoidable, the privileged process must explicitly set or override the folder's Access Control Lists (ACLs) to prevent manipulation by a low-privileged user.
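The two secure-coding bullets above, as an added PowerShell example that is not from the advisory or from JumpCloud: an elevated installer creates its scratch directory under %ProgramData% instead of the caller's %TEMP%, replaces inherited ACEs with an explicit DACL limited to SYSTEM and Administrators, and refuses to operate on any path that contains a reparse point (symbolic link, junction or mount point). The folder name ExampleAgent is a placeholder, and the script assumes it runs elevated.

```powershell
# Added example (not JumpCloud code): patterns that avoid the CVE-2025-34352
# class of bug in a SYSTEM-level installer. "ExampleAgent" is a placeholder.

function New-PrivilegedScratchDir {
    param([string]$Name = "ExampleAgent")
    # Use a location ordinary users cannot write to, never the caller's %TEMP%.
    $path = Join-Path $env:ProgramData "$Name\scratch"
    if (Test-Path -LiteralPath $path) {
        # Never reuse a directory that is itself a junction/symlink.
        $attr = (Get-Item -LiteralPath $path -Force).Attributes
        if ($attr -band [IO.FileAttributes]::ReparsePoint) {
            throw "Refusing to use reparse point at $path"
        }
    } else {
        New-Item -ItemType Directory -Path $path -Force | Out-Null
    }
    # Replace inherited ACEs with an explicit DACL: SYSTEM and Administrators only.
    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited ACEs
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $sids = @(
        [System.Security.Principal.WellKnownSidType]::LocalSystemSid,
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid
    ) | ForEach-Object { New-Object System.Security.Principal.SecurityIdentifier($_, $null) }
    foreach ($sid in $sids) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $path -AclObject $acl
    return $path
}

function Test-NoReparsePoint {
    # Walk every component of a path; a reparse point anywhere in it means a
    # later privileged write/delete could be redirected elsewhere.
    param([Parameter(Mandatory)][string]$Path)
    $full = [IO.Path]::GetFullPath($Path)
    $root = [IO.Path]::GetPathRoot($full)
    $current = $root
    $parts = $full.Substring($root.Length).Split(
        [IO.Path]::DirectorySeparatorChar, [StringSplitOptions]::RemoveEmptyEntries)
    foreach ($part in $parts) {
        $current = Join-Path $current $part
        if (-not (Test-Path -LiteralPath $current)) { break }   # not yet created
        $attr = (Get-Item -LiteralPath $current -Force).Attributes
        if ($attr -band [IO.FileAttributes]::ReparsePoint) { return $false }
    }
    return $true
}
```

The reparse-point check is a secondary guard with an inherent time-of-check/time-of-use window, which is why the first bullet (not touching user-writable paths at all) remains the primary control.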
https://xmcyber.com/blog/jumpshot-x...escalation-cve-2025-34352-in-jumpcloud-agent/