FI-2026-008 - Core Privileged Access Manager (BoKS) upgrade tooling command injection vulnerability

Severity
High
Published Date
15-Jun-2026
Updated Date
15-Jun-2026
Vulnerabilities
CVE-2026-9863
Notes
Description

Fortra BoKS Manager contains an OS command injection vulnerability (CWE-78) in the client upgrade and patch tooling used for legacy tar-based client installations. When the BoKS Master upgrades or patches such a client, it handles version information reported by that client; a malicious or compromised legacy tar-installed client that has been selected for the operation can supply crafted data that causes commands to be executed on the BoKS Master. The trust boundary crossed runs from a managed client to the Master: an attacker who already controls one legacy client can turn an administrator's routine upgrade or patch run into command execution on the host that administers the rest of the BoKS environment.
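To make the weakness class concrete, the following is an added Python illustration written for this page; it is not BoKS or boks_upgrade code and does not show how CVE-2026-9863 works internally. It assumes a hypothetical version-handling step that extracts the major version from a client-reported string, shows it once with the string interpolated into a shell command line (the CWE-78 pattern) and then in two hardened forms: invoking the helper with an argv list and stdin so that no shell ever parses the data, and validating the string against an allow-list and doing the comparison in Python with no external command at all. The version strings, the marker-file payload and the `cut` invocation are constructed for the example, and the block assumes a Unix-like host with `/bin/sh` and `cut` available.

```python
"""CWE-78 in a client-version handling step: an added example for this page.
It is NOT BoKS or boks_upgrade code and makes no claim about the advisory's
internal flaw; it shows the weakness class the advisory names (untrusted
client-supplied data reaching a shell) next to two hardened forms."""

import os
import re
import subprocess
import tempfile

# Constructed inputs, not taken from the advisory. The "malicious" version
# string carries a command substitution whose only side effect is creating a
# marker file, so the injection is observable without doing anything harmful.
WORKDIR = tempfile.mkdtemp(prefix="cwe78-demo-")
MARKER = os.path.join(WORKDIR, "injected")
BENIGN_VERSION = "7.2.1"
MALICIOUS_VERSION = f"$(touch {MARKER})7.2.1"

# Strict allow-list for what a version string may look like: one to four
# dot-separated decimal fields. Anything else is rejected before use.
VERSION_RE = re.compile(r"[0-9]+(?:\.[0-9]+){0,3}")


def major_version_vulnerable(reported: str) -> int:
    """Hypothetical vulnerable pattern: the client-reported string is
    interpolated into a command line that /bin/sh parses, so shell
    metacharacters in `reported` execute on the host running this code.
    The returned value looks normal, which is why this goes unnoticed."""
    cmd = f"echo {reported} | cut -d. -f1"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return int(out.stdout.strip())


def major_version_argv(reported: str) -> str:
    """Hardened form 1: no shell. `cut` is started from an argv list and the
    string is handed to it on stdin, so nothing re-parses it. Metacharacters
    survive as literal text (returned so the caller can see them) but are
    never executed."""
    out = subprocess.run(["cut", "-d.", "-f1"], input=reported,
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def parse_version(reported: str) -> tuple:
    """Hardened form 2: validate against the allow-list and do the work in the
    calling language; a version comparison never needs a shell at all."""
    if not VERSION_RE.fullmatch(reported):
        raise ValueError(f"rejected client version string: {reported!r}")
    return tuple(int(field) for field in reported.split("."))


def needs_upgrade(reported: str, target: str) -> bool:
    """True when the validated client version is older than `target`."""
    return parse_version(reported) < parse_version(target)


def marker_written() -> bool:
    """Whether the constructed payload's side effect has occurred."""
    return os.path.exists(MARKER)


def reset_marker() -> None:
    if os.path.exists(MARKER):
        os.remove(MARKER)


def demo() -> dict:
    """Run all three forms against the constructed payload and report what
    happened; these values are what a test should assert on."""
    reset_marker()
    result = {}
    result["vulnerable_major"] = major_version_vulnerable(MALICIOUS_VERSION)  # 7: looks fine
    result["vulnerable_ran_payload"] = marker_written()                      # True
    reset_marker()
    result["argv_output"] = major_version_argv(MALICIOUS_VERSION)            # literal text
    result["argv_ran_payload"] = marker_written()                            # False
    try:
        parse_version(MALICIOUS_VERSION)
        result["validated_rejected"] = False
    except ValueError:
        result["validated_rejected"] = True                                  # True
    result["benign_needs_upgrade"] = needs_upgrade(BENIGN_VERSION, "7.3.0")  # True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first hardened form is the minimum fix when an external program really must be run: build argv yourself and pass untrusted data as an argument or on stdin, never through a string the shell interprets. The second form is what a version check should actually be: the input is validated against what a version string is allowed to be, and the comparison happens without any process being spawned, which removes the injection surface rather than guarding it.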


Vulnerabilities

Core Privileged Access Manager (BoKS) upgrade tooling command injection vulnerability
Severity
High
CVE
CVE-2026-9863
CWE
CWE-78:Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Discovery Date
27-May-2026
CVSSv3.1
7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
The vector matches the attack path in the description: the attacker needs no privileges on the Master (PR:N) but must already control a legacy tar-installed client and then wait for an administrator to run an upgrade or patch against it (AC:H, UI:R); a successful injection gives full confidentiality, integrity and availability impact on the Master (C:H/I:H/A:H).
Affected Products
Vulnerability Notes
Remediation: Workaround

Until fixed builds are deployed, run boks_upgrade upgrade and patch operations for legacy tar-based client installations only against clients whose integrity you trust. Do not run these operations against a legacy tar-installed client that may be compromised or is controlled by an untrusted party: the upgrade or patch operation itself is what exposes the Master, so the trust decision has to be made for every target before each run, and a client whose state cannot be accounted for should be treated as untrusted.

References