Critical Fortra Access Manager Vulnerability Enables Remote Command Injection Attacks
Fortra disclosed a critical OS command injection vulnerability (CVE-2026-9862) in its Core Privileged Access Manager (BoKS) that allows unauthenticated remote attackers to execute arbitrary commands.
Fortra has disclosed a critical security vulnerability in its Core Privileged Access Manager (BoKS) that could allow remote attackers to execute arbitrary commands on affected systems. CVE-2026-9862 is a critical OS command injection (CWE-78) flaw in the boks_autoregisterd service, carrying a CVSS 9.8 severity rating. It exists within the autoregistration functionality of BoKS, a component that automatically registers hosts in the privileged access management environment. Due to improper neutralization of user-supplied input, attackers can craft malicious requests that inject operating system commands during the autoregistration process.
Security researchers identified that the vulnerable service listens on TCP port 6507 by default, making it reachable over the network in many deployments. An unauthenticated attacker with network access to this service can exploit the flaw without requiring user interaction or prior privileges. Successful exploitation enables the execution of arbitrary commands with the service's privileges, which can lead to full system compromise, data manipulation, or service disruption.
Given the critical nature of the flaw and the lack of authentication requirements, it poses a significant risk to organizations that rely on BoKS for privileged access management. Attackers could potentially leverage this weakness to move laterally across networks, escalate privileges, or deploy malware. Fortra has acknowledged the issue and provided temporary mitigation measures while security updates are being prepared.
Organizations are strongly advised to restrict network access to the boks_autoregisterd service, particularly limiting exposure of port 6507 to untrusted networks. This can be achieved through firewall rules or network segmentation. According to Fortra advisory FI-2026-007, the vulnerability was identified on May 27, 2026, and publicly disclosed on June 15, 2026.
As an additional workaround, administrators can turn off the vulnerable service entirely. This involves modifying the boksinit configuration file on the BoKS Master system by commenting out the autoregisterd service entry. After updating the configuration, the service manager must be reloaded, or the BoKS service restarted to apply the changes. While this mitigation prevents exploitation, it also turns off autoregistration until the configuration is restored.
Security teams should monitor their environments for any unusual activity associated with the autoregistration service, including unexpected command execution or suspicious network traffic targeting port 6507. Applying vendor patches as soon as they become available is critical to remediate the risk fully. The disclosure of CVE-2026-9862 underscores the ongoing risks posed by exposed management services and highlights the importance of secure coding practices, particularly input validation, to prevent command injection vulnerabilities.