A critical security vulnerability affecting the JumpCloud Remote Assist for Windows agent has been identified, exposing managed endpoints to local privilege escalation and denial-of-service (DoS) attacks.
The flaw, tracked as CVE-2025-34352, affects all versions of the agent released before 0.317.0 and stems from unsafe file operations performed during uninstallation.
The issue, discovered by cybersecurity researchers at XM Cyber, allows any low-privileged local user to manipulate file write and delete operations performed by the agent, which runs with NT AUTHORITY\SYSTEM privileges.
By abusing predictable file names and user-writable directories, an attacker can gain full control of a Windows system or render it unusable.
Why the Risk is Significant
The vulnerability was uncovered during analysis of the JumpCloud agent’s uninstallation workflow.
When the primary agent is removed, it automatically triggers the removal of the Remote Assist component. This secondary uninstaller performs multiple file operations inside the Windows %TEMP% directory, a location fully controlled by standard users.
Because the uninstaller deletes, writes and executes files from this directory while running as SYSTEM, it becomes vulnerable to link-following attacks. Symbolic links and mount points can redirect these privileged operations toward protected system locations.
JumpCloud is a cloud-based identity and device management platform used by more than 180,000 organizations across 160 countries. Its Windows agent is deployed broadly and operates with the highest system privileges to enforce policies and manage devices.
Successful exploitation of this flaw gives an attacker persistent SYSTEM-level access to the endpoint.
In one scenario observed by XM Cyber, arbitrary file writes corrupted critical Windows drivers, resulting in repeated blue screen crashes. In another, attackers could delete protected system directories and leverage standard Windows Installer behavior to obtain a SYSTEM shell.
Disclosure and Mitigation
The issue was responsibly disclosed to JumpCloud, which validated the findings and released a patched version of the Remote Assist agent. Organizations running affected versions are advised to update immediately.
A JumpCloud spokesperson told Infosecurity, “JumpCloud was aware of a security vulnerability (CVE-2025-34352) discovered and patched in an older version of JumpCloud’s Remote Assist Agent (RAA). Ensuring our customers' environments are secure is our highest priority, so JumpCloud automatically upgraded all customers' RAA versions to 0.319.0 in late October.”
Following the upgrade, JumpCloud performed a comprehensive audit and confirmed all customer environments had the patch applied.
The XM Cyber research also highlights a broader security lesson for enterprises: Privileged agents should avoid interacting with user-writable paths unless access controls are explicitly hardened.
Even long-known weaknesses in installer logic can provide a direct route to full system compromise when embedded in widely deployed management software.
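The lesson above expressed as an audit check, added here as an example and not taken from XM Cyber's research or JumpCloud's code: a PowerShell function that walks a directory and its ancestors and reports reparse points, untrusted owners and write access held by non-administrative principals. The name `Test-PrivilegedWorkDir` and its trusted-SID list are assumptions of this example. It is a point-in-time audit, not a runtime guard against a link being planted between check and use.

```powershell
# Added example. Test-PrivilegedWorkDir is a hypothetical helper name.
# Audits a directory (not a file) that a SYSTEM process is about to work in.
function Test-PrivilegedWorkDir {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $findings = [System.Collections.Generic.List[string]]::new()
    # Principals allowed to hold write access: SYSTEM, Administrators, TrustedInstaller
    $trusted = 'S-1-5-18', 'S-1-5-32-544',
               'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    # Rights that allow planting new entries in a directory
    $create  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
    # Rights that allow swapping an existing entry for a link
    $replace = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

    $dir    = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    $isLeaf = $true
    while ($null -ne $dir) {
        # A junction or symlink anywhere in the chain redirects the operation
        if ($dir.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
            $findings.Add("Reparse point: $($dir.FullName)")
        }
        $acl   = Get-Acl -LiteralPath $dir.FullName
        # An untrusted owner can rewrite the DACL at will
        $owner = $acl.GetOwner($sidType).Value
        if ($owner -notin $trusted) {
            $findings.Add("Owned by ${owner}: $($dir.FullName)")
        }
        # Ancestors only matter if an existing entry in them can be replaced
        $mask = if ($isLeaf) { $create -bor $replace } else { $replace }
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            # Inherit-only ACEs do not apply to this directory itself
            $inheritOnly = $ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly
            if ($ace.AccessControlType -ne 'Allow' -or $inheritOnly) { continue }
            $sid = $ace.IdentityReference.Value
            if ($sid -notin $trusted -and ($ace.FileSystemRights -band $mask)) {
                $findings.Add("Writable by ${sid}: $($dir.FullName)")
            }
        }
        $dir    = $dir.Parent
        $isLeaf = $false
    }
    [pscustomobject]@{ Path = $Path; Safe = ($findings.Count -eq 0); Findings = $findings }
}

# Usage: audit the current user's %TEMP%
Test-PrivilegedWorkDir -Path $env:TEMP
```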
