highCVE-2026-47831

BOSH Windows Stemcell Builder Weak Random Password Vulnerability

Use of a cryptographically weak random number generator in the GenerateRandomPassword function in bosh-windows-stemcell-builder allows a remote attacker to brute-force the resulting SSH login via TCP/22. Affected versions: bosh-windows-stemcell-builder versions prior to v2019.98.

Productbosh-windows-stemcell-builder
CVSS7.7
EPSS0.00191
UpdatedJuly 10, 2026

Quick answer

Cloud Foundry Foundation bosh-windows-stemcell-builder should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • bosh-windows-stemcell-builder versions prior to v2019.98

Fixed versions

  • v2019.98

How to fix it

BOSH Windows Stemcell Builder before v2019.98 used weak randomness when generating local SSH passwords. Upgrade the builder, rebuild affected Windows stemcells, rotate generated credentials, and treat any exposed or long-lived stemcell access as potentially compromised.

  1. Inventory BOSH Windows stemcell build pipelines and identify builds produced with bosh-windows-stemcell-builder before v2019.98.
  2. Upgrade bosh-windows-stemcell-builder to v2019.98 or a later vendor-supported release.
  3. Rebuild Windows stemcells from trusted sources after the upgraded builder is in place.
  4. Rotate generated local SSH passwords, deployment credentials, BOSH credentials, and any secrets embedded in affected stemcells.
  5. Replace deployed VMs that were created from affected Windows stemcells instead of only changing the builder going forward.
  6. Restrict SSH access to Windows stemcell instances to trusted management networks while remediation is in progress.
  7. Review authentication logs for password guessing, unexpected SSH access, or repeated failed login attempts against affected VMs.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm the active stemcell build pipeline uses bosh-windows-stemcell-builder v2019.98 or later.
  • Confirm affected stemcells were rebuilt and redeployed rather than reused.
  • Verify old generated SSH passwords no longer authenticate to Windows stemcell instances.
  • Review BOSH deployment and VM access logs for suspicious access during the vulnerable period.
  • Run a Fixnx scan and confirm exposed management surfaces are not reachable from the public internet.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-47831?

Cloud Foundry Foundation bosh-windows-stemcell-builder versions listed as affected should be reviewed: bosh-windows-stemcell-builder versions prior to v2019.98.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.