Insecure Randomness Flaw in Windows Utilities by BOSH Ecosystem
CVE-2026-41858
6.5MEDIUM
What is CVE-2026-41858?
A vulnerability in the BOSH Ecosystem’s Windows Utilities compromises the randomness used in generating secure passwords for local Administrator accounts. The Get-RandomPassword function relies on a predictable pseudo-random number generator (PRNG) seeded by the system clock, which allows attackers who can estimate the virtual machine's boot time to create a targeted attack. This flaw undermines the effectiveness of the randomize_password job, intended to secure the Administrator account, by making it possible for a network adversary to reconstruct a list of potential passwords, potentially granting unauthorized access to sensitive systems.
Affected Version(s)
windows-utilities-release 0 < 0.23.0
