Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local low-privilege authenticated user (AV:L, PR:L) overwrites a SYSTEM-run binary with no user interaction, gaining full host control (C/I/A:H); scope unchanged as impact stays on the same host.
Primary rating from Vendor (vmware).
CVSS VectorVendor: vmware
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Incorrect Permission Assignment in BOSH.Utils.psm1 in BOSH-Ecosystem bosh-windows-stemcell-builder allows low-privilege authenticated users to overwrite C:\bosh\service_wrapper.exe or C:\bosh\bosh-agent.exe and gain NT AUTHORITY\SYSTEM on the next service restart or reboot. This can lead to full host control. Affected versions: bosh-windows-stemcell-builder versions prior to v2019.98.
AnalysisAI
Local privilege escalation in BOSH-Ecosystem bosh-windows-stemcell-builder (versions prior to v2019.98) lets a low-privilege authenticated Windows user overwrite the BOSH agent executables at C:\bosh\service_wrapper.exe or C:\bosh\bosh-agent.exe, which then run as NT AUTHORITY\SYSTEM on the next service restart or reboot, yielding full host control. The weakness stems from overly permissive filesystem ACLs applied by BOSH.Utils.psm1 when the stemcell is built. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an existing low-privilege but authenticated interactive/local session on a Windows host provisioned from a bosh-windows-stemcell-builder stemcell older than v2019.98 (PR:L, AV:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H (score 8.5, High) is internally consistent with the description: exploitation is local, low-complexity, requires only existing low-privilege authenticated access, no user interaction, and produces total confidentiality, integrity and availability loss on the vulnerable host. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with any low-privilege authenticated account on a BOSH-managed Windows cell replaces C:\bosh\bosh-agent.exe (or service_wrapper.exe) with a malicious binary. When the BOSH agent service restarts or the host reboots, the planted executable runs as NT AUTHORITY\SYSTEM, giving the attacker complete control of the host. … |
| Remediation | Vendor-released patch: upgrade bosh-windows-stemcell-builder to v2019.98 or later and rebuild/redeploy Windows stemcells so newly provisioned hosts receive correct C:\bosh permissions; details at https://www.cloudfoundry.org/blog/cve-2026-47830-incorrect-permission-assignment-allows-local-privilege-escalation-to-system-via-executable-overwrite/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit BOSH deployments and identify all systems running stemcell versions prior to v2019.98. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42516
GHSA-v8gm-j274-p577