BOSH Windows Stemcell Builder SYSTEM Privilege Escalation Vulnerability
Incorrect Permission Assignment in BOSH.Utils.psm1 in BOSH-Ecosystem bosh-windows-stemcell-builder allows low-privilege authenticated users to overwrite C:\bosh\service_wrapper.exe or C:\bosh\bosh-agent.exe and gain NT AUTHORITY\SYSTEM on the next service restart or reboot. This can lead to full host control. Affected versions: bosh-windows-stemcell-builder versions prior to v2019.98.
Quick answer
Cloud Foundry Foundation bosh-windows-stemcell-builder should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- bosh-windows-stemcell-builder versions prior to v2019.98
Fixed versions
- v2019.98
How to fix it
BOSH Windows Stemcell Builder before v2019.98 set unsafe permissions on BOSH agent service files, allowing a low-privilege local user to replace service executables and gain SYSTEM execution after restart. Upgrade the builder, rebuild and redeploy Windows stemcells, and inspect affected hosts for tampered BOSH binaries.
- Inventory deployed Windows stemcells built with bosh-windows-stemcell-builder before v2019.98.
- Upgrade bosh-windows-stemcell-builder to v2019.98 or later in every stemcell build pipeline.
- Rebuild affected Windows stemcells and redeploy BOSH-managed Windows VMs from the rebuilt artifacts.
- Inspect C:\bosh\service_wrapper.exe, C:\bosh\bosh-agent.exe, and related service paths for unexpected ownership, permissions, or file hashes.
- Reset permissions on BOSH agent service files so unprivileged users cannot replace service executables.
- Audit local users, RDP access, service restart events, and endpoint telemetry for signs of privilege escalation.
- Rotate local administrator, BOSH agent, and deployment credentials if binary tampering or unauthorized local access is found.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm the builder version is v2019.98 or later and affected VMs use rebuilt stemcells.
- Validate non-administrator users cannot modify BOSH agent executable paths or service wrapper files.
- Compare BOSH agent binary hashes against trusted rebuilt images.
- Review Windows event logs for suspicious service replacement or SYSTEM process launches.
- Run a Fixnx scan and confirm Windows management ports are not publicly exposed.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-47830?
Cloud Foundry Foundation bosh-windows-stemcell-builder versions listed as affected should be reviewed: bosh-windows-stemcell-builder versions prior to v2019.98.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
