CVE-2025-34352: CWE-378 Creation of Temporary File With Insecure Permissions in JumpCloud Inc. Remote Assist
JumpCloud Remote Assist for Windows versions prior to 0.317.0 include an uninstaller that is invoked by the JumpCloud Windows Agent as NT AUTHORITY\SYSTEM during agent uninstall or update operations. The Remote Assist uninstaller performs privileged create, write, execute, and delete actions on predictable files inside a user-writable %TEMP% subdirectory without validating that the directory is trusted or resetting its ACLs when it already exists. A local, low-privileged attacker can pre-create the directory with weak permissions and leverage mount-point or symbolic-link redirection to (a) coerce arbitrary file writes to protected locations, leading to denial of service (e.g., by overwriting sensitive system files), or (b) win a race to redirect DeleteFileW() to attacker-chosen targets, enabling arbitrary file or folder deletion and local privilege escalation to SYSTEM. This issue is fixed in JumpCloud Remote Assist 0.317.0 and affects Windows systems where Remote Assist is installed and managed through the Agent lifecycle.
AI Analysis
Technical Summary
CVE-2025-34352 is a vulnerability classified under CWE-378 (Creation of Temporary File With Insecure Permissions) and CWE-59 (Link Following). The JumpCloud Remote Assist uninstaller, invoked by the JumpCloud Windows Agent running as NT AUTHORITY\SYSTEM during uninstall or update, performs privileged file operations in a user-writable %TEMP% subdirectory. The uninstaller creates, writes, executes, and deletes files in this predictable temporary directory without verifying whether the directory is trusted or resetting its Access Control Lists (ACLs) when it already exists. This insecure handling allows a local attacker with low privileges to pre-create the temporary directory with weak permissions and leverage symbolic-link or mount-point redirection techniques. By doing so, the attacker can coerce the uninstaller to write arbitrary files to protected system locations, potentially overwriting critical system files and causing denial of service. Additionally, the attacker can race the DeleteFileW() operation to delete arbitrary files or folders, enabling local privilege escalation to SYSTEM. The vulnerability affects all Windows systems with JumpCloud Remote Assist installed and managed via the Agent lifecycle prior to version 0.317.0. The CVSS v4.0 score is 8.5 (high severity), reflecting the local attack vector with low complexity, no authentication required, and high impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild as of publication.
Potential Impact
For European organizations using JumpCloud Remote Assist on Windows, this vulnerability poses significant risks. An attacker with local access—such as an insider, contractor, or someone who gains limited user access—can escalate privileges to SYSTEM, gaining full control over the affected machine. This can lead to unauthorized access to sensitive data, disruption of critical services through denial of service by overwriting system files, and potential lateral movement within the network. Organizations in sectors with strict regulatory requirements (e.g., finance, healthcare, government) could face compliance violations and reputational damage if exploited. The vulnerability undermines the integrity and availability of systems managed via JumpCloud Remote Assist, potentially impacting endpoint security management and remote support operations. Since the attack requires local access, the threat is heightened in environments with shared workstations, remote desktop access, or insufficient endpoint access controls.
Mitigation Recommendations
European organizations should immediately upgrade JumpCloud Remote Assist to version 0.317.0 or later, where this vulnerability is fixed. Until the update is applied, restrict local user access on systems running JumpCloud Remote Assist to trusted personnel only. Implement strict endpoint access controls and monitoring to detect unusual file system activities, especially in user-writable temporary directories. Employ application whitelisting and endpoint detection and response (EDR) solutions to identify and block attempts to create symbolic links or mount points in %TEMP% directories. Regularly audit permissions on temporary directories to ensure they are not writable by low-privileged users. Additionally, consider isolating critical JumpCloud-managed endpoints from untrusted networks and users to reduce the risk of local exploitation. Finally, educate IT and security teams about this vulnerability and monitor JumpCloud advisories for any emerging exploit reports.
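The two preconditions described above (a pre-created, reparse-point or weakly permissioned subdirectory under a temp directory) can be audited on an endpoint before the update lands. The following PowerShell script is an added example, not JumpCloud's code or tooling; the directory to audit (defaulting to $env:TEMP, since the advisory does not name the exact subdirectory) and the list of principals treated as "broad" are assumptions.

```powershell
# Added example, not JumpCloud's code: audit a temp directory for the two
# preconditions CVE-2025-34352 relies on, i.e. subdirectories that are
# reparse points (junction / mount point / symbolic link) and subdirectories
# whose ACL grants write access to broad, low-privileged principals.
# The directory to audit and the list of "broad" principals are assumptions.
param(
    [string]$Root = $env:TEMP,
    [string[]]$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
)

# Rights that let a low-privileged user plant, replace or remove entries.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

# Returns the first broad principal holding an Allow ACE with write rights, else $null.
function Test-BroadWriteAccess {
    param([System.IO.DirectoryInfo]$Dir)
    $acl = Get-Acl -LiteralPath $Dir.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $ace.IdentityReference.Value }
    }
    return $null
}

$findings = foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory -Force) {
    # ReparsePoint covers junctions, volume mount points and symbolic links,
    # all of which can redirect a privileged file operation elsewhere.
    if ($dir.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
        [pscustomobject]@{ Path = $dir.FullName; Finding = 'reparse point'; Detail = $dir.LinkType }
    }
    $grantee = Test-BroadWriteAccess -Dir $dir
    if ($grantee) {
        [pscustomobject]@{ Path = $dir.FullName; Finding = 'broad write access'; Detail = $grantee }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { "No findings under $Root" }
```

Run it in the SYSTEM context (for example through the agent's own scheduled task or PsExec -s) so that $env:TEMP resolves to the directory the privileged uninstaller actually uses; account names are compared as returned by the OS, so localized group names need adding to the principal list.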
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.589Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692f3503e0601f8fcd752d43
Added to database: 12/2/2025, 6:50:43 PM
Last enriched: 12/2/2025, 7:05:40 PM
Last updated: 12/2/2025, 7:52:46 PM