HIGH 7.5

CVE-2026-41858: BOSH Windows Administrator Password Generation Vulnerability

BOSH-Ecosystem's windows-utilities-release contains a critical password generation flaw that undermines a key security hardening measure. The tool is designed to lock down Windows VMs by setting an Administrator account password that should be cryptographically random and unguessable. However, the password generation relies on a predictable random number generator seeded only with the system clock. An attacker who can estimate when a VM was booted can narrow down the possible passwords to a small, brute-forceable set, potentially recovering the Administrator credential and gaining full control of the system.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-338
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Weak Randomness / Insecure Cryptographic Primitive (CWE-338) in Get-RandomPassword in BOSH-Ecosystem / windows-utilities-release allows a network attacker to estimate VM boot time and reconstruct a small candidate list to recover the Administrator password. The randomize_password job exists solely to lock the local Administrator account behind an unguessable password as a hardening control. Because the password is derived from a predictable, clock-seeded PRNG, a network attacker who can estimate VM boot time can reconstruct a small candidate list and recover the Administrator password, defeating the hardening control. Affected versions: - windows-utilities-release: all versions prior to v0.23.0 (inclusive); fixed in v0.23.0 or later

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from CWE-338 (Weak Randomness / Insecure Cryptographic Primitive) in the Get-RandomPassword function within the randomize_password job. The password derivation process uses a clock-seeded pseudo-random number generator (PRNG) rather than a cryptographically secure random source. This allows an attacker with network visibility and the ability to estimate VM boot time to reconstruct candidate passwords. The seed space is constrained by the precision of the clock and boot time estimate, reducing the password search space from cryptographically infeasible to computationally tractable. Windows-utilities-release versions prior to v0.23.0 are affected; the vulnerability is resolved in v0.23.0 and later.

Business impact

For organizations deploying BOSH-managed Windows infrastructure, this vulnerability creates a direct path to Administrator-level compromise. An attacker gaining control of the local Administrator account can pivot to full system control, lateral movement, data exfiltration, and malware deployment. In cloud environments, this may enable escape to the underlying hypervisor or other VMs. The impact is particularly acute because the randomize_password job exists explicitly as a hardening control—its compromise negates a foundational security assumption.

Affected systems

All versions of BOSH-Ecosystem windows-utilities-release prior to v0.23.0 are vulnerable. Systems running v0.23.0 or later are patched. The vulnerability affects any deployment that relies on the randomize_password job to set the local Administrator password during Windows VM provisioning, typically in Pivotal Cloud Foundry (PCF), OpenStack, AWS, Azure, or other cloud environments where BOSH is used for Windows workload orchestration.

Exploitability

Exploitability requires network-level access to observe VM creation timing and sufficient information to estimate the boot timestamp (often publicly visible in cloud APIs or infrastructure logs). The attacker then generates a candidate password list and attempts authentication. The CVSS 3.1 score of 7.5 (HIGH) reflects network-attackable scope, no authentication requirement, and high confidentiality impact. Active exploitation is practical if boot time can be estimated to within minutes or seconds, which is feasible in many cloud environments. The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog.

Remediation

Upgrade windows-utilities-release to v0.23.0 or later. This patch addresses the weak randomness issue by replacing the clock-seeded PRNG with a cryptographically secure random source. For immediate mitigation, apply access controls restricting network access to newly provisioned VMs during the boot window and consider using out-of-band authentication or secrets management systems (e.g., HashiCorp Vault, Azure Key Vault) to inject or retrieve the Administrator password rather than relying on client-side generation.

Patch guidance

Verify your current windows-utilities-release version in your BOSH environment. Patch to v0.23.0 or later and validate through a test environment before production deployment. Review your BOSH release manifests and deployment templates to ensure the randomize_password job is enabled; if disabled, you may be manually managing Administrator passwords, which should also be reviewed for cryptographic strength. After patching, re-deploy affected Windows VMs to apply the corrected password generation logic. Consult the official BOSH release notes for detailed upgrade instructions and any breaking changes.

Detection guidance

Monitor BOSH deployment logs and Windows Event Viewer for unusual authentication attempts targeting the local Administrator account, particularly around the timestamp of VM provisioning. Set up alerting on failed Administrator login attempts across newly deployed instances. If you maintain baseline telemetry on your BOSH infrastructure, look for VMs provisioned before the patch window and cross-reference their creation times with any successful unexpected logins. Network-based detection is limited; focus on log analysis and credential access patterns.

Why prioritize this

This vulnerability merits immediate prioritization because it directly defeats a hardening control, affects foundational infrastructure security (VM provisioning), and requires no user interaction or authentication. HIGH severity, practical exploitability in cloud environments, and the fact that it undermines a security best practice make this a critical remediation target. Organizations with significant Windows workloads on BOSH should prioritize patching within days, not weeks.

Risk score, explained

The CVSS 3.1 score of 7.5 reflects a network-exploitable vulnerability with low attack complexity, no privileges required, and high confidentiality impact (full Administrator account compromise). Integrity and availability are not directly impacted by the vulnerability itself, but once an attacker gains Administrator access, both can be compromised. The score is appropriate and reflects the severity of an unguessable password mechanism becoming guessable.

Frequently asked questions

How would an attacker estimate VM boot time?

In cloud environments, boot time can be inferred from infrastructure APIs that expose instance creation timestamps, from external network scanning to observe service availability, or from timing side-channels in provisioning workflows. An attacker with access to deployment logs or monitoring systems would have even higher precision. The attack assumes the attacker has some visibility into or influence over timing information.

Does this affect on-premises BOSH deployments?

Yes. Any deployment using windows-utilities-release prior to v0.23.0 is vulnerable regardless of whether BOSH runs on-premises, in a private cloud, or in a public cloud. The vulnerability depends on the BOSH component version, not the infrastructure type.

Can I work around this without upgrading immediately?

Temporary mitigations include: restricting network access to newly provisioned VMs during boot, disabling the randomize_password job and using external secrets management or manual password injection, or implementing additional per-VM authentication controls. However, these are workarounds; upgrading to v0.23.0 or later is the proper fix.

Are there any other security improvements in v0.23.0?

The release notes for windows-utilities-release v0.23.0 are the authoritative source. Review them to understand all changes and verify there are no breaking changes relevant to your environment before deploying.

This analysis is provided for informational purposes to support vulnerability management and risk prioritization. It is not a substitute for official vendor advisories, security bulletins, or professional security assessment. Verify all patch versions and affected product details against official BOSH and windows-utilities-release documentation. Test all patches in non-production environments before deploying to production systems. The absence of active exploitation or CISA KEV status does not indicate lower risk; prioritize based on your environment's exposure and attack surface. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).