Overview
CVE-2026-47831 is a cryptographic weakness in the GenerateRandomPassword function within bosh-windows-stemcell-builder, the toolchain used to build BOSH Windows stemcells for Cloud Foundry deployments. The function relies on a cryptographically weak pseudo-random number generator (PRNG), making generated passwords statistically predictable to a remote attacker.
This vulnerability carries a CVSS score of 7.5 (High), reflecting the ease of remote exploitation and the sensitivity of the credentials being generated.
Technical Details
Root Cause
The GenerateRandomPassword function uses a non-cryptographic PRNG seeded with a low-entropy source (typically system time or a similarly predictable value). Cryptographic operations — particularly password generation — must use a cryptographically secure random number generator (CSPRNG) such as crypto/rand in Go or equivalent OS-level entropy sources.
When a weak PRNG is used:
- The seed space is small and often predictable
- An attacker who knows or can estimate the seed (e.g., from a known deployment timestamp) can reconstruct the generated password sequence
- This makes brute-force infeasible only in theory — in practice, the effective keyspace is drastically reduced
Attack Vector
| Attribute | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | None |
| Availability Impact | None |
| CVSS Score | 7.5 (High) |
An unauthenticated remote attacker could enumerate likely passwords generated during a known deployment window, potentially gaining unauthorized access to stemcell-managed Windows instances.
Affected Components
- Product: bosh-windows-stemcell-builder
- Function:
GenerateRandomPassword - Language: Go
- Ecosystem: Cloud Foundry / BOSH
BOSH stemcells are OS images used to deploy VMs in Cloud Foundry environments. Windows stemcells are particularly common in hybrid enterprise deployments running .NET workloads.
Impact
If exploited, an attacker could:
- Predict the Windows administrator password generated during stemcell initialization
- Gain unauthorized remote access to deployed VM instances
- Pivot to internal Cloud Foundry networks and connected services
- Exfiltrate data from workloads running on compromised VMs
The severity is amplified in multi-tenant PaaS environments where a single compromised stemcell could affect many tenant workloads.
Mitigation
- Update immediately: Apply the patched version of bosh-windows-stemcell-builder when available from the Cloud Foundry Foundation / BOSH maintainers.
- Rotate credentials: If Windows stemcells were deployed using vulnerable versions, rotate all auto-generated administrator passwords immediately.
- Audit deployments: Review stemcell deployment logs for any unauthorized access attempts around the deployment timestamp windows.
- Replace with CSPRNG: Developers of similar tooling should use
crypto/rand(Go) or equivalent OS entropy sources for any security-sensitive random value generation.