CVE-2025-34352: CWE-378 Creation of Temporary File With Insecure Permissions in JumpCloud Inc. Remote Assist
CVE-2025-34352 is a high-severity local privilege escalation vulnerability in JumpCloud Remote Assist for Windows versions prior to 0.317.0. It arises from insecure creation and manipulation of temporary files by the uninstaller running with SYSTEM privileges. A low-privileged local attacker can exploit this by creating a user-writable %TEMP% subdirectory with weak permissions and leveraging symbolic links or mount points to redirect file operations. This can lead to arbitrary file writes or deletions in protected system locations, potentially causing denial of service or escalation to SYSTEM privileges. No user interaction is required, but local access with low privileges is necessary. The vulnerability affects Windows systems with JumpCloud Remote Assist installed and managed via the JumpCloud Agent lifecycle. The issue is fixed in version 0.317.
AI Analysis
Technical Summary
CVE-2025-34352 is a vulnerability classified under CWE-378 (Creation of Temporary File With Insecure Permissions) and CWE-59 (Link Following). It affects JumpCloud Remote Assist for Windows prior to version 0.317.0. The root cause is the insecure handling of temporary files by the uninstaller process, which runs with SYSTEM privileges. Specifically, the uninstaller creates and manipulates temporary files in the %TEMP% directory without properly securing permissions. An attacker with low local privileges can pre-create a subdirectory within %TEMP% that is writable by the user and use symbolic links or mount points to redirect file operations to arbitrary locations on the system. Because the uninstaller runs as SYSTEM, this redirection can lead to arbitrary file writes or deletions in protected system areas. The consequences include denial of service by corrupting critical files or local privilege escalation by overwriting system files or executables, effectively granting SYSTEM-level access. Exploitation does not require user interaction but does require local access with low privileges. The vulnerability is specific to Windows environments where JumpCloud Remote Assist is installed and managed through the JumpCloud Agent lifecycle. The vendor has addressed the issue in version 0.317.0. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) reflects that the attack requires local access with low privileges, no user interaction, and results in high confidentiality, integrity, and availability impacts.
Potential Impact
For European organizations using JumpCloud Remote Assist on Windows systems, this vulnerability poses a significant risk. An attacker with low-level local access—such as a compromised user account or insider threat—can escalate privileges to SYSTEM, gaining full control over affected machines. This can lead to unauthorized access to sensitive data, disruption of critical services through denial of service, and potential lateral movement within the network. The ability to write or delete arbitrary files in protected system locations undermines system integrity and availability, potentially causing operational downtime. Given the high CVSS score and the SYSTEM-level impact, exploitation could severely affect confidentiality, integrity, and availability of IT assets. Organizations with remote support workflows relying on JumpCloud Remote Assist are particularly at risk, especially if endpoint security controls are insufficient to prevent local privilege escalation attempts. The lack of required user interaction facilitates stealthy exploitation once local access is obtained.
Mitigation Recommendations
European organizations should immediately verify the version of JumpCloud Remote Assist deployed on their Windows endpoints and upgrade to version 0.317.0 or later where the vulnerability is patched. In addition to patching, organizations should enforce strict permissions on the %TEMP% directory and its subdirectories to prevent unauthorized creation or modification of symbolic links or mount points by low-privileged users. Endpoint detection and response (EDR) solutions should be configured to monitor for suspicious file system activities involving symbolic links or unusual file operations within %TEMP%. Restricting local user permissions to prevent unnecessary write access to system directories and employing application whitelisting can reduce exploitation risk. Regular auditing of installed software and uninstaller behavior is recommended. Network segmentation and least privilege principles should be applied to limit the impact of any local compromise. Finally, user training to recognize and report suspicious local activities can aid early detection.
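The first and third recommendations above (confirm the installed version, watch %TEMP% for link redirection) can be checked per endpoint with a short script. This is an added example, not JumpCloud or vendor code; the `DisplayName` pattern and the two temp roots scanned are assumptions to adjust for your environment, and the function names are hypothetical.

```powershell
# Added example, not vendor code. Run from an elevated prompt on the endpoint.
# Assumption: the product's Uninstall entry has a DisplayName matching $NamePattern.
$NamePattern  = '*JumpCloud Remote Assist*'
$FixedVersion = [version]'0.317.0'    # fixed release named in the advisory

function Get-RemoteAssistInstall {
    # Machine-wide Uninstall keys (64-bit and 32-bit registry views).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        ForEach-Object {
            $parsed = $null
            $ok = [version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)
            [pscustomobject]@{
                Name         = $_.DisplayName
                Version      = $_.DisplayVersion
                # $null means the version string did not parse: review by hand.
                NeedsUpgrade = if ($ok) { $parsed -lt $FixedVersion } else { $null }
            }
        }
}

function Find-TempReparsePoint {
    # Assumption: these two roots cover the temp locations of interest.
    param([string[]]$Root = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp')))
    foreach ($r in ($Root | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        # Top level only and no -Recurse, so the scan never walks through a link.
        Get-ChildItem -LiteralPath $r -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
            Select-Object FullName, LinkType, Target, CreationTimeUtc
    }
}

$installs = @(Get-RemoteAssistInstall)
if ($installs.Count -eq 0) { 'No matching Uninstall entry found.' }
else { $installs | Format-Table -AutoSize }

$links = @(Find-TempReparsePoint)
if ($links.Count -eq 0) { 'No reparse points at the top level of the temp roots.' }
else { $links | Format-List }
```

A version string with fewer than three components (for example `0.317`) compares as lower than `0.317.0` and is flagged for upgrade, which errs on the side of review.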
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Belgium, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.589Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692f3503e0601f8fcd752d43
Added to database: 12/2/2025, 6:50:43 PM
Last enriched: 12/18/2025, 10:26:48 AM
Last updated: 1/16/2026, 10:15:41 PM