Critical Command Injection Flaw in Fortra’s BoKS Exposes Privileged Access Systems
Fortra has disclosed a critical security vulnerability (CVE-2026-9862) in its Core Privileged Access Manager (BoKS), allowing unauthenticated remote attackers to execute arbitrary commands on affected systems. The flaw, rated CVSS 9.8, stems from an OS command injection (CWE-78) weakness in the boks_autoregisterd service, which handles host autoregistration in the privileged access management environment.
The vulnerability arises from improper input neutralization during the autoregistration process, enabling attackers to craft malicious requests that inject commands. The service listens on TCP port 6507 by default, making it accessible over the network in many deployments. Exploitation requires no user interaction or prior privileges, granting attackers the ability to execute commands with the service’s permissions potentially leading to full system compromise, data manipulation, or lateral movement across networks.
Fortra identified the issue on May 27, 2026, and publicly disclosed it on June 15, 2026, via advisory FI-2026-007. While patches are pending, the company recommends temporary mitigations, including:
- Restricting network access to boks_autoregisterd via firewall rules or segmentation.
- Disabling the service entirely by modifying the boksinit configuration file on the BoKS Master system and restarting the service.
Security teams are advised to monitor for suspicious activity on port 6507, such as unexpected command execution or anomalous traffic. The flaw highlights risks posed by exposed management services and underscores the need for robust input validation in secure coding practices.
Source: https://cybersecuritynews.com/fortra-access-manager-vulnerability/
Fortra cybersecurity rating report: https://www.rankiteo.com/company/fortra
"id": "FOR1781699072",
"linkid": "fortra",
"type": "Vulnerability",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'industry': 'Cybersecurity',
'name': 'Fortra',
'type': 'Company'}],
'attack_vector': 'Network',
'date_detected': '2026-05-27',
'date_publicly_disclosed': '2026-06-15',
'description': 'Fortra has disclosed a critical security vulnerability '
'(CVE-2026-9862) in its Core Privileged Access Manager (BoKS), '
'allowing unauthenticated remote attackers to execute '
'arbitrary commands on affected systems. The flaw, rated CVSS '
'9.8, stems from an OS command injection (CWE-78) weakness in '
'the boks_autoregisterd service, which handles host '
'autoregistration in the privileged access management '
'environment. The vulnerability arises from improper input '
'neutralization during the autoregistration process, enabling '
'attackers to craft malicious requests that inject commands. '
'The service listens on TCP port 6507 by default, making it '
'accessible over the network in many deployments. Exploitation '
'requires no user interaction or prior privileges, granting '
'attackers the ability to execute commands with the service’s '
'permissions potentially leading to full system compromise, '
'data manipulation, or lateral movement across networks.',
'impact': {'operational_impact': 'Full system compromise, data manipulation, '
'lateral movement',
'systems_affected': 'Privileged Access Management (BoKS)'},
'lessons_learned': 'Highlights risks posed by exposed management services and '
'underscores the need for robust input validation in '
'secure coding practices',
'post_incident_analysis': {'corrective_actions': 'Input validation '
'improvements; patch '
'development',
'root_causes': 'Improper input neutralization in '
'boks_autoregisterd service'},
'recommendations': 'Apply patches when available; implement network '
'segmentation; monitor port 6507 for suspicious activity; '
'disable boks_autoregisterd if not required',
'references': [{'source': 'Fortra Advisory'}],
'response': {'communication_strategy': 'Public disclosure via advisory '
'FI-2026-007',
'containment_measures': 'Restrict network access to '
'boks_autoregisterd via firewall rules '
'or segmentation; disable the service by '
'modifying the boksinit configuration '
'file on the BoKS Master system and '
'restarting the service',
'enhanced_monitoring': 'Monitor for suspicious activity on port '
'6507',
'network_segmentation': 'Recommended as mitigation',
'remediation_measures': 'Patches pending'},
'title': 'Critical Command Injection Flaw in Fortra’s BoKS Exposes Privileged '
'Access Systems',
'type': 'Command Injection',
'vulnerability_exploited': 'CVE-2026-9862 (OS Command Injection - CWE-78)'}