CVE-2026-47830 in bosh-windows-stemcell-builder
Summary
by MITRE • 07/09/2026
Incorrect Permission Assignment in BOSH.Utils.psm1 in BOSH-Ecosystem bosh-windows-stemcell-builder allows low-privilege authenticated users to overwrite C:\bosh\service_wrapper.exe or C:\bosh\bosh-agent.exe and gain NT AUTHORITY\SYSTEM on the next service restart or reboot. This can lead to full host control. Affected versions: bosh-windows-stemcell-builder versions prior to v2019.98.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/09/2026
The vulnerability identified in BOSH.Utils.psm1 within the BOSH-Ecosystem bosh-windows-stemcell-builder represents a critical privilege escalation flaw that stems from improper permission assignment during the Windows stemcell building process. This issue affects versions prior to v2019.98 and creates a significant security risk by allowing low-privileged authenticated users to manipulate critical system executables. The vulnerability manifests through the insecure handling of file permissions in the PowerShell module responsible for managing BOSH agent services on Windows systems.
The technical flaw resides in the incorrect assignment of file permissions within the BOSH.Utils.psm1 script, specifically affecting the C:\bosh\service_wrapper.exe and C:\bosh\bosh-agent.exe paths. The module fails to properly validate or enforce access controls when creating or modifying these critical service executables, enabling authenticated users with minimal privileges to overwrite these files. This misconfiguration creates a path traversal vulnerability that directly violates the principle of least privilege, allowing attackers to escalate their privileges from standard user level to NT AUTHORITY\SYSTEM level through simple file replacement operations.
The operational impact of this vulnerability is severe and far-reaching within Windows environments utilizing BOSH stemcell builders. When an attacker successfully overwrites either the service_wrapper.exe or bosh-agent.exe files, they can execute arbitrary code with system-level privileges upon the next service restart or system reboot. This persistence mechanism provides attackers with complete control over the compromised host, enabling them to establish backdoors, exfiltrate data, modify system configurations, or deploy additional malicious payloads. The vulnerability essentially transforms a low-privilege user account into a full system administrator with unrestricted access to all system resources.
The security implications extend beyond immediate privilege escalation to encompass broader compliance and risk management concerns within enterprise environments. This vulnerability directly maps to CWE-276 which addresses incorrect permission assignment, and aligns with ATT&CK technique T1068 for local privilege escalation through service manipulation. Organizations using affected versions of the bosh-windows-stemcell-builder are particularly vulnerable during the stemcell creation process, as these tools typically run with elevated privileges to perform system modifications. The vulnerability demonstrates poor security hygiene in automated build processes and highlights the critical importance of proper file permission management in system administration scripts.
Organizations should immediately implement mitigations including updating to bosh-windows-stemcell-builder version v2019.98 or later, which addresses this specific permission assignment flaw. System administrators should also conduct thorough audits of existing stemcell build environments to identify and remediate any manually created or modified versions that may still contain the vulnerable script. Additional protective measures include implementing strict file permission controls on the C:\bosh directory structure, monitoring for unauthorized file modifications to critical system executables, and ensuring that build processes run with minimal required privileges rather than elevated accounts. The vulnerability underscores the necessity of security testing during the development lifecycle of infrastructure automation tools and emphasizes the importance of proper access control implementation in enterprise security frameworks.