Security Advisory

CVE-2026-41858 – Brute-forceable Windows Administrator credentials

Severity

CVSS score: 6.5 (Medium) (CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Vendor

CloudFoundry Foundation

Versions Affected

*Severity is HIGH unless otherwise noted.

windows-utilities-release

– All versions prior to v0.23.0

Description

Weak Randomness / Insecure Cryptographic Primitive (CWE-338) in Get-RandomPassword in BOSH-Ecosystem / windows-utilities-release allows a network attacker who can estimate the VM's boot time to reconstruct a small list of candidate passwords and recover the Administrator password.

The randomize_password job exists solely to lock the local Administrator account behind an unguessable password as a hardening control. Because the password is derived from a predictable, clock-seeded PRNG, the password space collapses to the set of seeds the clock could plausibly have produced: a network attacker who can estimate the VM's boot time can reconstruct a small candidate list, try each candidate against the account, and recover the Administrator password, defeating the hardening control.
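The following PowerShell is an added illustration of the bug class described above; it is not the code of Get-RandomPassword or of windows-utilities-release, whose implementation is not on this page. The function names (Get-WeakRandomPassword, Find-PasswordFromBootWindow, Get-StrongRandomPassword, ConvertTo-UnixSeconds), the choice of boot time in Unix seconds as the seed, and the 300-second estimation window are assumptions chosen to show why a clock-seeded PRNG is recoverable and what a CSPRNG-backed replacement looks like:

```powershell
# Added example, not project code. All function names and the seeding scheme are hypothetical.
$Alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'

function ConvertTo-UnixSeconds {
    param([Parameter(Mandatory)][datetime]$Utc)
    [int](($Utc - [datetime]'1970-01-01').TotalSeconds)
}

# Vulnerable pattern (CWE-338): the password is a pure function of a clock-derived seed,
# so anyone who can guess the seed to within a few hundred values can regenerate it.
function Get-WeakRandomPassword {
    param([Parameter(Mandatory)][int]$Seed, [int]$Length = 16)
    $prng = [System.Random]::new($Seed)           # same seed -> same password, every time
    -join (1..$Length | ForEach-Object { $Alphabet[$prng.Next($Alphabet.Length)] })
}

# Attacker side: enumerate every seed in the estimated boot window and test each candidate.
# $TryLogin stands in for a real logon attempt and returns $true on success.
function Find-PasswordFromBootWindow {
    param(
        [Parameter(Mandatory)][datetime]$EstimatedBootUtc,
        [int]$WindowSeconds = 300,
        [Parameter(Mandatory)][scriptblock]$TryLogin
    )
    $center = ConvertTo-UnixSeconds -Utc $EstimatedBootUtc
    $tried = 0
    foreach ($seed in ($center - $WindowSeconds)..($center + $WindowSeconds)) {
        $tried++
        $candidate = Get-WeakRandomPassword -Seed $seed
        if (& $TryLogin $candidate) {
            return [pscustomobject]@{ Password = $candidate; Seed = $seed; Attempts = $tried }
        }
    }
    return $null
}

# --- constructed scenario: VM boots now and seeds its password from the clock ---
$realBoot = [datetime]::UtcNow
$adminPassword = Get-WeakRandomPassword -Seed (ConvertTo-UnixSeconds -Utc $realBoot)

# The attacker's estimate is off by 137 s; a +/-300 s window is only 601 candidates.
$estimate = $realBoot.AddSeconds(-137)
$hit = Find-PasswordFromBootWindow -EstimatedBootUtc $estimate -WindowSeconds 300 `
           -TryLogin { param($p) $p -ceq $adminPassword }
"Recovered Administrator password after $($hit.Attempts) attempts"

# Hardened replacement: bytes from the OS CSPRNG, mapped to the alphabet with rejection
# sampling so no character is favoured (256 mod 62 = 8, so bytes >= 248 are discarded).
function Get-StrongRandomPassword {
    param([int]$Length = 32)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars = New-Object char[] $Length
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $Alphabet.Length)
    for ($i = 0; $i -lt $Length; ) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            $chars[$i] = $Alphabet[$buf[0] % $Alphabet.Length]
            $i++
        }
    }
    $rng.Dispose()
    -join $chars
}

$strong = Get-StrongRandomPassword
"Strong password length: $($strong.Length) (not reproducible from any clock value)"
```

The point of the weak half is the size of the search: the seed is not secret, it is a timestamp, and every second of uncertainty in the attacker's boot-time estimate costs them exactly one extra login attempt. The strong half removes the seed entirely; RandomNumberGenerator.Create() returns the platform CSPRNG on both Windows PowerShell 5.1 and PowerShell 7, and the rejection loop is what keeps the 62-character alphabet uniformly distributed.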

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below.

The Cloud Foundry project recommends upgrading to v0.23.0 of windows-utilities-release. To confirm which version a director has, list its uploaded releases with `bosh releases` and check that the windows-utilities-release entry in use by each Windows deployment is v0.23.0 or later.

Credit

n/a

History

June 1 2026: Initial vulnerability report published.



Cloud Foundry Foundation Security Team, AUTHOR
