A critical vulnerability in the JumpCloud Remote Assist for Windows agent (CVE-2025-34352) allows a standard user on a company-managed device to gain full, persistent SYSTEM-level control. The flaw, discovered by XM Cyber, arises from the agent's uninstallation process, which performs privileged file operations in a user-controlled temporary folder. This enables local users to exploit the uninstall routine to overwrite or delete sensitive system files, resulting in either local privilege escalation or denial of service. Over 180,000 organizations using JumpCloud are potentially at risk until the issue is remediated.
Separately, Microsoft’s Windows Admin Center (WAC) is affected by a local privilege escalation vulnerability (CVE-2025-64669) due to insecure directory permissions on C:\ProgramData\WindowsAdminCenter. Standard users can write to this directory, which is also accessed by services running with elevated privileges, allowing attackers to exploit extension uninstall mechanisms or DLL hijacking to obtain SYSTEM-level access. Both vulnerabilities highlight the risks posed by improper privilege separation and insecure file system permissions in widely deployed Windows management tools.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
Public disclosure detailed CVE-2025-64669, a local privilege escalation vulnerability in Microsoft Windows Admin Center caused by writable privileged directories under C:\ProgramData\WindowsAdminCenter. Reporting also noted Cymulate had added validation coverage to help organizations test exposure.
Public reporting described CVE-2025-34352 as a high-severity vulnerability affecting the JumpCloud Remote Assist for Windows agent used by more than 180,000 organizations. The bug was said to be immediately exploitable for persistent privileged access, prompting organizations to update immediately.
After security researcher Hillel Pinto of XM Cyber discovered CVE-2025-34352 in JumpCloud Remote Assist for Windows, JumpCloud released a fix in version 0.317.0 or later through a responsible disclosure process. The flaw could let a regular user escalate privileges to SYSTEM or cause denial of service via the agent's uninstaller behavior in user-controlled temporary folders.
Microsoft confirmed CVE-2025-64669, rated it Important, and planned to release a fix in the December 10 Patch Tuesday update for affected Windows Admin Center versions. The issue affects versions up to 2.4.2.1 and environments running WAC 2411 and earlier.
Cymulate disclosed CVE-2025-64669 to Microsoft on 2025-08-05 after identifying local privilege escalation paths in Windows Admin Center involving insecure directory permissions, extension uninstall abuse, and updater DLL hijacking. Microsoft later awarded a bug bounty for the finding.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.