CVE: CVE-2025-34352
CVSS: 8.5 (High)
Affected: JumpCloud Remote Assist for Windows < 0.317.0
Patch Available: Yes
Published: December 2, 2025
TL;DR
- High-severity privilege escalation vulnerability in JumpCloud Remote Assist for Windows
- Any local user can escalate to SYSTEM privileges or crash machines with BSOD
- Over 180,000 organizations use JumpCloud globally
- Patch to version 0.317.0 immediately
What This Means for Seattle/Tacoma SMBs
If you use JumpCloud for device management:
JumpCloud is popular with remote-first companies and organizations that need cloud-based directory services without on-premise Active Directory. If you're using JumpCloud to manage Windows endpoints, check your Remote Assist version today.
The risk is internal, not external:
This requires local access. An attacker needs to be logged into a Windows machine where JumpCloud is installed. That could be:
- A disgruntled employee
- A compromised user account (phishing, malware)
- A contractor or temp with basic user access
Once exploited, they gain SYSTEM-level access to that machine. Full control. Install malware, exfiltrate data, move laterally through your network.
Technical Details
The vulnerability exists in the JumpCloud Remote Assist uninstaller. During agent uninstall or update operations, the uninstaller runs with NT AUTHORITY\SYSTEM privileges (the highest level on Windows). The problem: it performs file operations in the user's %TEMP% directory, which any user can write to.
Attack Path 1: Denial of Service (BSOD)
An attacker creates symbolic links in the %TEMP% subdirectory. When the uninstaller tries to write a file called Un_A.exe, the symlink redirects that write to cng.sys, a critical Windows driver. Corrupting cng.sys causes an infinite Blue Screen of Death loop. The machine becomes unusable without recovery intervention.
Attack Path 2: Privilege Escalation
Using a race condition (TOCTOU), an attacker redirects a file deletion operation to remove the protected Config.Msi folder. They then replace it with malicious content and trigger Windows Installer, which executes their payload with SYSTEM privileges. Game over.
The technical requirements are not high. XM Cyber, who discovered the flaw, demonstrated working exploits. The attack is "immediately exploitable" according to researchers.
Action Checklist
Immediate (24-48 hours)
- [ ] Verify current JumpCloud Remote Assist version on all Windows endpoints
- [ ] Update to version 0.317.0 or later
- [ ] Review JumpCloud admin console for pending agent updates
Check Your Version
On affected Windows machines, check the installed version:
```powershell
Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*JumpCloud*" } | Select-Object Name, Version
```
Or check in Apps & Features for JumpCloud Remote Assist version.
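A registry-based version check, added here as an example; it is not from the original post and not JumpCloud's own tooling. It reads the same Uninstall keys that Apps & Features is built from, so it avoids Win32_Product, which is slow and triggers a consistency check (and possible repair) of every MSI-installed product each time it is queried. The display-name pattern it matches on is an assumption; adjust it to whatever Apps & Features shows on your endpoints.

```powershell
# Added example (not JumpCloud's code): read the Uninstall registry keys that
# Apps & Features is built from, find the Remote Assist entry, and compare its
# version to the fixed release. The -NamePattern default is an assumption.
function Get-RemoteAssistStatus {
    [CmdletBinding()]
    param(
        [string]$NamePattern   = '*JumpCloud*Remote Assist*',   # assumed display name
        [version]$FixedVersion = '0.317.0'                      # from the advisory
    )
    # 64-bit, 32-bit (WOW6432Node) and per-user install locations
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern }

    if (-not $entries) {
        # Say so explicitly; a silent empty result is easy to misread as "patched"
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Name         = $null
            Version      = $null
            Status       = 'NotInstalled'
        }
    }

    foreach ($entry in $entries) {
        $parsed = $null
        $status = 'UnknownVersion'
        # DisplayVersion is a plain string; parse it so "0.317.0" compares numerically,
        # not lexically (where "0.99.0" would wrongly sort above "0.317.0")
        if ([version]::TryParse($entry.DisplayVersion, [ref]$parsed)) {
            $status = if ($parsed -lt $FixedVersion) { 'VULNERABLE' } else { 'Patched' }
        }
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Name         = $entry.DisplayName
            Version      = $entry.DisplayVersion
            Status       = $status
        }
    }
}

# Locally:
Get-RemoteAssistStatus | Format-Table -AutoSize
# Across a fleet (WinRM enabled), one row per host, showing only what still needs work:
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-RemoteAssistStatus} |
#     Where-Object Status -ne 'Patched'
```

The function reports `NotInstalled` and `UnknownVersion` as distinct states on purpose: when sweeping a fleet, an endpoint that returns nothing should be a finding, not a pass.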
This Week
- [ ] Audit which users have local access to JumpCloud-managed endpoints
- [ ] Review endpoint detection logs for suspicious file activity in %TEMP% directories
- [ ] Confirm your MDR/EDR solution monitors for privilege escalation attempts
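A hunt for the precondition Attack Path 1 depends on, added as an example (it is not from the original post, JumpCloud or XM Cyber): reparse points, meaning symbolic links or junctions, sitting inside user Temp directories. Legitimate software rarely creates these there, so any hit is worth reviewing alongside your EDR's file-activity telemetry. Run it elevated, since reading other users' profile directories needs admin rights; the profile root path is an assumption.

```powershell
# Added example (not from the original post): list reparse points found under
# each local user's %TEMP% (AppData\Local\Temp), with owner and link target,
# so a planted link can be attributed and removed. Profile root is assumed.
function Find-TempReparsePoints {
    [CmdletBinding()]
    param(
        [string[]]$ProfileRoot = @("$env:SystemDrive\Users")   # assumed profile location
    )
    # Each local profile's Temp directory; profiles without one are skipped
    $tempDirs = Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' } |
        Where-Object { Test-Path -LiteralPath $_ }

    foreach ($dir in $tempDirs) {
        # -Attributes ReparsePoint filters at the provider, so only links come back
        Get-ChildItem -LiteralPath $dir -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            ForEach-Object {
                # The owner is usually the account that created the link
                $acl   = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
                $owner = if ($acl) { $acl.Owner } else { 'unknown' }
                [pscustomobject]@{
                    Path     = $_.FullName
                    LinkType = $_.LinkType                 # SymbolicLink, Junction, ...
                    Target   = ($_.Target -join '; ')      # where the link points
                    Owner    = $owner
                    Created  = $_.CreationTime
                }
            }
    }
}

Find-TempReparsePoints | Format-Table -AutoSize
```

A link in a user's Temp whose target is a system file or a protected folder is the signal to escalate; an empty result on a patched fleet is the expected steady state, which also makes this cheap to schedule and alert on.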
If You're Not on JumpCloud
This is still a learning opportunity. The root cause here, a privileged process operating on user-controlled directories, is a common vulnerability pattern. Ask your IT provider:
- What other privileged tools run operations in user-writable directories?
- Are our endpoint management agents up to date?
- Do we have visibility into local privilege escalation attempts?
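A way to start answering the first question above, added as an example that is not part of the original post: inspect a directory's ACL and report whether broad, low-privilege principals can write to it. A privileged tool that creates, renames or deletes files under such a path has the same exposure pattern as the Remote Assist uninstaller. The principal list and the sample paths at the bottom are my choices, not anything the post or JumpCloud specifies.

```powershell
# Added example (not from the original post): flag directories that Everyone,
# Users, Authenticated Users or INTERACTIVE are allowed to write to. Feed it the
# paths your privileged agents and installers work in. Principal list is assumed.
function Test-UserWritableDirectory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    begin {
        $broadPrincipals = @(
            'Everyone', 'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
        )
        # Any of these rights lets a user place, replace or remove content here
        $writeMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, Write, Modify, FullControl'
    }
    process {
        if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return }
        $acl = Get-Acl -LiteralPath $Path
        $writers = $acl.Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($broadPrincipals -contains $_.IdentityReference.Value) -and
                (($_.FileSystemRights -band $writeMask) -ne 0)
            } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique
        [pscustomobject]@{
            Path         = $Path
            UserWritable = [bool]$writers
            WritableBy   = ($writers -join ', ')
        }
    }
}

# Sample paths (my choice): the caller's Temp, the machine-wide Temp, and ProgramData
@("$env:TEMP", "$env:SystemRoot\Temp", "$env:ProgramData") | Test-UserWritableDirectory
```

Pair the output with an inventory of where each SYSTEM-level service, scheduled task and updater writes; any overlap between that list and the `UserWritable` rows is the pattern this advisory is about.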
Affected Versions
| Component | Vulnerable | Fixed |
|---|---|---|
| JumpCloud Remote Assist for Windows | < 0.317.0 | 0.317.0+ |
The JumpCloud Agent itself triggers this during updates or uninstalls, so any system running the agent with Remote Assist enabled is affected.