JumpCloud Remote Assist for Windows Agent Flaw Let Attackers Escalate Privilege


Posted on December 15, 2025 By CWS

The JumpCloud Remote Assist vulnerability (CVE-2025-34352) exposes Windows systems to local privilege escalation and denial-of-service attacks. Discovered by XM Cyber researcher Hillel Pinto, the flaw stems from insecure file operations in the agent's uninstaller.

The JumpCloud Remote Assist for Windows agent, in versions prior to 0.317.0, runs as NT AUTHORITY\SYSTEM and performs file create, write, delete, and execute actions in the user-controlled %TEMP% directory without proper validation.

This allows low-privileged local attackers to leverage symbolic links or mount points for arbitrary file manipulation. JumpCloud, a cloud directory service used by over 180,000 organizations, deploys this agent on managed endpoints to enforce policies and support remote access.

XM Cyber's analysis shows that the main JumpCloud agent triggers Remote Assist uninstallation during its own removal process. The uninstaller checks for files like Un_A.exe in %TEMP%\~nsuA.tmp, deleting existing ones before writing and executing new content.

Attackers can pre-create this directory with weak permissions, redirecting operations via link following (CWE-59) or temporary file issues (CWE-378). Reverse engineering, aided by Go binary metadata recovery, traces the path construction from environment variables to execution.

For DoS, attackers create a mount point from %TEMP%\~nsuA.tmp to a system directory like \RPC Control, then symlink Un_A.exe to overwrite drivers such as cng.sys, triggering crashes.

Privilege escalation uses a TOCTOU race with oplocks on C:\Config.Msi, redirecting deletes to enable a SYSTEM shell via Windows Installer tricks. These primitives grant persistent endpoint control, amplifying risks in enterprise environments.

Organizations must upgrade to JumpCloud Remote Assist 0.317.0 or later immediately. Security teams should audit agents for operations in user-writable paths, enforce ACLs on temp directories, and monitor for uninstall triggers. JumpCloud confirmed the issue post-disclosure and released the fix promptly.
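One way to run the temp-path audit suggested above is a PowerShell check that flags a `~nsuA.tmp` directory or `Un_A.exe` that is a reparse point. This is an added example, not code from JumpCloud or XM Cyber. The function names `Test-NsuTempPath` and `Get-CandidateTempRoot` are hypothetical, and the list of temp roots to scan (each profile's `AppData\Local\Temp` plus `%SystemRoot%\Temp`) is an assumption.

```powershell
# Added example (not vendor code): look for ~nsuA.tmp / Un_A.exe under temp
# directories and report whether either is a junction or symbolic link.

function Test-NsuTempPath {
    param([Parameter(Mandatory)][string]$TempRoot)

    $dir = Join-Path $TempRoot '~nsuA.tmp'
    $exe = Join-Path $dir 'Un_A.exe'

    foreach ($path in @($dir, $exe)) {
        # -Force includes hidden/system items; a missing path is not a finding
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if (-not $item) { continue }

        # Reading the ACL can fail when the link target is not a file system path
        $owner = try { (Get-Acl -LiteralPath $path -ErrorAction Stop).Owner }
                 catch { '<unreadable>' }

        [pscustomobject]@{
            Path           = $path
            IsReparsePoint = [bool]($item.Attributes -band
                                    [IO.FileAttributes]::ReparsePoint)
            LinkType       = $item.LinkType          # Junction, SymbolicLink or empty
            Target         = ($item.Target -join ';')
            Owner          = $owner
            CreatedUtc     = $item.CreationTimeUtc
        }
    }
}

function Get-CandidateTempRoot {
    # Assumption: default per-user temp locations plus the system-wide one
    Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -Directory -Force |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' } |
        Where-Object { Test-Path -LiteralPath $_ }
    Join-Path $env:SystemRoot 'Temp'
}

# Run elevated so every profile is readable; reparse points sort first
Get-CandidateTempRoot |
    ForEach-Object { Test-NsuTempPath -TempRoot $_ } |
    Sort-Object IsReparsePoint -Descending |
    Format-Table -AutoSize
```

A plain directory can be left over from a normal uninstall, since the uninstaller itself writes to this location; a row with `IsReparsePoint` set to True, or an owner that is a standard user account, is what warrants investigation.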
