JumpCloud patched a high-severity vulnerability in its JumpCloud Remote Assist for Windows agent that could enable local privilege escalation or denial of service, XM Cyber disclosed Monday.The flaw, tracked as CVE-2025-34352, takes advantage of the fact that JumpCloud’s Windows uninstaller uses system privileges to write and delete files in the %TEMP% folder, the contents of which can be controlled by a low-privileged user.A malicious low-privileged user could use mount-points and symbolic links (symlinks) to manipulate where files are deleted or written to by the privileged uninstaller.“This vulnerability is ‘eye candy’ for threat actors as it offers an approach to obtain privileged access over MS Windows devices at scale covering over 180,000 enterprises,” Jim Routh, chief trust officer at Saviynt, told SC Media in an email.
Related reading:
For privilege escalation, an attacker would need to create a time-of-check to time-of-use (TOCTOU) race condition, allowing them to redirect the deletion of Un_A.exe to instead delete the protected file Config.Msi. Using an oplock to pause the deletion operation after the initial check for Un_A.exe, the attacker creates a symlink from Un_A.exe to Config.Msi.Once the oplock is released, Config.Msi is deleted and can then be replaced with the attacker’s own content. The content can then be executed with system privileges by triggering Windows Installer.“Threat actors prefer to use privileged access capabilities, given the flexibility for using administrative access to change system configurations and monetize the data harvested with a low probability of detection,” Routh noted.
Exposure management, Threat Management, Vulnerability Management, Privileged access management, Patch/Configuration Management, Identity

JumpCloud agent vulnerability risks Windows privilege escalation


Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



