CVE-2026-9862 PUBLISHED

Core Privileged Access Manager (BoKS) autoregistration service command injection vulnerability

Assigner: Fortra
Reserved: 28.05.2026 Published: 15.06.2026 Updated: 15.06.2026

Fortra's Core Privileged Access Manager (BoKS) contains an OS command injection vulnerability in the boks_autoregisterd service. A remote attacker with network access to the service may be able to cause commands to be executed with the privileges of the service during autoregistration processing.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Product Status

Vendor Fortra
Product Core Privileged Access Manager (BoKS)
Versions Default: unaffected
  • affected from boks-server 8.1.0.0 to boks-server 8.1.0.22 (incl.)
  • affected from boks-server 9.0.0.0 to boks-server 9.0.0.4 (incl.)

Workarounds

Restrict network access to boks_autoregisterd, which listens on port 6507 by default, until fixed builds are deployed.

Another workaround for both boks-server 8.1 and 9.0 is to disable the service in the boksinit configuration. On the BoKS Master, edit

$BOKS_var/internal/boksinit/master

and comment out the line

autoregisterd:300:1:0:respawn::$BOKS_lib/boks_autoregisterd -xn

by prefixing it with a # character, then make boks_init reread the file, for example by running

kill -HUP $(cat $BOKS_var/run/boks_init)

or restart BoKS. This stops boks_autoregisterd and prevents it from being respawned; autoregistration is unavailable until the line is restored.

Solutions

Upgrade to boks-server 8.1.0.23 or 9.0.0.5.

Credits

  • Fortra internal security assessment (finder)

References

Problem Types

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Impacts

  • CAPEC-248 Command Injection