CVE-2026-41860 · CWE-326 in BOSH

01 · The Real Story

This is a master-key left under the floorboard of the control room, not on the front door

CVE-2026-41860 is a TLS verification failure in BOSH bosh-monitor where HttpRequestHelper#create_async_endpoint and #send_http_get_request_synchronous hard-code OpenSSL::SSL::VERIFY_NONE. Per the vendor advisory and NVD, every BOSH release before v282.1.9 is affected. The practical result is that an attacker who can position themselves for a man-in-the-middle between bosh-monitor and the Director or UAA can intercept Basic-auth credentials or redirect token requests.

The vendor's HIGH label is too generous for enterprise patch triage because the exploit chain starts with *local or management-network foothold*, not unauthenticated internet reachability. The impact after compromise is serious because stolen Director or UAA credentials can hand an attacker the keys to the BOSH management plane, but the decisive reality is the attacker must already be on or adjacent to a tightly scoped internal control path that many shops never expose publicly.

"High impact if you already touched the BOSH control plane, but the path starts well past initial access."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Gain a control-plane foothold

The attacker first needs execution on the Director VM, a nearby management host, or a routable position on the BOSH management network. Common operator tooling here would be ssh, socat, or a post-compromise implant already present on an admin box or Director-adjacent system. This is not an internet-first bug; it begins after some level of internal access exists.

Conditions required:

Access to the BOSH Director VM or adjacent management network
Reachability to Director/UAA traffic paths
A BOSH deployment running a vulnerable release earlier than v282.1.9

Where this breaks in practice:

Most enterprises isolate BOSH management networks from user and app subnets
Many deployments keep the Director on private addressing only
This prerequisite already implies prior compromise or privileged insider position

Detection/coverage: Exposure scanners are weak here; the best signal is asset inventory plus Director version detection. EDR and bastion logs should show unusual shell access on Director-adjacent hosts.

STEP 02

Insert a man-in-the-middle

Because bosh-monitor accepts TLS without certificate verification, the attacker can present a rogue certificate and proxy the connection with tools like mitmproxy, bettercap, or ettercap. The flaw removes the hardest part of the interception: the monitor will not reject the bogus peer certificate. The attacker still has to win the network position race and keep traffic flowing cleanly enough not to break health monitoring.

Conditions required:

Ability to intercept or redirect traffic between bosh-monitor and Director or UAA
Traffic not already pinned or protected by network architecture outside the app layer

Where this breaks in practice:

UAA is commonly colocated with the Director, which can collapse the MITM window to the same VM or same tightly controlled path
ARP spoofing and route manipulation are noisy on well-monitored management segments
A failed proxy can create obvious operational issues in health monitoring

Detection/coverage: Look for rogue listeners, unexpected TLS issuers on Director/UAA sessions, ARP churn, or proxy processes on Director-adjacent systems. Traditional vuln scanners usually will not prove exploitability.

STEP 03

Capture credentials or redirect token flow

Once in the path, the attacker can harvest Basic-auth credentials or tamper with UAA token requests and responses. In practical terms, this is credential theft against BOSH's management fabric, not mere passive eavesdropping. The operator-grade toolset here is straightforward: mitmproxy for interception and curl or the bosh CLI for replay once credentials are obtained.

Conditions required:

Successful live interception of monitor traffic
Monitor traffic carrying usable auth material or token exchanges

Where this breaks in practice:

The captured material still has to map to privileged Director or UAA actions
Operational credentials may be rotated or scoped
Session misuse may generate audit events in UAA or Director logs

Detection/coverage: Audit Director and UAA authentication events for unusual client IPs, repeated token requests, or new API activity following monitor-side anomalies.

STEP 04

Pivot into BOSH administration

With valid credentials, the attacker can target the Director API and potentially control deployments, credentials, resurrection behavior, or VM lifecycle actions across the estate. At that point the blast radius is real because BOSH is a control-plane orchestrator, not a leaf service. This is where the impact becomes severe, but only after all prior narrowing assumptions have already been satisfied.

Conditions required:

Captured credentials are accepted by Director or UAA
The account or token has meaningful permissions

Where this breaks in practice:

Role scoping in UAA can limit what stolen tokens actually buy
Admin actions on BOSH are auditable and often operationally conspicuous
This is still constrained to environments using BOSH as a management plane

Detection/coverage: BOSH task history, UAA audit logs, and admin API telemetry should show new targets, task creation, deployment changes, or token abuse.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public evidence of active exploitation found in the reviewed primary sources as of 2026-06-03/2026-06-04.
KEV status	Not listed in the CISA Known Exploited Vulnerabilities Catalog at review time.
Proof-of-concept availability	No public PoC or exploit repo was surfaced in GitHub-indexed search results tied to this CVE. Expect a PoC to be trivial for anyone already on the management network because standard tools like `mitmproxy` or `bettercap` are sufficient.
EPSS	No CVE-specific EPSS value was located in reviewed public results at assessment time; this record appears newly published, so EPSS may lag initial CNA publication.
CVSS vector meaning	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` says local, low-privileged, no user interaction with scope change and high downstream impact. That technical impact is fair, but the `AV:L` and management-plane positioning requirement are the real severity brakes.
Affected versions	Vendor states all BOSH versions before `v282.1.9` are affected.
Fixed version	Upgrade to `v282.1.9` or later. No vendor-published distro backport mapping was found in the reviewed sources.
Exposure model	BOSH documentation shows internal naming such as `default.director.bosh-internal` and `default.hm.bosh-internal`, and UAA is commonly colocated with the Director. That makes this an internal control-plane traffic issue, not an internet spray-and-pray edge bug.
Public exposure clues	Broadcom troubleshooting material shows typical Director access on private RFC1918 addressing and port `25555`. Internet scan telemetry is largely beside the point here because exploitation hinges on internal MITM positioning rather than anonymous remote reachability.
Disclosure timeline / credit	Cloud Foundry advisory published 2026-06-01; NVD published 2026-06-03. The vendor advisory lists no researcher credit.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.6/10)

The single biggest severity brake is that exploitation starts with local or management-network attacker position, which means this is already a post-initial-access problem. The control-plane blast radius is real once credentials are stolen, but the reachable population is narrow compared with true edge-facing remote bugs.

HIGH Affected version range and fixed version

HIGH Exploit chain requires internal/local positioning rather than anonymous remote access

MEDIUM Practical ease of credential interception in varied BOSH topologies

Why this verdict

Start from vendor HIGH, then cut for attacker position: AV:L is not a paper detail here; it means the attacker already has code execution or a very favorable management-network foothold.
Cut again for implied prior compromise: a requirement to MITM bosh-monitor toward Director/UAA is not initial access, it's lateral movement or insider positioning on the control plane.
Cut again for exposed population: BOSH Directors and their UAA/control links are typically private, administratively fenced, and often colocated, so the reachable set is much smaller than generic enterprise software.
Do not cut to LOW: if the attacker does win this position, stolen Director or UAA credentials can translate into serious control-plane impact across many managed VMs and deployments.

Why not higher?

This is not an unauthenticated internet RCE, not a one-packet bug, and not a broadly exposed service issue. The exploit chain assumes a prior foothold plus a workable MITM position on a management path that many environments keep private and tightly segmented.

Why not lower?

The downstream blast radius is too large for LOW once valid Director or UAA credentials are captured. BOSH sits in the orchestration layer, so a successful interception can become estate-wide operational compromise, not just a single-host nuisance.

05 · Compensating Control

What to do — in priority order.

Isolate the BOSH management plane — Restrict Director, UAA, and health-monitor traffic to dedicated management networks and bastions only. For a MEDIUM verdict there is no mitigation SLA, but this is the most effective structural control to apply during normal hardening because it directly removes the attacker positioning assumption.
Tighten Director host access — Review who can SSH to Director-adjacent systems, remove stale admin paths, and enforce short-lived access via bastions. There is no mitigation SLA for MEDIUM, but reducing local shell access materially cuts the realistic exploit population.
Watch for MITM indicators on management segments — Alert on ARP spoofing, rogue proxies, unexpected TLS issuers, and unusual listeners on Director/UAA-related ports. There is no mitigation SLA for MEDIUM, but this provides the best chance to catch the preconditions before credential theft.
Audit BOSH and UAA auth activity — Review Director task creation, new CLI targets, token issuance anomalies, and admin API use from unusual source IPs. Again, no mitigation SLA for MEDIUM; treat this as a targeted detection uplift while patching is scheduled.

What doesn't work

A WAF does not help because this is not an HTTP edge attack against a public app.
Internet perimeter blocking alone does not help because the exploit path is inside the management plane.
Relying on the BOSH CLI --ca-cert behavior does not help because the flaw is in bosh-monitor's own TLS verification path, not the operator CLI.

06 · Verification

Crowdsourced verification payload.

Run this on the BOSH Director VM itself as root or via sudo, because it reads /var/vcap/jobs and may grep package contents. Example: sudo bash ./check-cve-2026-41860.sh. It first tries to read the deployed BOSH release version from the rendered job spec; if that is unavailable, it falls back to code inspection for the vulnerable VERIFY_NONE pattern.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-cve-2026-41860.sh
# Detects likely exposure to CVE-2026-41860 on a BOSH Director VM.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

TARGET_VERSION="282.1.9"
SPEC_CANDIDATES=(
  "/var/vcap/jobs/health_monitor/spec"
  "/var/vcap/jobs/director/spec"
)
SEARCH_DIRS=(
  "/var/vcap/packages"
  "/var/vcap/jobs"
)

version_lt() {
  # returns 0 if $1 < $2
  [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" != "$2" ]
}

extract_version_from_spec() {
  local spec="$1"
  local v=""

  [ -r "$spec" ] || return 1

  # Try YAML-ish forms first: release:\n  version: X or release.version: X
  v=$(awk '
    BEGIN{in_release=0}
    /^[[:space:]]*release:[[:space:]]*$/ {in_release=1; next}
    in_release && /^[[:space:]]*version:[[:space:]]*/ {
      sub(/^[[:space:]]*version:[[:space:]]*/, "", $0)
      gsub(/"/, "", $0)
      print $0
      exit
    }
    /^[^[:space:]]/ && $0 !~ /^release:[[:space:]]*$/ {in_release=0}
    /^[[:space:]]*release\.version:[[:space:]]*/ {
      sub(/^[[:space:]]*release\.version:[[:space:]]*/, "", $0)
      gsub(/"/, "", $0)
      print $0
      exit
    }
  ' "$spec")

  if [ -n "$v" ]; then
    printf '%s' "$v"
    return 0
  fi

  # Try JSON-ish single-line patterns if present
  v=$(grep -Eo '"version"[[:space:]]*:[[:space:]]*"[0-9][0-9A-Za-z._-]*"' "$spec" 2>/dev/null | head -n1 | sed -E 's/.*"([0-9][0-9A-Za-z._-]*)"/\1/')
  if [ -n "$v" ]; then
    printf '%s' "$v"
    return 0
  fi

  return 1
}

for spec in "${SPEC_CANDIDATES[@]}"; do
  if v=$(extract_version_from_spec "$spec"); then
    if version_lt "$v" "$TARGET_VERSION"; then
      echo "VULNERABLE: BOSH release version $v is older than $TARGET_VERSION"
      exit 1
    else
      echo "PATCHED: BOSH release version $v is $TARGET_VERSION or newer"
      exit 0
    fi
  fi
done

# Fallback: inspect deployed code for the vulnerable pattern.
# This is heuristic, so we only declare VULNERABLE if we find both the helper names
# and VERIFY_NONE in plausible BOSH package/job content.
if grep -R -E -n 'HttpRequestHelper|create_async_endpoint|send_http_get_request_synchronous|OpenSSL::SSL::VERIFY_NONE' "${SEARCH_DIRS[@]}" 2>/dev/null | grep -q 'VERIFY_NONE'; then
  echo "VULNERABLE: found deployed BOSH code referencing OpenSSL::SSL::VERIFY_NONE in relevant paths"
  exit 1
fi

echo "UNKNOWN: could not determine deployed BOSH release version and no decisive code pattern was found"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, treat this as a control-plane hardening and patch scheduling item, not a paging incident. Because the reassessed verdict is MEDIUM and there is no KEV or active exploitation evidence, there is no noisgate mitigation SLA — go straight to the 365-day remediation window; inventory all BOSH Directors now, verify which are below v282.1.9, and fold the upgrade into your normal management-plane maintenance so the vendor patch is completed within the noisgate remediation SLA of 365 days. If your Director/UAA networks are unusually broad or shared with less-trusted admin zones, pull that subset forward ahead of the rest.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.