Insecure Randomness Flaw in Windows Utilities by BOSH Ecosystem
CVE-2026-41858

6.5MEDIUM

What is CVE-2026-41858?

A vulnerability in the BOSH Ecosystem’s Windows Utilities compromises the randomness used in generating secure passwords for local Administrator accounts. The Get-RandomPassword function relies on a predictable pseudo-random number generator (PRNG) seeded by the system clock, which allows attackers who can estimate the virtual machine's boot time to create a targeted attack. This flaw undermines the effectiveness of the randomize_password job, intended to secure the Administrator account, by making it possible for a network adversary to reconstruct a list of potential passwords, potentially granting unauthorized access to sensitive systems.

Affected Version(s)

windows-utilities-release 0 < 0.23.0

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.