CVE-2026-9862

Summary

Fortra's  Core Privileged Access Manager (BoKS) contains an OS command injection vulnerability in the boks_autoregisterd service. A remote attacker with network access to the service may be able to cause commands to be executed with the privileges of the service during the autoregistration processing.

Affected Software

VendorProductVersion RangeStatus
FortraCore Privileged Access Manager (BoKS)boks-server 8.1.0.0 <= boks-server 8.1.0.22affected
FortraCore Privileged Access Manager (BoKS)boks-server 9.0.0.0 <= boks-server 9.0.0.4affected

Weaknesses

  • CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Workarounds

Restrict network access to boks_autoregisterd, which listens on port 6507 by default, until fixed builds are deployed. 

Another workaround for both boks-server 8.1 and 9.0 is to disable the service in the boksinit configuration. On the BoKS Master, edit

$BOKS_var/internal/boksinit/master 

and comment out the line 

autoregisterd:300:1:0:respawn::$BOKS_lib/boks_autoregisterd -xn 

by prefixing it with 

#

then make boks_init reread the file, for example by running 

kill -HUP $(cat $BOKS_var/run/boks_init)

or restart BoKS. This stops boks_autoregisterd and prevents it from being respawned; autoregistration is unavailable until the row is restored.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References