Overview
CVE-2025-34352 details a critical vulnerability affecting JumpCloud Remote Assist for Windows versions prior to 0.317.0. This flaw allows a local, low-privileged attacker to potentially escalate their privileges to SYSTEM, the highest level of privilege on a Windows system. This is achieved by exploiting insecure handling of temporary directories during the uninstallation or update process of Remote Assist. The vulnerability arises from predictable file paths created in a user-writable `%TEMP%` directory.
Technical Details
The JumpCloud Windows Agent invokes the Remote Assist uninstaller with NT AUTHORITY\SYSTEM privileges during uninstall or update operations. The vulnerable uninstaller performs privileged operations (create, write, execute, delete) on files within a user-writable `%TEMP%` directory. The critical issue is the lack of validation and ACL resetting on this directory. A low-privileged attacker can pre-create this directory with weakened permissions, gaining control over its contents. This control enables the attacker to:
- Coerce arbitrary file writes: By using mount points or symbolic links, the attacker can redirect the uninstaller’s write operations to protected locations, leading to denial of service (DoS) by overwriting critical system files.
- Redirect DeleteFileW() calls: The attacker can win a race condition and redirect `DeleteFileW()` calls to attacker-chosen targets, enabling arbitrary file or folder deletion.
These actions can ultimately lead to local privilege escalation to SYSTEM.
CVSS Analysis
Because this CVE was published only recently, no CVSS score is available yet. The impact of the vulnerability is severe, as it lets a local attacker escalate their privileges to SYSTEM, so the CVSS score will likely be high once it is assigned.
*As soon as the CVSS score is made available, this section will be updated accordingly.
Possible Impact
The successful exploitation of CVE-2025-34352 can have severe consequences:
- Complete System Compromise: An attacker gaining SYSTEM privileges has full control over the affected Windows system.
- Data Theft: With SYSTEM privileges, an attacker can access and exfiltrate sensitive data stored on the system.
- Malware Installation: The attacker can install malware, including ransomware, with the highest level of permissions.
- Lateral Movement: A compromised system can be used as a launchpad for attacks on other systems within the network.
- Denial of Service: Overwriting system files can render the system unusable.
Mitigation or Patch Steps
The vulnerability is fixed in JumpCloud Remote Assist version 0.317.0. The following steps should be taken immediately:
- Upgrade to JumpCloud Remote Assist 0.317.0 or later: This is the primary mitigation. Ensure all systems with JumpCloud Remote Assist installed are updated to the latest version.
- Monitor Systems: Closely monitor systems for suspicious activity in the `%TEMP%` directory, especially around JumpCloud Agent updates or uninstallations.
- Implement Least Privilege: Follow the principle of least privilege. Limit user access to only what is necessary for their job functions.
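The following is an added example, not JumpCloud's code, illustrating the root cause described under Technical Details and the kind of `%TEMP%` check the Monitor Systems step calls for. It contrasts a privileged process adopting a fixed, guessable scratch directory (the vulnerable pattern) with a hardened pattern that creates an unguessable name exclusively and refuses links or reparse points, plus an audit helper that lists planted links under a base directory. The directory names ("UninstallScratch", "protected-target") and the layout are constructed for the demo; nothing here is taken from the Remote Assist uninstaller.

```python
"""Added example (not JumpCloud's code): the scratch-directory pattern the
advisory describes as vulnerable, a hardened replacement, and a small
audit helper for %TEMP%-style monitoring. Names such as "UninstallScratch"
are constructed placeholders, not paths used by Remote Assist.
"""
import os
import secrets
import stat
import tempfile

# Windows reparse-point attribute bit; stat defines it on all platforms in
# Python 3.5+, the fallback value is the documented constant.
REPARSE_POINT = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_link_or_reparse(path: str) -> bool:
    """True if `path` itself is a symlink (any OS) or carries the Windows
    reparse-point attribute (junctions, mount points). lstat inspects the
    entry instead of following it."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # only present on Windows
    return bool(attrs & REPARSE_POINT)


def predictable_workdir(base: str, name: str) -> str:
    """Vulnerable pattern: a fixed, guessable name under a user-writable
    base, reused if something is already there. Whatever a low-privileged
    user pre-created at that name (including a link) is silently adopted."""
    path = os.path.join(base, name)
    os.makedirs(path, exist_ok=True)
    return path


def hardened_workdir(base: str) -> str:
    """Hardened pattern: unguessable name, exclusive create (any pre-existing
    entry of that name, link or not, makes mkdir fail), then lstat to confirm
    the entry about to be used is a real directory rather than a redirection."""
    for _ in range(16):
        path = os.path.join(base, "work-" + secrets.token_hex(8))
        try:
            os.mkdir(path, 0o700)
        except FileExistsError:
            continue  # name collision: pick another rather than reuse it
        if is_link_or_reparse(path):
            raise RuntimeError(f"refusing to use {path}: link or reparse point")
        return path
    raise RuntimeError("could not create a fresh scratch directory")


def audit_links(base: str) -> list[str]:
    """Monitoring helper: names of direct children of `base` that are links
    or reparse points, the artefact a planted redirection leaves behind."""
    return sorted(
        name for name in os.listdir(base)
        if is_link_or_reparse(os.path.join(base, name))
    )


def demo() -> dict:
    """Constructed scenario: a link already sits at the predictable name and
    points at a directory the privileged process must never write into."""
    base = tempfile.mkdtemp(prefix="advisory-demo-")
    protected = os.path.join(base, "protected-target")
    os.mkdir(protected)
    planted = os.path.join(base, "UninstallScratch")  # placeholder name
    os.symlink(protected, planted, target_is_directory=True)

    vuln = predictable_workdir(base, "UninstallScratch")
    safe = hardened_workdir(base)
    return {
        # the vulnerable pattern now operates inside the protected directory
        "vulnerable_follows_link": os.path.realpath(vuln) == os.path.realpath(protected),
        "hardened_is_link": is_link_or_reparse(safe),
        "hardened_inside_base": os.path.dirname(safe) == base,
        "audit_flags": audit_links(base),
    }


if __name__ == "__main__":
    print(demo())
```

The post-creation checks are defence in depth: a user with write access to the base directory can still rename a freshly created entry and plant a link in its place, which is why the primary fix for a process running as SYSTEM is to keep its scratch files in a location that only it can write to, with that location's ACL verified rather than inherited from a user-writable `%TEMP%`.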
