Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
8DescriptionCVE.org
Weak Randomness / Insecure Cryptographic Primitive (CWE-338) in Get-RandomPassword in BOSH-Ecosystem / windows-utilities-release allows a network attacker to estimate VM boot time and reconstruct a small candidate list to recover the Administrator password. The randomize_password job exists solely to lock the local Administrator account behind an unguessable password as a hardening control. Because the password is derived from a predictable, clock-seeded PRNG, a network attacker who can estimate VM boot time can reconstruct a small candidate list and recover the Administrator password, defeating the hardening control.
Affected versions:
- windows-utilities-release: all versions prior to v0.23.0 (inclusive); fixed in v0.23.0 or later
AnalysisAI
Predictable password generation in Cloud Foundry's BOSH windows-utilities-release (versions prior to v0.23.0) allows remote attackers to recover the local Administrator password set by the randomize_password job. The Get-RandomPassword routine seeds its PRNG from system clock state, so an attacker who can estimate VM boot time can reduce the search space to a small candidate list and brute-force the credential, defeating the hardening control that was supposed to lock down the account. No public exploit identified at time of analysis, but the CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/C:H) reflects the realistic recoverability of high-value Administrator credentials over the network.
Technical ContextAI
The vulnerability lives in the windows-utilities-release BOSH job randomize_password, distributed by the Cloud Foundry Foundation for hardening Windows stemcells in BOSH-managed deployments. The job's Get-RandomPassword PowerShell helper relies on a pseudo-random number generator seeded from a predictable, clock-derived value (a classic CWE-338, Use of Cryptographically Weak PRNG, manifestation - likely the default System.Random() rather than System.Security.Cryptography.RNGCryptoServiceProvider/RandomNumberGenerator). Because the same seed reproduces the same output sequence, anyone who can narrow the seed value - here, by estimating the moment of VM boot when the job runs - can enumerate the small set of possible passwords the function could have produced. The CPE cpe:2.3:a:cloud_foundry_foundation:windows-utilities-release confirms the affected component is the upstream BOSH release rather than Windows itself.
RemediationAI
Vendor-released patch: upgrade windows-utilities-release to v0.23.0 or later and redeploy any BOSH manifests that include the randomize_password job so the Administrator password is regenerated using the corrected RNG; see https://www.cloudfoundry.org/blog/cve-2026-41858-brute-forceable-windows-admin-creds/ for the official guidance. Simply upgrading the release without re-running the job leaves the previously generated weak password in place, so operators must trigger a password reset on already-deployed VMs (re-running randomize_password under the patched release, or rotating the local Administrator password out-of-band via stemcell tooling). As compensating controls until upgrade, restrict network reachability to RDP (TCP/3389) and WinRM (TCP/5985, 5986) on Windows VMs to BOSH/jumpbox subnets only, disable interactive logon for the local Administrator account where Group Policy permits (trade-off: breaks break-glass access), and tighten egress on boot-time telemetry so attackers cannot precisely estimate VM start timestamps - note that timing inference is also possible from public load balancers and monitoring dashboards, so this control is partial.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34195
GHSA-f9p6-prpf-3757