This vulnerability (CVE-2026-41858) arises from the use of a cryptographically weak PRNG (CWE-338) in the Get-RandomPassword function of the windows-utilities-release component in the BOSH-Ecosystem by Cloud Foundry Foundation. The randomize_password job sets the local Administrator account password to a value generated by this weak PRNG, which is seeded by the system clock. An attacker who can estimate the VM boot time can generate a small set of candidate passwords and recover the Administrator password, bypassing the security control intended to lock the account behind an unguessable password. The vulnerability affects all versions prior to v0.23.0, which includes all versions up to and including that release. The issue is resolved in version 0.23.0 and later.

An unauthenticated network attacker who can estimate the VM boot time can recover the local Administrator password by reconstructing a small candidate list of possible passwords generated by the weak PRNG. This compromises the intended security hardening of the Administrator account, potentially allowing unauthorized access to the affected system. The vulnerability does not impact confidentiality, integrity, or availability beyond the compromise of the Administrator password itself. There are no known exploits in the wild at this time.

A fix is available in windows-utilities-release version 0.23.0 and later. Users should upgrade to version 0.23.0 or newer to remediate this vulnerability. No other official remediation or temporary fixes are documented. Patch status is not explicitly stated in the vendor advisory, but the description confirms the issue is fixed starting from version 0.23.0. Until upgraded, systems remain vulnerable to password recovery via this weakness.