
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
JumpCloud Remote Assist Flaw Enables Local Privilege Escalation on Windows

A high-severity vulnerability in JumpCloud Remote Assist for Windows could allow a local attacker to escalate privileges and potentially take full control of affected endpoints. The flaw stems from unsafe handling of user-writable directories during uninstall and update operations, which lets an unprivileged local user redirect the agent's privileged file operations. JumpCloud has released a fix, and organizations are urged to update immediately.
Context
JumpCloud is widely used by organizations to manage identities, devices, and access across distributed environments. Its Remote Assist component enables administrators to provide remote support to Windows endpoints. Because the JumpCloud Agent runs with elevated privileges, flaws in its update or uninstall logic can have serious security implications, particularly in enterprise environments where endpoints are shared or loosely monitored.
What Happened
Researchers at XM Cyber identified a vulnerability in JumpCloud Remote Assist for Windows that can be exploited during uninstall or update operations. Tracked as CVE-2025-34352 and assigned a CVSS score of 8.5, the issue allows an unprivileged local attacker to influence privileged file operations performed by the JumpCloud Agent.
The flaw arises when the Remote Assist uninstaller executes high-privilege actions on files located in a predictable subdirectory of the user-controlled %TEMP% path. Because the application does not validate the directory’s trust level or reset its access controls, attackers can manipulate it before the uninstaller runs.
Technical Breakdown
During removal or update, the JumpCloud Agent dynamically constructs the path to the Remote Assist uninstaller using environment variables. It then performs create, write, execute, and delete operations in that location using NT AUTHORITY\SYSTEM privileges.
An attacker can pre-create the expected directory and use symbolic links or mount points to redirect these privileged operations. XM Cyber demonstrated two primary exploitation paths:
Mount point redirection to overwrite protected system files such as System32\cng.sys, causing persistent system crashes (BSOD).
TOCTOU race condition abuse, allowing attackers to manipulate the Config.Msi directory and leverage Windows Installer techniques to spawn a SYSTEM-level shell.
In both cases, the root issue is privileged code operating on predictable filenames in an untrusted, user-writable location.
Impact Analysis
Successful exploitation requires local access, but the consequences are severe. An attacker could gain SYSTEM-level privileges, disrupt system stability, or fully compromise the endpoint. In managed enterprise environments, this could also be used as a stepping stone for lateral movement or broader compromise.
Why It Matters
Local privilege escalation flaws are often underestimated, yet they are frequently chained with other weaknesses to achieve full system takeover. This vulnerability highlights a recurring class of Windows security issues involving unsafe use of %TEMP% directories and insufficient validation of filesystem paths in privileged processes.
Expert Commentary
XM Cyber emphasized that vendors must ensure privileged components never perform sensitive operations on user-writable directories without explicitly enforcing secure access controls.
“Privileged processes should not trust paths like %TEMP% unless ACLs are explicitly reset and validated,” the researchers noted, underscoring a best practice that applies far beyond this single product.
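To make the mechanism from the Technical Breakdown and the practice the researchers recommend above concrete, here is an added simulation written for this page; it is not code from JumpCloud or XM Cyber and does not reproduce the real uninstaller. It uses a constructed lab tree: protected/cng.sys stands in for a SYSTEM-owned file, user_temp for the user's %TEMP%, and the sub-directory and file names are hypothetical. A vulnerable writer accepts whatever already exists at the predictable path; a hardened writer refuses a pre-staged directory and creates its file with O_CREAT|O_EXCL|O_NOFOLLOW relative to a directory handle, so a link planted in the check-to-use window is not followed. POSIX symlinks stand in for the Windows mount points and symbolic links described above, which is why the example also runs on Linux.

```python
import os
import shutil
import stat
import tempfile

PREDICTABLE_SUBDIR = "RemoteAssistUninstall"  # hypothetical fixed sub-directory name
PREDICTABLE_FILE = "uninstall.dat"            # hypothetical fixed file name
ORIGINAL = b"ORIGINAL DRIVER BYTES"           # constructed content of the protected file
PAYLOAD = b"ATTACKER CONTROLLED BYTES"        # what the privileged writer is tricked into writing


def is_link_or_reparse_point(path: str) -> bool:
    """lstat-based: POSIX symlink, or on Windows any reparse point (symlink, junction, mount point)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0)
                & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def vulnerable_privileged_write(user_temp: str, payload: bytes) -> None:
    """Flawed pattern: exist_ok=True accepts a user-created directory, open() follows links."""
    workdir = os.path.join(user_temp, PREDICTABLE_SUBDIR)
    os.makedirs(workdir, exist_ok=True)
    with open(os.path.join(workdir, PREDICTABLE_FILE), "wb") as f:
        f.write(payload)


def hardened_privileged_write(user_temp: str, payload: bytes, race_hook=None) -> None:
    """Fail closed: (1) refuse a temp root that is a link/reparse point; (2) create the working
    directory ourselves with a restrictive mode and refuse one that pre-exists; (3) create the
    file O_CREAT|O_EXCL|O_NOFOLLOW via a directory handle so a link swapped in between (2) and (3)
    (the TOCTOU window) is not used."""
    if is_link_or_reparse_point(user_temp):
        raise PermissionError(f"{user_temp} is a link or reparse point")
    workdir = os.path.join(user_temp, PREDICTABLE_SUBDIR)
    try:
        os.mkdir(workdir, 0o700)
    except FileExistsError:
        raise PermissionError(f"{workdir} pre-exists; refusing to reuse it") from None
    if race_hook:
        race_hook(workdir)  # simulated attacker activity inside the window
    use_dir_fd = os.open in os.supports_dir_fd  # relative opens are POSIX-only
    dfd = os.open(workdir, os.O_RDONLY | getattr(os, "O_DIRECTORY", 0)) if use_dir_fd else None
    name = PREDICTABLE_FILE if use_dir_fd else os.path.join(workdir, PREDICTABLE_FILE)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(name, flags, 0o600, dir_fd=dfd)
    except FileExistsError:
        raise PermissionError(f"{PREDICTABLE_FILE} appeared before we created it") from None
    finally:
        if dfd is not None:
            os.close(dfd)
    with os.fdopen(fd, "wb") as f:
        f.write(payload)


def build_lab() -> dict:
    """Constructed lab tree: protected/cng.sys stands in for a SYSTEM-owned file, user_temp for %TEMP%."""
    root = tempfile.mkdtemp(prefix="lpe-lab-")
    victim = os.path.join(root, "protected", "cng.sys")
    os.mkdir(os.path.dirname(victim))
    with open(victim, "wb") as f:
        f.write(ORIGINAL)
    user_temp = os.path.join(root, "user_temp")
    os.mkdir(user_temp)
    return {"root": root, "victim": victim, "user_temp": user_temp}


def plant_link(workdir: str, victim: str) -> None:
    """Unprivileged step: a link under the predictable name (POSIX symlink standing in for a Windows link)."""
    os.symlink(victim, os.path.join(workdir, PREDICTABLE_FILE))


def run_scenario(mode: str) -> dict:
    """'vulnerable'/'hardened': user stages dir + link first. 'hardened_race': link planted in the window.
    Returns whether the protected file changed and whether the privileged write was refused."""
    lab = build_lab()
    victim, user_temp = lab["victim"], lab["user_temp"]
    blocked = False
    try:
        if mode == "hardened_race":
            hardened_privileged_write(user_temp, PAYLOAD, lambda d: plant_link(d, victim))
        else:
            workdir = os.path.join(user_temp, PREDICTABLE_SUBDIR)
            os.mkdir(workdir)
            plant_link(workdir, victim)
            writer = vulnerable_privileged_write if mode == "vulnerable" else hardened_privileged_write
            writer(user_temp, PAYLOAD)
    except PermissionError:
        blocked = True
    with open(victim, "rb") as f:
        overwritten = f.read() != ORIGINAL
    shutil.rmtree(lab["root"])
    return {"victim_overwritten": overwritten, "blocked": blocked}


if __name__ == "__main__":
    for m in ("vulnerable", "hardened", "hardened_race"):
        print(f"{m:14s} {run_scenario(m)}")
```

Running the three scenarios shows the vulnerable writer overwriting the stand-in for cng.sys, while the hardened writer refuses both the pre-staged directory and the link planted inside the window. Two caveats for real Windows code: the reparse-point attribute check is what catches junctions and mount points there, since the dir_fd-relative open is POSIX-only, and the stronger fix the researchers point to is not to use the user's %TEMP% at all but a directory under a SYSTEM-owned location whose ACLs the privileged component sets itself.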
Key Takeaways
JumpCloud Remote Assist for Windows contained a high-severity local privilege escalation flaw.
The issue stems from unsafe privileged operations on user-writable %TEMP% directories.
Attackers could gain SYSTEM-level access or crash affected systems.
The vulnerability is tracked as CVE-2025-34352 (CVSS 8.5).
JumpCloud fixed the issue in version 0.317.0.
Organizations should update immediately and audit other privileged installers, updaters, and agents for the same pattern of trusting user-writable paths.

