CVE-2026-9863

Summary

Fortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch tooling for legacy tar-based client installations. A malicious or compromised legacy tar-installed client selected for upgrade or patching may be able to cause commands to be executed on the BoKS Master during client version handling.

Affected Software

VendorProductVersion RangeStatus
FortraCore Privileged Access Manager (BoKS)boks-server 8.1.0.0 <= boks-server 8.1.0.22affected
FortraCore Privileged Access Manager (BoKS)boks-server 9.0.0.0 <= boks-server 9.0.0.4affected

Weaknesses

  • CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Workarounds

Until fixed builds are deployed, only run BoKS client upgrade or patch operations for legacy tar-based client installations against trusted clients. Avoid running boks_upgrade upgrade or patch operations for legacy tar-installed clients that may be compromised or controlled by an untrusted party.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References