Fortra has identified a critical security flaw in its Core Privileged Access Manager (BoKS) that could permit remote attackers to execute arbitrary commands on affected systems. This vulnerability, designated as CVE-2026-9862, is an operating system command injection issue within the boks_autoregisterd service, carrying a CVSS severity score of 9.8.
The flaw resides in the autoregistration functionality of BoKS, a component responsible for automatically registering hosts within the privileged access management environment. Due to inadequate neutralization of user-supplied input, attackers can craft malicious requests that inject operating system commands during the autoregistration process.
Security researchers have noted that the vulnerable service typically listens on TCP port 6507, making it accessible over the network in many configurations. An unauthenticated attacker with network access to this service can exploit the flaw without requiring user interaction or prior privileges. Successful exploitation enables the execution of arbitrary commands with the service’s privileges, potentially leading to full system compromise, data manipulation, or service disruption.
Given the critical nature of this vulnerability and the absence of authentication requirements, it poses a significant risk to organizations relying on BoKS for privileged access management. Attackers could leverage this weakness to move laterally across networks, escalate privileges, or deploy malware.
Fortra has acknowledged the issue and provided temporary mitigation measures while security updates are being prepared. Organizations are strongly advised to restrict network access to the boks_autoregisterd service, particularly limiting exposure of port 6507 to untrusted networks. This can be achieved through firewall rules or network segmentation.
According to Fortra’s advisory FI-2026-007, the vulnerability was identified on May 27, 2026, and publicly disclosed on June 15, 2026. As an additional workaround, administrators can disable the vulnerable service entirely by modifying the boksinit configuration file on the BoKS Master system to comment out the autoregisterd service entry. After updating the configuration, the service manager must be reloaded, or the BoKS service restarted to apply the changes. While this mitigation prevents exploitation, it also disables autoregistration until the configuration is restored.
Security teams should monitor their environments for any unusual activity associated with the autoregistration service, including unexpected command execution or suspicious network traffic targeting port 6507. Applying vendor patches as soon as they become available is critical to fully remediate the risk.
The disclosure of CVE-2026-9862 underscores the ongoing risks posed by exposed management services and highlights the importance of secure coding practices, particularly input validation, to prevent command injection vulnerabilities.
In light of this vulnerability, organizations should reassess their network configurations and access controls to ensure that critical services are not unnecessarily exposed. Implementing robust monitoring and logging mechanisms can aid in the early detection of exploitation attempts. Additionally, fostering a culture of security awareness and regular training for administrators can help in promptly identifying and mitigating such vulnerabilities in the future.
