CVE-2026-9862: Core Privileged Access Manager (BoKS) autoregistration service command injection vulnerability
Fortra's Core Privileged Access Manager (BoKS) contains an OS command injection vulnerability in the boks_autoregisterd service. A remote attacker with network access to the service may be able to cause commands to be executed with the privileges of the service during the autoregistration processing.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an OS command injection vulnerability in Fortra's Core Privileged Access Manager (BoKS), specifically in the boks_autoregisterd service. The flaw is reachable over the network with no authentication required and no user interaction needed, meaning any attacker who can reach the service can send a crafted request to trigger the injection. Successful exploitation allows the attacker to execute arbitrary operating system commands with the privileges of the autoregistration service, enabling full compromise of the affected host. HarborGuard is tracking the advisory for patch availability, as no fix version has been published by Fortra at this time.
HarborGuard Coverage
Detection (Available)
Detection of CVE-2026-9862 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that package boks-server at an affected version. Any image containing boks-server at or below version 8.1.0.22 (on the 8.x line) or 9.0.0.4 (on the 9.x line) is flagged automatically.
Triage (Available)
Triage is available with the full CVSS v3.1 score of 9.8 (Critical) applied to each matched image, weighted against each customer environment's compliance policy to reflect actual exposure. Findings are routed to the appropriate team inbox within the customer organization based on configured ownership and severity thresholds.
Remediation (Pending upstream)
Because no upstream fix version has been published, HarborGuard re-checks the Fortra advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. In the interim, customers can apply compensating controls through HarborGuard's network policy isolation recommendations to restrict access to the boks_autoregisterd service.
Exploit Conditions
- Network reachability: Required
The attacker must reach the boks_autoregisterd service over the network; any system with network access to the exposed service port is a potential source of attack.
- Authentication: Not required
No credentials or account of any kind are needed; the vulnerable autoregistration endpoint processes unauthenticated requests.
- Victim interaction: Not required
The attack completes without any action from a user or administrator on the target system.
- Attack complexity: Low
Exploitation is reliable and condition-free; no race conditions, memory layout knowledge, or other environmental factors need to align for the injection to succeed.
Blast Radius
- Executes arbitrary OS commands with the runtime privileges of the boks_autoregisterd service, which in a PAM context typically carries elevated system rights.
- Reads sensitive credential material, access policy configuration, and session data managed by the BoKS privileged access manager.
- Modifies or deletes access control records and audit logs stored on the server, undermining the integrity of the PAM system.
- Crashes or disables the autoregistration service and potentially dependent BoKS components, blocking privileged access workflows for the entire managed environment.
How HarborGuard Handles This
Available on HarborGuard: because Fortra has not yet published a fix for CVE-2026-9862, the immediate focus is on detection and compensating controls. HarborGuard continuously re-checks the Fortra advisory on every ingest cycle and will surface a patched-image rebuild opportunity the moment an upstream fix is released. For customers who opt into auto-remediation, a rebuild, regression-test run, and PR against affected workloads will be triggered automatically at that point. In the interim, HarborGuard flags all images containing boks-server at or below the affected versions and marks findings as Critical (9.8). Recommended compensating controls include applying network policy to isolate the boks_autoregisterd service port to known, trusted host ranges only, enabling egress filtering on containers running BoKS to limit lateral movement, and disabling the autoregistration feature entirely if it is not operationally required.
Affected Products
- Fortra / Core Privileged Access Manager (BoKS): boks-server ≤ 8.1.0.22 (8.x line), boks-server ≤ 9.0.0.4 (9.x line)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
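The version rule from the affected-products entry above, as an added example that is not HarborGuard's or Fortra's code: it classifies boks-server package versions found in an image inventory against the two per-line ceilings (8.1.0.22 on 8.x, 9.0.0.4 on 9.x). Because no fixed version has been published, a build above a ceiling on the same line is reported as "unknown" rather than "fixed" (that status and the sample inventory are this example's own assumptions).

```python
"""Flag boks-server versions affected by CVE-2026-9862 in an image inventory.

Illustrative code, not HarborGuard's scanner. Matching rule from the advisory:
boks-server <= 8.1.0.22 on the 8.x line and <= 9.0.0.4 on the 9.x line.
"""

# Highest known-affected version per major line, taken from the advisory.
AFFECTED_CEILINGS = {8: (8, 1, 0, 22), 9: (9, 0, 0, 4)}


def parse_version(v: str) -> tuple:
    """Turn '8.1.0.22' into (8, 1, 0, 22); raises ValueError on malformed input."""
    parts = tuple(int(p) for p in v.strip().split("."))
    if not parts:
        raise ValueError(f"empty version: {v!r}")
    return parts


def classify(version: str) -> str:
    """'affected', 'unknown' (above the ceiling, no fix published) or 'out-of-scope'."""
    parsed = parse_version(version)
    ceiling = AFFECTED_CEILINGS.get(parsed[0])
    if ceiling is None:
        return "out-of-scope"  # advisory lists only the 8.x and 9.x lines
    # Zero-pad so a short version like '8.1' compares as '8.1.0.0'.
    width = max(len(parsed), len(ceiling))
    padded = parsed + (0,) * (width - len(parsed))
    padded_ceiling = ceiling + (0,) * (width - len(ceiling))
    # Assumption: anything newer than the ceiling is unverified, not fixed.
    return "affected" if padded <= padded_ceiling else "unknown"


def flag_inventory(inventory):
    """inventory: iterable of (image, package, version). Returns a list of findings."""
    findings = []
    for image, package, version in inventory:
        if package != "boks-server":
            continue
        status = classify(version)
        if status != "out-of-scope":
            findings.append({"image": image, "version": version, "status": status,
                             "cve": "CVE-2026-9862", "cvss": 9.8})
    return findings


# Constructed sample inventory (image, package, version); not real scan data.
SAMPLE_INVENTORY = [
    ("registry.example/pam/boks:8", "boks-server", "8.1.0.22"),
    ("registry.example/pam/boks:9", "boks-server", "9.0.0.3"),
    ("registry.example/pam/boks:9-next", "boks-server", "9.0.0.5"),
    ("registry.example/pam/boks:7", "boks-server", "7.2.0.1"),
    ("registry.example/base", "openssl", "3.0.13"),
]

if __name__ == "__main__":
    for f in flag_inventory(SAMPLE_INVENTORY):
        print(f"{f['status']:9} {f['image']} boks-server {f['version']}")
```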