JumpCloud Remote Assist for Windows Agent Flaw Let Attackers Escalate Privilege

Posted on By CWS

The JumpCloud Distant Help vulnerability (CVE-2025-34352) exposes Home windows methods to native privilege escalation and denial-of-service assaults. Found by XM Cyber researcher Hillel Pinto, the flaw stems from insecure file operations within the agent’s uninstaller.​

The JumpCloud Distant Help for Home windows agent, variations previous to 0.317.0, runs as NT AUTHORITYSYSTEM and performs file create, write, delete, and execute actions within the user-controlled %TEMP% listing with out correct validation.

This permits low-privileged native attackers to leverage symbolic hyperlinks or mount factors for arbitrary file manipulation. JumpCloud, a cloud listing service utilized by over 180,000 organizations, deploys this agent on managed endpoints to implement insurance policies and help distant entry.​

XM Cyber evaluation reveals the primary JumpCloud agent triggers Distant Help uninstallation throughout its personal elimination course of. The uninstaller checks for recordsdata like Un_A.exe in %TEMP%~nsuA.tmp, deleting present ones earlier than writing and executing new content material.

Attackers can pre-create this listing with weak permissions, redirecting operations by way of hyperlink following (CWE-59) or short-term file points (CWE-378). Reverse engineering, aided by Go binary metadata restoration, traces the trail development from surroundings variables to execution.​

For DoS, attackers create a mount level from %TEMP%~nsuA.tmp to a system listing like RPCControl, then symlink Un_A.exe to overwrite drivers similar to cng.sys, triggering crashes.

Privilege escalation makes use of a TOCTOU race with oplocks on C:Config.Msi, redirecting deletes to allow SYSTEM shell by way of Home windows Installer tips. These primitives grant persistent endpoint management, amplifying dangers in enterprise environments.​

Organizations should improve to JumpCloud Distant Help 0.317.0 or later instantly. Safety groups ought to audit brokers for operations in user-writable paths, implement ACLs on temp directories, and monitor for uninstall triggers. JumpCloud confirmed the problem post-disclosure and launched the repair promptly.​

Observe us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to function your tales.

Cyber Security News Tags:, , , , , , , ,

Related Posts

New Supply Chain Attack Targets Legitimate npm Package with 45,000 Weekly Downloads Cyber Security News
Developers Expose Passwords and API Keys via Online Tools like JSONFormatter Cyber Security News
Open-Source Tool for Salesforce Aura Framework Misconfiguration Analysis Cyber Security News
Seraphic Becomes the First and Only Secure Enterprise Browser Solution to Protect Electron-Based Applications Cyber Security News
Red Hat Openshift AI Service Vulnerability Allow Attackers to Take Control of the Infrastructure Cyber Security News
NVIDIA Merlin Vulnerabilities Let Attackers Execute Malicious Code and Trigger DoS Condition Cyber Security News