Fortra Access Manager Vulnerability Enables Remote Command Injection Attacks
Fortra has disclosed a critical command injection vulnerability in Core Privileged Access Manager, also known as BoKS, that can let a remote attacker run operating system commands on affected systems.
The flaw is tracked as CVE-2026-9862 and affects the boks_autoregisterd service. According to Fortra advisory FI-2026-007, an attacker with network access to the service may execute commands with the privileges of the service during autoregistration processing.
The issue carries a critical CVSS 3.1 base score of 9.8 because exploitation requires only network access, has low attack complexity, and needs neither authentication nor user interaction, according to the NVD entry for CVE-2026-9862.
What CVE-2026-9862 Affects
Core Privileged Access Manager is Fortra’s privileged access management platform for Linux and UNIX environments. Fortra describes Core Privileged Access Manager as a way to centralize security policy, account management, access control, and privileged access enforcement across multi-vendor server environments.
The vulnerable component is boks_autoregisterd, which supports host autoregistration in BoKS deployments. Fortra says the service listens on TCP port 6507 by default, which means exposure depends heavily on firewall rules and network segmentation.
NVD lists the affected versions as boks-server 8.1.0.0 through 8.1.0.22 and boks-server 9.0.0.0 through 9.0.0.4.
| Detail | Information |
|---|---|
| CVE | CVE-2026-9862 |
| Product | Fortra Core Privileged Access Manager (BoKS) |
| Vulnerable module | boks_autoregisterd |
| Default port | TCP 6507 |
| Weakness type | CWE-78 OS command injection |
| CVSS score | 9.8 critical |
| Authentication required | No |
Why the Vulnerability Is Critical
CVE-2026-9862 is classified as CWE-78, which covers improper neutralization of special elements used in an operating system command. The MITRE CWE-78 definition explains that this weakness occurs when externally influenced input can modify the intended command before it reaches the operating system.
In practical terms, a remote attacker who can reach boks_autoregisterd may be able to inject commands into the autoregistration workflow. Those commands would run with the privileges assigned to the service, which can create a serious path to system compromise.
The risk rises further because BoKS controls privileged access. A compromised privileged access management component can expose sensitive administration workflows, disrupt authentication controls, or help an attacker move deeper into a Linux or UNIX server environment.
Fortra Recommends Restricting Access to Port 6507
Fortra’s immediate workaround is to restrict network access to boks_autoregisterd until fixed builds are deployed. Administrators should limit TCP port 6507 to trusted management networks and block access from untrusted internal segments and the public internet.
Where autoregistration is not required, Fortra also recommends disabling the service through the BoKS Master configuration. The Fortra security advisory says administrators can comment out the autoregisterd line in the boksinit configuration and then reload boks_init or restart BoKS.
Disabling the service prevents exploitation through boks_autoregisterd, but it also stops autoregistration until the configuration is restored. Organizations should plan that change carefully in environments where automated host onboarding is still active.
Affected Versions and Exposure Checklist
The National Vulnerability Database says the flaw affects specific BoKS server 8.1 and 9.0 builds and maps the weakness to CWE-78. NVD also records CISA ADP data that marks the vulnerability as automatable with total technical impact.
That does not mean every BoKS deployment is equally exposed. The most urgent cases are systems where boks_autoregisterd listens on a reachable network interface and where port 6507 can be reached from untrusted networks.
Administrators should answer these questions immediately:
- Are we running boks-server 8.1.0.0 through 8.1.0.22?
- Are we running boks-server 9.0.0.0 through 9.0.0.4?
- Is boks_autoregisterd enabled on the BoKS Master?
- Is TCP port 6507 reachable from outside the management network?
- Do firewall logs show unexpected traffic to port 6507?
- Do BoKS logs show unusual autoregistration activity?
- Can autoregistration be disabled until fixed builds are installed?
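The following script turns the checklist above and the workaround from the previous section into a repeatable triage: it tests a reported boks-server version against the two affected ranges NVD lists, checks whether the autoregisterd entry in a boksinit-style configuration is still active, produces the commented-out version of that configuration, and combines the answers with the port-reachability question into a remediation priority. This is an added example, not Fortra's code or tooling: it assumes versions are dotted integer strings, that a boksinit line is disabled by prefixing it with `#`, and the sample configuration is constructed rather than copied from a real BoKS Master.

```python
"""Exposure triage for CVE-2026-9862.

Added example, not Fortra's code or tooling. Assumptions: BoKS versions are
dotted integer strings such as "8.1.0.22"; the boksinit configuration is a
line-oriented text file in which a service line is disabled by prefixing
it with '#'. SAMPLE_BOKSINIT below is constructed and does not reproduce
the real boksinit syntax.
"""
from typing import Dict, Tuple

# Affected ranges as listed in the NVD entry (inclusive bounds).
AFFECTED_RANGES: Tuple[Tuple[Tuple[int, ...], Tuple[int, ...]], ...] = (
    ((8, 1, 0, 0), (8, 1, 0, 22)),
    ((9, 0, 0, 0), (9, 0, 0, 4)),
)

# Constructed sample, NOT real boksinit content.
SAMPLE_BOKSINIT = """\
# constructed boksinit-style sample
boks_master
boks_autoregisterd
boks_servc
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """'8.1.0.22' -> (8, 1, 0, 22); shorter strings are zero-padded to 4 parts."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected_version(version: str) -> bool:
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def _active_autoreg_line(line: str) -> bool:
    """An autoregisterd entry that is neither blank nor commented out."""
    stripped = line.strip()
    return bool(stripped) and not stripped.startswith("#") and "autoregisterd" in stripped


def autoregisterd_enabled(config_text: str) -> bool:
    """True if boksinit still carries an uncommented autoregisterd entry."""
    return any(_active_autoreg_line(line) for line in config_text.splitlines())


def disable_autoregisterd(config_text: str) -> str:
    """Return the config with every active autoregisterd line commented out.

    Mirrors Fortra's workaround: after writing the result back, reload
    boks_init or restart BoKS so the change takes effect. Idempotent.
    """
    return "".join(
        ("#" + line) if _active_autoreg_line(line) else line
        for line in config_text.splitlines(keepends=True)
    )


def triage(version: str, config_text: str, reachable_from_untrusted: bool) -> Dict[str, object]:
    """Combine the three checklist answers into a remediation priority."""
    affected = is_affected_version(version)
    enabled = autoregisterd_enabled(config_text)
    if affected and enabled and reachable_from_untrusted:
        priority = "immediate"           # block TCP 6507 and/or disable the service now
    elif affected and enabled:
        priority = "high"                # keep the port restricted; disable if not needed
    elif affected:
        priority = "patch-when-available"
    else:
        priority = "none"
    return {
        "affected_version": affected,
        "service_enabled": enabled,
        "reachable_from_untrusted": reachable_from_untrusted,
        "priority": priority,
    }


if __name__ == "__main__":
    print(triage("8.1.0.5", SAMPLE_BOKSINIT, reachable_from_untrusted=True))
    print(disable_autoregisterd(SAMPLE_BOKSINIT), end="")
```

Run it against the version string reported by each BoKS Master and the contents of its boksinit file; the `reachable_from_untrusted` flag is whatever your firewall review answers, since the script deliberately does no network probing. Because `disable_autoregisterd` is idempotent, it can be applied to an already-mitigated configuration without producing a double comment.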
Why BoKS Deployments Need Fast Mitigation
Fortra’s BoKS platform is used to manage accounts, access, privilege enforcement, sudo controls, and administration across Linux and UNIX environments. That makes the product a high-value target when a critical network-reachable flaw appears.
An attacker who can run commands through a privileged service may attempt to alter files, deploy malware, create persistence, tamper with access controls, or use the affected host as a staging point for lateral movement.
Security teams should treat port 6507 exposure as an emergency configuration issue. Even before fixed builds are available, network-level restrictions can sharply reduce the attack surface.
How Security Teams Should Respond
Organizations should start with containment. Limit access to boks_autoregisterd, disable the service where possible, and confirm whether affected BoKS server versions are present in production, staging, and backup environments.
Teams should then review logs for suspicious activity. Look for unexpected autoregistration attempts, unfamiliar source IP addresses, abnormal process execution, changed configuration files, or signs of shell command execution around the BoKS service.
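The log review described above can be scripted for the firewall side. The following added example (not Fortra's tooling) parses Linux kernel `LOG`-style lines, keeps TCP connection attempts to port 6507, and counts them per source address for any source outside the trusted management network. The log lines and the management CIDR are constructed for illustration; BoKS's own autoregistration log format is not shown on the page, so only firewall logs are handled here.

```python
"""Flag connection attempts to the boks_autoregisterd port (TCP 6507) from
outside the trusted management network.

Added example, not Fortra tooling. Assumes Linux iptables/nftables LOG-style
lines with KEY=VALUE fields (SRC=, DST=, PROTO=, DPT=). SAMPLE_LOG and
MANAGEMENT_NETS are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict

AUTOREG_PORT = 6507
# Assumption: the only network that should ever talk to boks_autoregisterd.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

FIELD = re.compile(r"(\w+)=(\S*)")

# Constructed sample lines; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
Mar 3 10:01:02 boksmaster kernel: IN=eth0 OUT= SRC=10.10.0.15 DST=10.10.0.5 PROTO=TCP SPT=41222 DPT=6507 SYN
Mar 3 10:01:09 boksmaster kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=10.10.0.5 PROTO=TCP SPT=55120 DPT=6507 SYN
Mar 3 10:01:10 boksmaster kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=10.10.0.5 PROTO=TCP SPT=55121 DPT=6507 SYN
Mar 3 10:01:15 boksmaster kernel: IN=eth0 OUT= SRC=192.168.50.9 DST=10.10.0.5 PROTO=TCP SPT=33001 DPT=22 SYN
Mar 3 10:01:20 boksmaster kernel: IN=eth0 OUT= SRC=192.168.50.9 DST=10.10.0.5 PROTO=UDP SPT=33002 DPT=6507
"""


def parse_line(line: str) -> Dict[str, str]:
    """Extract KEY=VALUE fields from one kernel LOG line (empty values allowed)."""
    return dict(FIELD.findall(line))


def is_management(ip: str) -> bool:
    """True if the address belongs to one of the trusted management networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def suspicious_autoreg_hits(log_text: str) -> Counter:
    """Count TCP attempts to port 6507 per source outside the management nets.

    Anything reaching the autoregistration port from elsewhere is exactly the
    exposure Fortra's workaround is meant to remove, so each hit is a candidate
    for the incident queue as well as a firewall rule gap.
    """
    hits: Counter = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != str(AUTOREG_PORT):
            continue
        src = fields.get("SRC")
        if not src or is_management(src):
            continue
        hits[src] += 1
    return hits


if __name__ == "__main__":
    for src, count in suspicious_autoreg_hits(SAMPLE_LOG).most_common():
        print(f"{src}: {count} attempt(s) to TCP/{AUTOREG_PORT} from outside management nets")
```

Feed it the kernel log on the BoKS Master (or the exported firewall log) and review every source it reports; a hit from an address that is not a known BoKS host is a reason to check that host's autoregistration records and the process activity on the Master around the same timestamps.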
The CWE guidance for command injection also highlights the value of least privilege, sandboxing, strict input handling, and firewall controls. For customers waiting on fixed builds, those defensive layers can help limit both exploitability and impact.
| Priority | Action | Purpose |
|---|---|---|
| Immediate | Block untrusted access to TCP port 6507 | Prevents remote attackers from reaching boks_autoregisterd |
| Immediate | Disable boks_autoregisterd if not needed | Removes the vulnerable service from the attack path |
| High | Check BoKS server version | Confirms whether the environment is affected |
| High | Review BoKS and firewall logs | Looks for exploitation attempts or suspicious access |
| High | Apply fixed builds when available | Remediates the vulnerability fully |
No Public Exploitation Confirmed Yet, but Risk Remains High
Fortra’s advisory and NVD listing do not currently state that CVE-2026-9862 has been exploited in active attacks. However, the vulnerability is network-reachable, unauthenticated, low-complexity, and affects privileged access infrastructure.
That combination makes delayed mitigation risky. Organizations should not wait for public exploit activity before restricting access to the vulnerable service.
The safest response is to assume that exposed boks_autoregisterd services will attract scanning. Restrict port 6507, disable autoregistration where possible, monitor for suspicious activity, and deploy Fortra’s fixed builds as soon as they are released.
FAQ
CVE-2026-9862 is a critical OS command injection vulnerability in Fortra Core Privileged Access Manager (BoKS). It affects the boks_autoregisterd service and can allow a remote unauthenticated attacker with network access to execute commands with the service’s privileges.
NVD lists boks-server 8.1.0.0 through 8.1.0.22 and boks-server 9.0.0.0 through 9.0.0.4 as affected by CVE-2026-9862.
Fortra’s advisory and the NVD entry do not currently state that CVE-2026-9862 has been exploited in active attacks. Even so, the flaw is critical because it is remotely reachable, unauthenticated, and can have total technical impact.
Fortra says boks_autoregisterd listens on TCP port 6507 by default. Administrators should restrict this port to trusted management networks or disable the service if autoregistration is not required.
Organizations should restrict network access to boks_autoregisterd, block untrusted traffic to TCP port 6507, disable autoregistration where possible, review logs for suspicious activity, and install Fortra’s fixed builds as soon as they become available.