CVE-2026-41858
Awaiting Analysis Awaiting Analysis - Queue
Weak Randomness in BOSH-Ecosystem Windows Utilities Allows Password Recovery

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: VMware

Description
Weak Randomness / Insecure Cryptographic Primitive (CWE-338) in Get-RandomPassword in BOSH-Ecosystem / windows-utilities-release allows a network attacker to estimate VM boot time and reconstruct a small candidate list to recover the Administrator password. The randomize_password job exists solely to lock the local Administrator account behind an unguessable password as a hardening control. Because the password is derived from a predictable, clock-seeded PRNG, a network attacker who can estimate VM boot time can reconstruct a small candidate list and recover the Administrator password, defeating the hardening control. Affected versions: - windows-utilities-release: all versions prior to v0.23.0 (inclusive); fixed in v0.23.0 or later
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-06-24
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-23
NVD
CVE-2026-41858
EUVD
EUVD-2026-34195
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vmware windows_utilities_release to 0.23.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41858 is a vulnerability in the windows-utilities-release component of the BOSH-Ecosystem. It involves weak randomness due to an insecure cryptographic primitive in the Get-RandomPassword function. Specifically, the password for the local Administrator account is generated using a predictable, clock-seeded pseudo-random number generator (PRNG). Because of this, a network attacker who can estimate the virtual machine (VM) boot time can reconstruct a small list of possible passwords and recover the Administrator password, defeating the intended security control.

Impact Analysis

This vulnerability allows a network attacker to recover the local Administrator password by exploiting the predictable password generation process. Once the attacker recovers the Administrator password, they can gain unauthorized administrative access to the affected system. This compromises the security of the system by defeating the hardening control intended to protect the Administrator account.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the windows-utilities-release to version 0.23.0 or later.

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41858. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart