Exposure management, Threat Management, Vulnerability Management, Privileged access management, Patch/Configuration Management, Identity

JumpCloud agent vulnerability risks Windows privilege escalation

JumpCloud patched a high-severity vulnerability in its JumpCloud Remote Assist for Windows agent that could enable local privilege escalation or denial of service, XM Cyber disclosed Monday.

The flaw, tracked as CVE-2025-34352, takes advantage of the fact that JumpCloud’s Windows uninstaller uses system privileges to write and delete files in the %TEMP% folder, the contents of which can be controlled by a low-privileged user.

A malicious low-privileged user could use mount-points and symbolic links (symlinks) to manipulate where files are deleted or written to by the privileged uninstaller.

“This vulnerability is ‘eye candy’ for threat actors as it offers an approach to obtain privileged access over MS Windows devices at scale covering over 180,000 enterprises,” Jim Routh, chief trust officer at Saviynt, told SC Media in an email.


Related reading:


Uninstaller behavior opens door to exploitation

The JumpCloud Remote Assist uninstaller writes and deletes certain predictably named files, such as Un_A.exe, under the location %TEMP%/~nsuA.tmp during the uninstallation process. If the necessary files are not already present, the privileged process creates them, and these files are ultimately deleted during final cleanup.

To trigger a DoS condition, a low-privileged attacker could create a mount point from %TEMP%/~nsuA.tmp to the \RPCControl object directory and then establish a pseudo-symlink from ~nsuA.tmp\Un_A.exe to the critical Cryptographic Next Generation driver at C:\\Windows\System32\cng.sys, XM Cyber explained.

When attempting to create Un_A.exe as part of the uninstallation operation, the uninstaller would write it to cng.sys, corrupting the critical file and leading to a blue screen of death (BSOD).



For privilege escalation, an attacker would need to create a time-of-check to time-of-use (TOCTOU) race condition, allowing them to redirect the deletion of Un_A.exe to instead delete the protected file Config.Msi. Using an oplock to pause the deletion operation after the initial check for Un_A.exe, the attacker creates a symlink from Un_A.exe to Config.Msi.

Once the oplock is released, Config.Msi is deleted and can then be replaced with the attacker’s own content. The content can then be executed with system privileges by triggering Windows Installer.

“Threat actors prefer to use privileged access capabilities, given the flexibility for using administrative access to change system configurations and monetize the data harvested with a low probability of detection,” Routh noted.

Patch released as experts urge stronger access controls

XM Cyber disclosed CVE-2025-34352 to JumpCloud under responsible disclosure procedures, and the flaw was promptly patched in JumpCloud Remote Assist for Windows version 0.317.0.

XM Cyber recommended organizations update to the patched version and also ensure that any privileged process do not make arbitrary reads or writes to user-writable directories such as %TEMP%.

Routh further recommended enterprises use advanced privileged access management solutions such as those that continuously validate activity against normal patterns, rather than relying solely on traditional measures like password vaulting.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds