highCVE-2026-47830

BOSH Windows Stemcell Builder SYSTEM Privilege Escalation Vulnerability

Incorrect Permission Assignment in BOSH.Utils.psm1 in BOSH-Ecosystem bosh-windows-stemcell-builder allows low-privilege authenticated users to overwrite C:\bosh\service_wrapper.exe or C:\bosh\bosh-agent.exe and gain NT AUTHORITY\SYSTEM on the next service restart or reboot. This can lead to full host control. Affected versions: bosh-windows-stemcell-builder versions prior to v2019.98.

Productbosh-windows-stemcell-builder
CVSS8.5
EPSS0.001
UpdatedJuly 10, 2026

Quick answer

Cloud Foundry Foundation bosh-windows-stemcell-builder should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • bosh-windows-stemcell-builder versions prior to v2019.98

Fixed versions

  • v2019.98

How to fix it

BOSH Windows Stemcell Builder before v2019.98 set unsafe permissions on BOSH agent service files, allowing a low-privilege local user to replace service executables and gain SYSTEM execution after restart. Upgrade the builder, rebuild and redeploy Windows stemcells, and inspect affected hosts for tampered BOSH binaries.

  1. Inventory deployed Windows stemcells built with bosh-windows-stemcell-builder before v2019.98.
  2. Upgrade bosh-windows-stemcell-builder to v2019.98 or later in every stemcell build pipeline.
  3. Rebuild affected Windows stemcells and redeploy BOSH-managed Windows VMs from the rebuilt artifacts.
  4. Inspect C:\bosh\service_wrapper.exe, C:\bosh\bosh-agent.exe, and related service paths for unexpected ownership, permissions, or file hashes.
  5. Reset permissions on BOSH agent service files so unprivileged users cannot replace service executables.
  6. Audit local users, RDP access, service restart events, and endpoint telemetry for signs of privilege escalation.
  7. Rotate local administrator, BOSH agent, and deployment credentials if binary tampering or unauthorized local access is found.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm the builder version is v2019.98 or later and affected VMs use rebuilt stemcells.
  • Validate non-administrator users cannot modify BOSH agent executable paths or service wrapper files.
  • Compare BOSH agent binary hashes against trusted rebuilt images.
  • Review Windows event logs for suspicious service replacement or SYSTEM process launches.
  • Run a Fixnx scan and confirm Windows management ports are not publicly exposed.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-47830?

Cloud Foundry Foundation bosh-windows-stemcell-builder versions listed as affected should be reviewed: bosh-windows-stemcell-builder versions prior to v2019.98.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.