Skip to main content

windows-utilities-release EUVDEUVD-2026-34195

| CVE-2026-41858 HIGH
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)
2026-06-04 vmware GHSA-f9p6-prpf-3757
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

8
Patch available
Jun 04, 2026 - 04:15 EUVD
Analysis Updated
Jun 04, 2026 - 03:29 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 04, 2026 - 03:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 04, 2026 - 03:22 vuln.today
cvss_changed
Severity Changed
Jun 04, 2026 - 03:22 NVD
MEDIUM HIGH
CVSS changed
Jun 04, 2026 - 03:22 NVD
6.5 (MEDIUM) 7.5 (HIGH)
Analysis Generated
Jun 04, 2026 - 02:43 vuln.today
CVE Published
Jun 04, 2026 - 02:10 nvd
MEDIUM 6.5

DescriptionCVE.org

Weak Randomness / Insecure Cryptographic Primitive (CWE-338) in Get-RandomPassword in BOSH-Ecosystem / windows-utilities-release allows a network attacker to estimate VM boot time and reconstruct a small candidate list to recover the Administrator password. The randomize_password job exists solely to lock the local Administrator account behind an unguessable password as a hardening control. Because the password is derived from a predictable, clock-seeded PRNG, a network attacker who can estimate VM boot time can reconstruct a small candidate list and recover the Administrator password, defeating the hardening control.

Affected versions:

  • windows-utilities-release: all versions prior to v0.23.0 (inclusive); fixed in v0.23.0 or later

AnalysisAI

Predictable password generation in Cloud Foundry's BOSH windows-utilities-release (versions prior to v0.23.0) allows remote attackers to recover the local Administrator password set by the randomize_password job. The Get-RandomPassword routine seeds its PRNG from system clock state, so an attacker who can estimate VM boot time can reduce the search space to a small candidate list and brute-force the credential, defeating the hardening control that was supposed to lock down the account. No public exploit identified at time of analysis, but the CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/C:H) reflects the realistic recoverability of high-value Administrator credentials over the network.

Technical ContextAI

The vulnerability lives in the windows-utilities-release BOSH job randomize_password, distributed by the Cloud Foundry Foundation for hardening Windows stemcells in BOSH-managed deployments. The job's Get-RandomPassword PowerShell helper relies on a pseudo-random number generator seeded from a predictable, clock-derived value (a classic CWE-338, Use of Cryptographically Weak PRNG, manifestation - likely the default System.Random() rather than System.Security.Cryptography.RNGCryptoServiceProvider/RandomNumberGenerator). Because the same seed reproduces the same output sequence, anyone who can narrow the seed value - here, by estimating the moment of VM boot when the job runs - can enumerate the small set of possible passwords the function could have produced. The CPE cpe:2.3:a:cloud_foundry_foundation:windows-utilities-release confirms the affected component is the upstream BOSH release rather than Windows itself.

RemediationAI

Vendor-released patch: upgrade windows-utilities-release to v0.23.0 or later and redeploy any BOSH manifests that include the randomize_password job so the Administrator password is regenerated using the corrected RNG; see https://www.cloudfoundry.org/blog/cve-2026-41858-brute-forceable-windows-admin-creds/ for the official guidance. Simply upgrading the release without re-running the job leaves the previously generated weak password in place, so operators must trigger a password reset on already-deployed VMs (re-running randomize_password under the patched release, or rotating the local Administrator password out-of-band via stemcell tooling). As compensating controls until upgrade, restrict network reachability to RDP (TCP/3389) and WinRM (TCP/5985, 5986) on Windows VMs to BOSH/jumpbox subnets only, disable interactive logon for the local Administrator account where Group Policy permits (trade-off: breaks break-glass access), and tighten egress on boot-time telemetry so attackers cannot precisely estimate VM start timestamps - note that timing inference is also possible from public load balancers and monitoring dashboards, so this control is partial.

Share

EUVD-2026-34195 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy