Skip to main content

bosh-windows-stemcell-builder CVE-2026-47830

| EUVDEUVD-2026-42516 HIGH
2026-07-09 vmware GHSA-v8gm-j274-p577
8.5
CVSS 4.0 · Vendor: vmware
Share

Severity by source

Vendor (vmware) PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

Local low-privilege authenticated user (AV:L, PR:L) overwrites a SYSTEM-run binary with no user interaction, gaining full host control (C/I/A:H); scope unchanged as impact stays on the same host.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (vmware).

CVSS VectorVendor: vmware

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 09, 2026 - 08:01 EUVD
Analysis Generated
Jul 09, 2026 - 07:20 vuln.today
CVE Published
Jul 09, 2026 - 06:25 cve.org
HIGH 8.5

DescriptionCVE.org

Incorrect Permission Assignment in BOSH.Utils.psm1 in BOSH-Ecosystem bosh-windows-stemcell-builder allows low-privilege authenticated users to overwrite C:\bosh\service_wrapper.exe or C:\bosh\bosh-agent.exe and gain NT AUTHORITY\SYSTEM on the next service restart or reboot. This can lead to full host control. Affected versions: bosh-windows-stemcell-builder versions prior to v2019.98.

AnalysisAI

Local privilege escalation in BOSH-Ecosystem bosh-windows-stemcell-builder (versions prior to v2019.98) lets a low-privilege authenticated Windows user overwrite the BOSH agent executables at C:\bosh\service_wrapper.exe or C:\bosh\bosh-agent.exe, which then run as NT AUTHORITY\SYSTEM on the next service restart or reboot, yielding full host control. The weakness stems from overly permissive filesystem ACLs applied by BOSH.Utils.psm1 when the stemcell is built. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege authenticated session on host
Delivery
Overwrite C:\bosh\bosh-agent.exe with malicious binary
Exploit
Trigger or await service restart/reboot
Execution
Payload executes as NT AUTHORITY\SYSTEM
Impact
Full host control

Vulnerability AssessmentAI

Exploitation Requires an existing low-privilege but authenticated interactive/local session on a Windows host provisioned from a bosh-windows-stemcell-builder stemcell older than v2019.98 (PR:L, AV:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H (score 8.5, High) is internally consistent with the description: exploitation is local, low-complexity, requires only existing low-privilege authenticated access, no user interaction, and produces total confidentiality, integrity and availability loss on the vulnerable host. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with any low-privilege authenticated account on a BOSH-managed Windows cell replaces C:\bosh\bosh-agent.exe (or service_wrapper.exe) with a malicious binary. When the BOSH agent service restarts or the host reboots, the planted executable runs as NT AUTHORITY\SYSTEM, giving the attacker complete control of the host. …
Remediation Vendor-released patch: upgrade bosh-windows-stemcell-builder to v2019.98 or later and rebuild/redeploy Windows stemcells so newly provisioned hosts receive correct C:\bosh permissions; details at https://www.cloudfoundry.org/blog/cve-2026-47830-incorrect-permission-assignment-allows-local-privilege-escalation-to-system-via-executable-overwrite/. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit BOSH deployments and identify all systems running stemcell versions prior to v2019.98. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-47830 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy