CVE-2025-34352
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
JumpCloud Remote Assist for Windows versions prior to 0.317.0 include an uninstaller that is invoked by the JumpCloud Windows Agent as NT AUTHORITY\SYSTEM during agent uninstall or update operations. The Remote Assist uninstaller performs privileged create, write, execute, and delete actions on predictable files inside a user-writable %TEMP% subdirectory without validating that the directory is trusted or resetting its ACLs when it already exists. A local, low-privileged attacker can pre-create the directory with weak permissions and leverage mount-point or symbolic-link redirection to (a) coerce arbitrary file writes to protected locations, leading to denial of service (e.g., by overwriting sensitive system files), or (b) win a race to redirect DeleteFileW() to attacker-chosen targets, enabling arbitrary file or folder deletion and local privilege escalation to SYSTEM. This issue is fixed in JumpCloud Remote Assist 0.317.0 and affects Windows systems where Remote Assist is installed and managed through the Agent lifecycle.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| JumpCloud Inc. | Remote Assist | 0 < 0.317.0 | affected |
Weaknesses
- CWE-378: CWE-378 Creation of Temporary File With Insecure Permissions
- CWE-59: CWE-59 Improper Link Resolution Before File Access ('Link Following')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://jumpcloud.com/platform/remote-assistance
- https://jumpcloud.com/support/list-of-jumpcloud-agent-release-notes
- https://www.vulncheck.com/advisories/jumpcloud-remote-assist-arbitrary-file-write-delete-via-insecure-temp-directory
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.