Core Privileged Access Manager (BoKS) autoregistration service command injection vulnerability

FI-2026-007 - Core Privileged Access Manager (BoKS) autoregistration service command injection vulnerability

Severity
Critical
Published Date
15-Jun-2026
Updated Date
15-Jun-2026
Vulnerabilities
CVE-2026-9862
 
Notes
Description

Fortra's  Core Privileged Access Manager (BoKS) contains an OS command injection vulnerability in the boks_autoregisterd service. A remote attacker with network access to the service may be able to cause commands to be executed with the privileges of the service during the autoregistration processing.

 

Vulnerabilities

 
Core Privileged Access Manager (BoKS) autoregistration service command injection vulnerability
Severity
Critical
CVE
CVE-2026-9862
CWE
CWE-78:Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Discovery Date
27-May-2026
CSSv3.1
9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/I:H/A:H)
Affected Products
Vulnerability Notes
Remediation: Workaround

Restrict network access to boks_autoregisterd, which listens on port 6507 by default, until fixed builds are deployed. 

Another workaround for both boks-server 8.1 and 9.0 is to disable the service in the boksinit configuration. On the BoKS Master, edit

$BOKS_var/internal/boksinit/master 

and comment out the line 

`autoregisterd:300:1:0:respawn::$BOKS_lib/boks_autoregisterd -xn` 

by prefixing it with 

`#`; 

then make boks_init reread the file, for example by running 

`kill -HUP $(cat $BOKS_var/run/boks_init)`, 

or restart BoKS. This stops boks_autoregisterd and prevents it from being respawned; autoregistration is unavailable until the row is restored.

 
References