Description
Weak Randomness / Insecure Cryptographic Primitive (CWE-338) in Get-RandomPassword in BOSH-Ecosystem / windows-utilities-release allows a network attacker to estimate VM boot time and reconstruct a small candidate list to recover the Administrator password. The randomize_password job exists solely to lock the local Administrator account behind an unguessable password as a hardening control. Because the password is derived from a predictable, clock-seeded PRNG, a network attacker who can estimate VM boot time can reconstruct a small candidate list and recover the Administrator password, defeating the hardening control.

Affected versions:
- windows-utilities-release: all versions prior to v0.23.0 (inclusive); fixed in v0.23.0 or later
Published: 2026-06-04
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from weak randomness in the Get-RandomPassword function delivered by the BOSH-Ecosystem windows-utilities-release. Because the PRNG is seeded from a predictable clock source, an attacker who can estimate the VM boot time can produce a small set of candidate passwords. By brute-forcing this small list the attacker can recover the password of the local Administrator account that the hardening job was intended to protect. The weakness is classified as CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator), which here compromises the confidentiality of a privileged credential.

Affected Systems

All versions of the Cloud Foundry Foundation windows-utilities-release older than v0.23.0 are affected. The password generation was changed in v0.23.0 to use a secure randomizer, eliminating the predictable seed.
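The weak pattern beside its corrected form, as an added PowerShell illustration that is not the project's Get-RandomPassword; the function names, the TickCount seed and the 64-character set are assumptions made for this example:

```powershell
# Added illustration, not the project's Get-RandomPassword. Both function
# names, the seed source and the character set are assumptions.
$Charset = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*'  # 64 chars

# Weak pattern (CWE-338): System.Random is a deterministic PRNG, so seeding it
# from the clock means the password is a function of the (guessable) seed.
function Get-WeakRandomPassword {
    param([int]$Length = 20,
          [int]$Seed = [Environment]::TickCount)   # ms since boot (assumed seed)
    $prng = [System.Random]::new($Seed)
    $out = foreach ($i in 1..$Length) { $Charset[$prng.Next($Charset.Length)] }
    return -join $out
}

# Hardened pattern: bytes from the OS CSPRNG. Works on Windows PowerShell 5.1
# and PowerShell 7. The 64-entry set divides 256 evenly, so 'byte % 64'
# introduces no modulo bias.
function Get-SecureRandomPassword {
    param([int]$Length = 20)
    if ($Charset.Length -ne 64) { throw 'charset must have exactly 64 entries' }
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $bytes = [byte[]]::new($Length)
        $rng.GetBytes($bytes)
        $out = foreach ($b in $bytes) { $Charset[$b % 64] }
        return -join $out
    } finally {
        $rng.Dispose()
    }
}

# Same seed in, same "random" password out: this is what a clock seed exposes.
$a = Get-WeakRandomPassword -Seed 1234567
$b = Get-WeakRandomPassword -Seed 1234567
"weak generator deterministic: $($a -eq $b)"     # True

# Two CSPRNG draws depend on neither the clock nor each other.
"secure sample: $(Get-SecureRandomPassword)"
"secure sample: $(Get-SecureRandomPassword)"
```

Reviewing a generator for a `[System.Random]` construction (with or without an explicit seed) is the quickest way to spot this class of weakness in PowerShell hardening scripts.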

Risk and Exploitability

The CVSS score of 6.5 (Medium) reflects a vector of AV:N/AC:L/PR:N/UI:N with high confidentiality impact: a successful attack bypasses a core hardening control and yields the local Administrator password, that is, full privilege on the VM. Because the attack needs only an estimate of the VM boot time, a network-positioned attacker can attempt it without direct host access. EPSS is not provided, so the current exploitation probability is unclear, and the CVE is not listed in the KEV catalog. Nonetheless, the impact remains significant for environments that rely on this hardening control.

Generated by OpenCVE AI on June 4, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the windows‑utilities‑release to v0.23.0 or newer so that passwords are generated with a secure random source.
  • Enable logging for the randomize_password job and monitor for repeated login attempts on the local Administrator account.
  • If an upgrade cannot be performed immediately, consider discontinuing use of the local Administrator account on the VM, or replacing it with a pass-through or service account that is not exposed to the local security context.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 03:45:00 +0000

Type: Title
Values removed: (empty)
Values added: Weak Randomness Allows Brute-Force Recovery of Windows Administrator Password

Thu, 04 Jun 2026 02:30:00 +0000

Type: Description
Values removed: (empty)
Values added: Weak Randomness / Insecure Cryptographic Primitive (CWE-338) in Get-RandomPassword in BOSH-Ecosystem / windows-utilities-release allows a network attacker to estimate VM boot time and reconstruct a small candidate list to recover the Administrator password. The randomize_password job exists solely to lock the local Administrator account behind an unguessable password as a hardening control. Because the password is derived from a predictable, clock-seeded PRNG, a network attacker who can estimate VM boot time can reconstruct a small candidate list and recover the Administrator password, defeating the hardening control. Affected versions: - windows-utilities-release: all versions prior to v0.23.0 (inclusive); fixed in v0.23.0 or later

Type: Weaknesses
Values removed: (empty)
Values added: CWE-338

Type: References
Values removed: (empty)
Values added: (empty)

Type: Metrics
Values removed: (empty)
Values added: cvssV3_1, score 6.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-04T02:10:34.656Z

Reserved: 2026-04-22T06:22:10.082Z

Link: CVE-2026-41858

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-04T03:16:19.790

Modified: 2026-06-04T03:16:19.790

Link: CVE-2026-41858

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T03:30:04Z

Weaknesses