CVE-2026-41858 Overview
CVE-2026-41858 is a weak randomness vulnerability [CWE-338] in the Get-RandomPassword function within the BOSH-Ecosystem windows-utilities-release. The randomize_password job locks the local Administrator account behind a generated password as a hardening control. The password is derived from a clock-seeded pseudo-random number generator (PRNG), which is predictable. A network attacker who can estimate the VM boot time can reconstruct a small candidate password list and recover the Administrator password. This defeats the hardening control that the job was designed to provide.
Critical Impact
A network attacker can brute-force the local Administrator password on Windows VMs deployed by affected BOSH releases, bypassing the intended account hardening.
Affected Products
- BOSH-Ecosystem windows-utilities-release — all versions prior to v0.23.0
- Windows VMs deployed via BOSH using the randomize_password job
- Cloud Foundry deployments relying on windows-utilities-release for Administrator hardening
Discovery Timeline
- 2026-06-04 - CVE-2026-41858 published to NVD
- 2026-06-04 - Last updated in NVD database
Technical Details for CVE-2026-41858
Vulnerability Analysis
The randomize_password job in windows-utilities-release generates a password for the local Administrator account using Get-RandomPassword. The implementation relies on a PRNG that is seeded from the system clock at VM provisioning time. Clock-seeded PRNGs produce deterministic output sequences for any given seed value. An attacker who can estimate when the VM booted can enumerate the narrow range of plausible seed values and reproduce the corresponding password candidates.
Root Cause
The root cause is the use of a non-cryptographic PRNG seeded from predictable clock data to derive a security-sensitive credential. Secure password generation requires a cryptographically secure pseudo-random number generator (CSPRNG) such as System.Security.Cryptography.RandomNumberGenerator in .NET (or the older RNGCryptoServiceProvider class it supersedes, still common in Windows PowerShell scripts). The affected code path uses a weaker primitive, reducing the effective entropy of the generated password to the entropy of the boot-time seed.
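As an added illustration (not the project's code: the weak function is a hypothetical reconstruction of the pattern described, not the real Get-RandomPassword), the clock-seeded pattern beside a CSPRNG-backed replacement that runs on both Windows PowerShell 5.1 and PowerShell 7:

```powershell
# Added example, not code from windows-utilities-release.
$Alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*'

# Hypothetical weak pattern: a clock-derived seed feeds System.Random, so the
# seed is the only entropy in the password. Anyone who knows the seed gets the
# same string, which is why a guessable boot time undermines the control.
function Get-WeakPassword {
    param([int]$Length = 16,
          [int]$Seed = [int]([DateTime]::UtcNow.Ticks % [int]::MaxValue))
    $rng = [System.Random]::new($Seed)
    -join (1..$Length | ForEach-Object { $Alphabet[$rng.Next($Alphabet.Length)] })
}

# Hardened replacement: CSPRNG bytes with rejection sampling so every alphabet
# character is equally likely (no modulo bias from 256 % alphabet length).
function Get-SecureRandomPassword {
    param([int]$Length = 24)
    $n = $Alphabet.Length
    $limit = 256 - (256 % $n)           # largest multiple of $n that fits in a byte
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb = [System.Text.StringBuilder]::new()
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { [void]$sb.Append($Alphabet[$buf[0] % $n]) }
        }
    } finally {
        $rng.Dispose()
    }
    $sb.ToString()
}

# Determinism check: identical seeds give identical weak passwords, while two
# CSPRNG-backed calls are independent.
(Get-WeakPassword -Seed 12345) -eq (Get-WeakPassword -Seed 12345)
(Get-SecureRandomPassword) -eq (Get-SecureRandomPassword)
```

The first comparison evaluates to $true because the whole password is a function of the seed; the second evaluates to $false, which is the property the randomize_password job needs.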
Attack Vector
The attack is performed over the network and requires no authentication or user interaction. The attacker first estimates the boot time of the target Windows VM through observable signals such as TLS certificate timestamps, SMB negotiation responses, or VM uptime banners. The attacker then enumerates seed values across a small time window, regenerates the corresponding password candidate list, and attempts authentication against exposed Windows services such as RDP, WinRM, or SMB. The candidate set is small enough to brute-force within practical time bounds.
No verified exploit code is publicly available. See the Cloud Foundry advisory for additional technical context.
Detection Methods for CVE-2026-41858
Indicators of Compromise
- Repeated failed authentication events for the local Administrator account on Windows VMs deployed via BOSH
- Successful Administrator logons originating from unexpected network sources shortly after VM provisioning
- Anomalous RDP, WinRM, or SMB authentication patterns targeting newly booted Windows VMs
Detection Strategies
- Hunt for Windows Security Event ID 4625 (failed logon) bursts targeting the Administrator account on BOSH-deployed VMs
- Correlate VM boot events with subsequent authentication attempts within a short time window
- Identify deployments still running windows-utilities-release versions prior to v0.23.0 through BOSH director queries
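An added example (not from the advisory) that implements the first two strategies above over constructed sample events; the field names Time, Id, Target, Source and Host, and the threshold values, are assumptions of this snippet:

```powershell
# Added example: flag bursts of Event ID 4625 against the local Administrator
# account that occur within a window after the VM booted.
function Find-AdminLogonBursts {
    param(
        [Parameter(Mandatory)] [object[]]$Events,    # objects with Time, Id, Target, Source, Host
        [Parameter(Mandatory)] [datetime]$BootTime,
        [int]$HoursAfterBoot = 24,
        [int]$Threshold = 10,
        [int]$WindowMinutes = 5
    )
    $cutoff = $BootTime.AddHours($HoursAfterBoot)
    $failures = $Events | Where-Object {
        $_.Id -eq 4625 -and $_.Target -eq 'Administrator' -and
        $_.Time -ge $BootTime -and $_.Time -le $cutoff
    }
    foreach ($group in ($failures | Group-Object Host, Source)) {
        $sorted = @($group.Group | Sort-Object Time)
        # Sliding window: report the first WindowMinutes span holding Threshold or more failures.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $hits = @($sorted | Where-Object { $_.Time -ge $sorted[$i].Time -and $_.Time -lt $end })
            if ($hits.Count -ge $Threshold) {
                [pscustomobject]@{ Host = $sorted[0].Host; Source = $sorted[0].Source
                                   Failures = $hits.Count; Start = $sorted[$i].Time }
                break
            }
        }
    }
}

# Constructed sample telemetry (not real data): 12 failures from one source within
# two minutes of boot, and 2 from another source that stay below the threshold.
$boot = [datetime]'2026-06-04T09:58:00'
$sample = @()
0..11 | ForEach-Object {
    $sample += [pscustomobject]@{ Time = $boot.AddMinutes(2).AddSeconds(10 * $_); Id = 4625
                                  Target = 'Administrator'; Source = '203.0.113.7'; Host = 'windows-vm-1' }
}
0..1 | ForEach-Object {
    $sample += [pscustomobject]@{ Time = $boot.AddMinutes(5).AddSeconds(30 * $_); Id = 4625
                                  Target = 'Administrator'; Source = '198.51.100.2'; Host = 'windows-vm-1' }
}
Find-AdminLogonBursts -Events $sample -BootTime $boot | Format-Table

# For live data, read the Security log with Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}
# and map the EventData fields TargetUserName and IpAddress (from $_.ToXml()) onto Target and Source.
```

Only the 203.0.113.7 group is reported; the boot time for a real VM can be taken from (Get-CimInstance Win32_OperatingSystem).LastBootUpTime.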
Monitoring Recommendations
- Forward Windows authentication logs to a centralized SIEM and alert on brute-force patterns against local Administrator accounts
- Monitor BOSH deployment manifests for the randomize_password job and track release version inventory
- Restrict network exposure of RDP, WinRM, and SMB on BOSH-managed Windows VMs and alert on unexpected ingress
How to Mitigate CVE-2026-41858
Immediate Actions Required
- Upgrade windows-utilities-release to v0.23.0 or later across all BOSH deployments
- Rotate the local Administrator password on every Windows VM previously provisioned with an affected release
- Restrict network access to Administrator-authenticated services (RDP, WinRM, SMB) to trusted management subnets only
Patch Information
The issue is fixed in windows-utilities-release v0.23.0. The patched release replaces the clock-seeded PRNG used in Get-RandomPassword with a cryptographically secure random source. Refer to the Cloud Foundry advisory for upgrade guidance.
Workarounds
- Manually set a strong, cryptographically random Administrator password on affected VMs in place of relying on randomize_password
- Disable remote authentication paths for the local Administrator account where operationally feasible
- Place affected Windows VMs behind network segmentation that blocks untrusted access to authentication services until patched
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.