JumpCloud Remote Assist < 0.317.0 Arbitrary File Write/Delete via Insecure...

8.5 / 10

HIGH

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

JumpCloud Remote Assist for Windows versions prior to 0.317.0 include an uninstaller that is invoked by the JumpCloud Windows Agent as NT AUTHORITY\SYSTEM during agent uninstall or update operations. The Remote Assist uninstaller performs privileged create, write, execute, and delete actions on predictable files inside a user-writable %TEMP% subdirectory without validating that the directory is trusted or resetting its ACLs when it already exists. A local, low-privileged attacker can pre-create the directory with weak permissions and leverage mount-point or symbolic-link redirection to (a) coerce arbitrary file writes to protected locations, leading to denial of service (e.g., by overwriting sensitive system files), or (b) win a race to redirect DeleteFileW() to attacker-chosen targets, enabling arbitrary file or folder deletion and local privilege escalation to SYSTEM. This issue is fixed in JumpCloud Remote Assist 0.317.0 and affects Windows systems where Remote Assist is installed and managed through the Agent lifecycle.

AI Analysis

Arbitrary file write/delete vulnerability via insecure temp directory in JumpCloud Remote Assist for Windows versions prior to 0.317.0

Basic Information

ID CVE-2025-34352

Source VulnCheck

Published Dec 2, 2025 at 18:39

Modified Dec 2, 2025 at 19:13

Affected Product

Vendor JumpCloud Inc.

Product Remote Assist

Affected Versions JumpCloud Inc. Remote Assist 0

CWE Classification

CWE-378 CWE-59

AI Assessment

AI Score 8.5 / 10

AI Severity High

Vendor JumpCloud Inc.

Product Remote Assist

Version < 0.317.0

References

{
    "lastseen": "",
    "description": "JumpCloud Remote Assist for Windows versions prior to 0.317.0 include an uninstaller that is invoked by the JumpCloud Windows Agent as NT AUTHORITY\\SYSTEM during agent uninstall or update operations. The Remote Assist uninstaller performs privileged create, write, execute, and delete actions on predictable files inside a user-writable %TEMP% subdirectory without validating that the directory is trusted or resetting its ACLs when it already exists. A local, low-privileged attacker can pre-create the directory with weak permissions and leverage mount-point or symbolic-link redirection to (a) coerce arbitrary file writes to protected locations, leading to denial of service (e.g., by overwriting sensitive system files), or (b) win a race to redirect DeleteFileW() to attacker-chosen targets, enabling arbitrary file or folder deletion and local privilege escalation to SYSTEM. This issue is fixed in JumpCloud Remote Assist 0.317.0 and affects Windows systems where Remote Assist is installed and managed through the Agent lifecycle.",
    "published": "2025-12-02T18:39:33.277Z",
    "modified": "2025-12-02T19:13:06.754Z",
    "type": "cve",
    "title": "JumpCloud Remote Assist < 0.317.0 Arbitrary File Write/Delete via Insecure Temp Directory",
    "source": "VulnCheck",
    "references": "https://jumpcloud.com/platform/remote-assistance\nhttps://jumpcloud.com/support/list-of-jumpcloud-agent-release-notes\nhttps://www.vulncheck.com/advisories/jumpcloud-remote-assist-arbitrary-file-write-delete-via-insecure-temp-directory",
    "id": "CVE-2025-34352",
    "bulletinFamily": "",
    "cwe": [
        "CWE-378",
        "CWE-59"
    ],
    "cvelist": null,
    "sourceData": "JumpCloud Inc. Remote Assist 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.5,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Remote Assist",
    "version": "0",
    "vendor": "JumpCloud Inc.",
    "ai_description": "Arbitrary file write/delete vulnerability via insecure temp directory in JumpCloud Remote Assist for Windows versions prior to 0.317.0",
    "ai_severity": "High",
    "ai_vendor": "JumpCloud Inc.",
    "ai_product": "Remote Assist",
    "ai_version": "< 0.317.0",
    "ai_score": 8.5
}

JumpCloud Remote Assist < 0.317.0 Arbitrary File Write/Delete via Insecure Temp Directory_CVE-2025-34352