A vulnerability in JumpCloud Remote Assist for Windows could allow a local attacker to escalate privileges to SYSTEM and potentially take over endpoints.
The bug exists because, during uninstall and update operations, the application invokes an uninstaller that performs privileged file operations in a directory an unprivileged user controls.
The flaw, tracked as CVE-2025-34352 (CVSS score of 8.5), can be triggered through the removal or update of the JumpCloud Agent.
“The Remote Assist uninstaller performs privileged create, write, execute, and delete actions on predictable files within a user-writable %TEMP% subdirectory without validating that the directory is trusted or resetting its ACLs when it already exists,” a NIST advisory reads.
This allows an unprivileged local attacker to pre-create that directory, after which the uninstaller performs its operations inside it with NT AUTHORITY\SYSTEM privileges.
According to XM Cyber, which identified the vulnerability, attackers can rely on symbolic links and mount-point redirections to trick the uninstaller into performing those operations on protected system files instead.
The JumpCloud Agent, the cybersecurity firm notes, dynamically builds the full path to the Remote Assist folder from environment variables and looks for the uninstaller binary in that folder.
Whenever the agent is removed, it also removes JumpCloud Remote Assist and all other components, which is what invokes the vulnerable uninstaller.
In short, a process running as SYSTEM performs delete, write, and execute operations on files with predictable names inside a path that an unprivileged user controls.
Using mount points and symbolic links, the attacker redirects the privileged write and delete operations to any file of their choosing, including protected system files, which XM Cyber says has two outcomes.
On the one hand, by using a mount point/Object Manager namespace attack, a threat actor can redirect the write to the cng.sys kernel driver under System32, which can leave the machine in an infinite Blue Screen of Death (BSOD) loop.
On the other hand, an attacker can abuse a Time-of-Check to Time-of-Use (TOCTOU) race condition to delete the contents of the Config.Msi folder (the directory Windows Installer uses for its rollback files), replace them, and then use a known Windows Installer local privilege escalation technique to obtain a SYSTEM shell.
The vulnerability was addressed in JumpCloud Remote Assist for Windows version 0.317.0. Organizations are advised to update to it as soon as possible.
“For vendor risk assessment, confirm that no privileged process executes arbitrary code, reads, or writes to a user-writable directory (like %TEMP%) without explicitly setting or overriding the folder’s Access Control Lists (ACLs),” XM Cyber notes.
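The check XM Cyber describes, and the pattern the uninstaller lacked, as an added PowerShell example that is not JumpCloud's or XM Cyber's code: before a privileged process touches a scratch directory under a user-writable parent such as %TEMP%, it should verify that the directory is a real directory (not a junction or symbolic link), is owned by SYSTEM or Administrators, and grants no write or delete rights to other principals; when it creates the directory itself, it should fail closed if the path already exists and replace the inherited ACL with an explicit one. The function names and the VendorUninstall subdirectory are illustrative assumptions; the more robust fix is to keep privileged scratch files out of user-writable parents altogether.

```powershell
# Added example, not code from JumpCloud or XM Cyber. Function names and the
# scratch path are illustrative assumptions.

$PrivilegedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Test-ScratchDirectoryTrusted {
    # Returns $true only if $Path is a real directory (not a reparse point),
    # is owned by SYSTEM or Administrators, and grants no write/delete rights
    # to any other principal. This is the "validate the directory is trusted"
    # step the advisory says the uninstaller skipped.
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    if (-not $item.PSIsContainer) { return $false }

    # Junctions and symbolic links are reparse points; a privileged process
    # that follows one operates on whatever target the attacker chose.
    if (($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0) {
        return $false
    }

    $acl = Get-Acl -LiteralPath $Path
    if ($acl.Owner -notin $PrivilegedPrincipals) { return $false }

    # Rights that let a principal plant, replace or remove entries with
    # predictable names, or loosen the ACL itself.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($ace.IdentityReference.Value -in $PrivilegedPrincipals) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $false }
    }
    return $true
}

function New-PrivilegedScratchDirectory {
    # Creates $Path with an explicit ACL instead of inheriting the permissive
    # ACL of the user-writable parent, and fails closed if the path already
    # exists (a pre-created directory was the trigger in CVE-2025-34352).
    param([Parameter(Mandatory)][string]$Path)

    # New-Item without -Force errors on an existing item, so an
    # attacker-planted directory or junction is never reused.
    $null = New-Item -ItemType Directory -Path $Path -ErrorAction Stop

    $acl = Get-Acl -LiteralPath $Path
    # Disable inheritance and drop the inherited ACEs (SetAccessRuleProtection
    # with preserveInheritance = $false), then grant only SYSTEM and Administrators.
    $acl.SetAccessRuleProtection($true, $false)
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($sid in @('S-1-5-18', 'S-1-5-32-544')) {   # SYSTEM, BUILTIN\Administrators
        $id   = [System.Security.Principal.SecurityIdentifier]::new($sid)
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $id, [System.Security.AccessControl.FileSystemRights]::FullControl,
            $inherit, $propagate, [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Re-verify after the ACL is applied. There is a short window between
    # New-Item and Set-Acl in which the inherited ACL still applies, which is
    # why a parent outside %TEMP% is the stronger fix; the post-check at least
    # refuses to proceed if anything changed underneath us.
    if (-not (Test-ScratchDirectoryTrusted -Path $Path)) {
        Remove-Item -LiteralPath $Path -Recurse -Force
        throw "Scratch directory failed trust check after creation: $Path"
    }
    return $Path
}

# Usage. The subdirectory name is an assumption, not JumpCloud's real path.
$scratch = Join-Path $env:TEMP 'VendorUninstall'
if (Test-Path -LiteralPath $scratch) {
    if (Test-ScratchDirectoryTrusted -Path $scratch) {
        "$scratch is trusted"
    } else {
        "$scratch exists but is untrusted (pre-created, reparse point or user-writable): refusing to use it"
    }
} else {
    New-PrivilegedScratchDirectory -Path $scratch
}
```

Run the script as an administrator to exercise the creation path; run it as an unprivileged user after pre-creating or junctioning the VendorUninstall directory to see the trust check reject it. The same Test-ScratchDirectoryTrusted logic can be pointed at any directory a vendor's privileged component is observed using, which is the vendor-risk check quoted above.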
