VYPR
High severity · 7.5 · NVD Advisory · Published Jun 4, 2026

CVE-2026-41858

Description

CVE-2026-41858: Predictable password generation in windows-utilities-release allows network attackers to recover Administrator credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Weak randomness / insecure cryptographic primitive (CWE-338) in the Get-RandomPassword function of the BOSH ecosystem's windows-utilities-release allows recovery of the local Administrator password. The hardening control that secures the Administrator account is defeated because the password is derived from a predictable, clock-seeded pseudo-random number generator (PRNG). All versions of windows-utilities-release prior to v0.23.0 are affected [1].
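
The general remedy for a clock-seeded generator of this kind is to draw every character from the operating system's CSPRNG, which has no seed to estimate. The following is an added example, not code from windows-utilities-release or its v0.23.0 fix; the function name New-CsprngPassword, the alphabet and the length limits are assumptions.

```powershell
# Added illustration: New-CsprngPassword is a hypothetical name, not the
# project's function. Written for Windows PowerShell 5.1 and PowerShell 7.
function New-CsprngPassword {
    param([ValidateRange(16, 64)][int]$Length = 24)

    # Constructed alphabet: look-alike characters (0/O, 1/l/I) left out.
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-_='.ToCharArray()

    # Bytes at or above $limit are discarded so that every character is
    # equally likely (a plain "byte % count" can favour the first characters
    # when the alphabet size does not divide 256).
    $limit = 256 - (256 % $chars.Length)

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    try {
        do {
            $sb = New-Object System.Text.StringBuilder
            while ($sb.Length -lt $Length) {
                $rng.GetBytes($buf)   # OS CSPRNG: no clock, no seed
                if ($buf[0] -lt $limit) {
                    [void]$sb.Append($chars[$buf[0] % $chars.Length])
                }
            }
            $password = $sb.ToString()
            # Regenerate the whole string if a character class is missing,
            # so the result meets character-class complexity requirements.
        } until ($password -cmatch '[A-Z]' -and $password -cmatch '[a-z]' -and
                 $password -cmatch '[0-9]' -and $password -cmatch '[^A-Za-z0-9]')
    }
    finally {
        $rng.Dispose()
    }
    $password
}

New-CsprngPassword -Length 24
```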

Exploitation

A network attacker can exploit this vulnerability by estimating the Virtual Machine's boot time. This estimation allows them to reconstruct a small candidate list of possible Administrator passwords, which can then be used to recover the actual password. No specific authentication or user interaction is required for exploitation [1].

Impact

Successful exploitation allows a network attacker to recover the local Administrator password for the affected Windows VM. This bypasses a critical hardening control designed to secure the Administrator account, potentially leading to unauthorized access and control over the system with administrative privileges [1].

Mitigation

Users are strongly encouraged to upgrade to windows-utilities-release v0.23.0 or later. This version addresses the predictable randomness issue. No other workarounds are mentioned in the available references. The vulnerability was initially reported on June 1, 2026 [1].

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
