CVE-2026-41858 PUBLISHED

Assigner: vmware
Reserved: 22.04.2026 Published: 04.06.2026 Updated: 04.06.2026

Weak Randomness / Insecure Cryptographic Primitive (CWE-338) in Get-RandomPassword in BOSH-Ecosystem / windows-utilities-release allows a network attacker to estimate VM boot time and reconstruct a small candidate list to recover the Administrator password. The randomize_password job exists solely to lock the local Administrator account behind an unguessable password as a hardening control. Because the password is derived from a predictable, clock-seeded PRNG, a network attacker who can estimate VM boot time can reconstruct a small candidate list and recover the Administrator password, defeating the hardening control.

Affected versions: - windows-utilities-release: all versions prior to v0.23.0 (inclusive); fixed in v0.23.0 or later

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 6.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Cloud Foundry Foundation
Product	windows-utilities-release
Versions	Default: unaffected affected from 0 to 0.23.0 (excl.)

References

https://www.cloudfoundry.org/blog/cve-2026-41858-brute-forceable-windows-admin-creds/

Problem Types

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) CWE

Impacts

A network attacker who can estimate VM boot time can reconstruct a small candidate list and recover the Windows Administrator password, defeating the hardening control (confidentiality impact: HIGH; integrity and availability unaffected).