Description
Weak Randomness / Insecure Cryptographic Primitive (CWE-338) in Get-RandomPassword in BOSH-Ecosystem / windows-utilities-release allows a network attacker to estimate VM boot time and reconstruct a small candidate list to recover the Administrator password. The randomize_password job exists solely to lock the local Administrator account behind an unguessable password as a hardening control. Because the password is derived from a predictable, clock-seeded PRNG, a network attacker who can estimate VM boot time can reconstruct a small candidate list and recover the Administrator password, defeating the hardening control.

Affected versions:
- windows-utilities-release: all versions prior to v0.23.0 (inclusive); fixed in v0.23.0 or later
Published: 2026-06-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from weak randomness in the Get-RandomPassword function delivered by the BOSH-Ecosystem windows-utilities-release. Because the password is seeded from a predictable clock source, an attacker can estimate the VM boot time and produce a small set of candidate passwords. By brute-forcing this small list the attacker can recover the password of the local Administrator account that the hardening job was intended to protect. The weakness is classified as CWE-338 (use of a cryptographically weak PRNG), which here compromises the confidentiality of a privileged credential.

Affected Systems

All versions of the Cloud Foundry Foundation windows-utilities-release older than v0.23.0 are affected. The password generator was updated in v0.23.0 to use a secure random source, eliminating the predictable seed.

Risk and Exploitability

The CVSS 3.1 score of 6.5 (Medium) reflects a high confidentiality impact: bypassing this core hardening control can lead to privilege escalation on the VM. The attack needs only an estimate of the VM boot time, so a network-connected attacker with remote visibility can attempt it without direct host access. EPSS is not provided, so the current exploitation probability is unclear, and the CVE is not listed in the KEV catalog. Nonetheless, the impact remains significant for environments that rely on this hardening control.

Generated by OpenCVE AI on June 4, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade windows-utilities-release to v0.23.0 or newer so that passwords are generated from a secure random source.
  • Enable logging for the randomize_password job and monitor for repeated login attempts against the local Administrator account.
  • If an upgrade cannot be performed immediately, consider discontinuing use of the Administrator account on the VM, or replacing it with a pass-through or service account that is not exposed to the local security context.
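
As an added illustration (not code from windows-utilities-release; the function names, alphabet and lengths are assumptions), the clock-seeded pattern that CWE-338 describes beside a generator that draws from the OS CSPRNG, which is the kind of secure random source the upgrade provides:

```powershell
# Added illustration, not code from windows-utilities-release. Function names,
# alphabet and lengths are assumptions.

# WEAK PATTERN (CWE-338): System.Random seeded from the uptime clock. Every output is a
# pure function of the seed, so the effective password space collapses to the range of
# plausible boot times. Shown only so reviewers can recognise the pattern in code review.
function Get-RandomPasswordWeak {
    param([int]$Length = 20)
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    $prng = [System.Random]::new([Environment]::TickCount)   # clock-derived seed
    -join (1..$Length | ForEach-Object { $alphabet[$prng.Next($alphabet.Length)] })
}

# HARDENED: bytes come from the OS CSPRNG via RandomNumberGenerator, so there is no seed
# to estimate, and rejection sampling keeps every alphabet index equally likely.
function Get-RandomPasswordSecure {
    param([int]$Length = 24)
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = [byte[]]::new(1)
    $limit = 256 - (256 % $alphabet.Length)   # bytes >= limit are discarded (no modulo bias)
    $sb    = [System.Text.StringBuilder]::new($Length)
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {
                [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
            }
        }
    } finally {
        $rng.Dispose()
    }
    $sb.ToString()
}

# How a hardening job would apply the result (commented out: it changes the local
# Administrator password and needs an elevated session).
# $pw = Get-RandomPasswordSecure -Length 32
# Set-LocalUser -Name 'Administrator' -Password (ConvertTo-SecureString $pw -AsPlainText -Force)

Get-RandomPasswordSecure -Length 32
```

When reviewing a password-generating script, the presence of `[System.Random]`, `Get-Random -SetSeed`, or any seed derived from `TickCount`, `Get-Date` or uptime is the signal to replace the generator, not to lengthen the password.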

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 10:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Cloud Foundry Foundation
                                      Cloud Foundry Foundation windows-utilities-release
Vendors & Products                    Cloud Foundry Foundation
                                      Cloud Foundry Foundation windows-utilities-release

Thu, 04 Jun 2026 16:30:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 03:45:00 +0000

Type    Values Removed   Values Added
Title                    Weak Randomness Allows Brute-Force Recovery of Windows Administrator Password

Thu, 04 Jun 2026 02:30:00 +0000

Type          Values Removed   Values Added
Description                    Weak Randomness / Insecure Cryptographic Primitive (CWE-338) in Get-RandomPassword in BOSH-Ecosystem / windows-utilities-release allows a network attacker to estimate VM boot time and reconstruct a small candidate list to recover the Administrator password. The randomize_password job exists solely to lock the local Administrator account behind an unguessable password as a hardening control. Because the password is derived from a predictable, clock-seeded PRNG, a network attacker who can estimate VM boot time can reconstruct a small candidate list and recover the Administrator password, defeating the hardening control. Affected versions: - windows-utilities-release: all versions prior to v0.23.0 (inclusive); fixed in v0.23.0 or later
Weaknesses                     CWE-338
References
Metrics                        cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-04T15:07:20.434Z

Reserved: 2026-04-22T06:22:10.082Z

Link: CVE-2026-41858

Vulnrichment

Updated: 2026-06-04T14:21:39.518Z

NVD

Status : Awaiting Analysis

Published: 2026-06-04T03:16:19.790

Modified: 2026-06-04T15:35:18.623

Link: CVE-2026-41858

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T10:09:21Z

Weaknesses
  • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)