JumpCloud Remote Assist for Windows Agent Flaw Let Attackers Escalate Privilege

Posted on By CWS

The JumpCloud Distant Help vulnerability (CVE-2025-34352) exposes Home windows methods to native privilege escalation and denial-of-service assaults. Found by XM Cyber researcher Hillel Pinto, the flaw stems from insecure file operations within the agent’s uninstaller.​

The JumpCloud Distant Help for Home windows agent, variations previous to 0.317.0, runs as NT AUTHORITYSYSTEM and performs file create, write, delete, and execute actions within the user-controlled %TEMP% listing with out correct validation.

This permits low-privileged native attackers to leverage symbolic hyperlinks or mount factors for arbitrary file manipulation. JumpCloud, a cloud listing service utilized by over 180,000 organizations, deploys this agent on managed endpoints to implement insurance policies and help distant entry.​

XM Cyber evaluation reveals the primary JumpCloud agent triggers Distant Help uninstallation throughout its personal elimination course of. The uninstaller checks for recordsdata like Un_A.exe in %TEMP%~nsuA.tmp, deleting present ones earlier than writing and executing new content material.

Attackers can pre-create this listing with weak permissions, redirecting operations by way of hyperlink following (CWE-59) or short-term file points (CWE-378). Reverse engineering, aided by Go binary metadata restoration, traces the trail development from surroundings variables to execution.​

For DoS, attackers create a mount level from %TEMP%~nsuA.tmp to a system listing like RPCControl, then symlink Un_A.exe to overwrite drivers similar to cng.sys, triggering crashes.

Privilege escalation makes use of a TOCTOU race with oplocks on C:Config.Msi, redirecting deletes to allow SYSTEM shell by way of Home windows Installer tips. These primitives grant persistent endpoint management, amplifying dangers in enterprise environments.​

Organizations should improve to JumpCloud Distant Help 0.317.0 or later instantly. Safety groups ought to audit brokers for operations in user-writable paths, implement ACLs on temp directories, and monitor for uninstall triggers. JumpCloud confirmed the problem post-disclosure and launched the repair promptly.​

Observe us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to function your tales.

Cyber Security News Tags:, , , , , , , ,

Related Posts

New PCPcat Exploiting React2Shell Vulnerability to compromise 59,000+ Servers Cyber Security News
Top 10 Best Digital Footprint Monitoring Tools For Organizations 2025 Cyber Security News
Eurofiber Data Breach – Hackers Exploited Vulnerability to Exfiltrate Users’ Data Cyber Security News
SAP’s July 2025 Patch Day Cyber Security News
Arizona Woman Sentenced for Helping North Korean IT Workers by Operating Laptop Farm Cyber Security News
Qilin Ransomware Gain Traction Following Legal Assistance Option for Ransomware Affiliates Cyber Security News