Incorrect Permission Assignment in BOSH.Utils.psm1 in BOSH-Ecosystem bosh-windows-stemcell-builder allows low-privilege authenticated users to overwrite C:\bosh\service_wrapper.exe or C:\bosh\bosh-agent.exe and gain NT AUTHORITY\SYSTEM on the next service restart or reboot. This can lead to full host control. Affected versions: bosh-windows-stemcell-builder versions prior to v2019.98.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-47830 represents a critical privilege escalation vulnerability in the BOSH Windows stemcell builder, where incorrect permission assignments on sensitive executable files allow low-privileged authenticated users to overwrite critical system binaries. Specifically, the vulnerability resides in BOSH.Utils.psm1, which fails to properly restrict write access to C:\bosh\service_wrapper.exe and C:\bosh\bosh-agent.exe. When these files are replaced with malicious payloads, the attacker gains NT AUTHORITY\SYSTEM privileges upon the next service restart or system reboot. This impacts organizations using BOSH for infrastructure automation, particularly those deploying Windows-based virtual machines in cloud environments. The vulnerability is especially severe because it requires only low-privilege authenticated access, making it a natural stepping stone in multi-stage attacks targeting cloud infrastructure, containerized environments, or hybrid deployments where BOSH is used for stemcell generation.
While this CVE currently maps to zero MITRE ATT&CK techniques in standard taxonomies, Casky's extended reasoning capabilities would identify the underlying attack patterns as Privilege Escalation (T1548), File and Directory Permissions Modification (T1222.001), and Service Execution (T1569.002). A practitioner using Casky would observe detection findings highlighting insecure file permissions on system executables, unauthorized file write attempts to protected directories, and suspicious service restart patterns coinciding with binary modifications. Casky's Claude-powered analysis would correlate these indicators across your 754 mapped security skills, surfacing the precise permission assignment errors in PowerShell modules and recommending defensive controls such as file integrity monitoring, principle of least privilege enforcement on service accounts, and code review processes for infrastructure-as-code templates. The platform would help teams trace exploitation chains and implement compensating controls even where CVE details remain sparse or technique mappings incomplete.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-47830. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation