External risk intelligence

Fortra BoKS OS Command Injection in boks_autoregisterd Service

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-9862

A critical OS command injection vulnerability exists in Fortra's Core Privileged Access Manager's autoregistration service. This flaw may allow a remote attacker with network access to execute commands with elevated privileges. It is uncertain if this technology is in use or how exposed it may be.

3Halo Surface Signal

OS Command Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-9862

The vulnerability exists in a privileged access management service responsible for autoregistration. While such services are often deployed within internal network segments to manage server access, they may be reachable from other parts of the network or potentially exposed in specific configurations, but they are not typically designed to be directly public-facing in standard deployments.

PCI scan relevance

PCI Relevance for CVE-2026-9862

Yes

CVE-2026-9862 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows remote attackers to execute commands with elevated privileges, which could lead to a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Fortra's Core Privileged Access Manager, specifically within its autoregistration service. This flaw could allow an unauthorized remote attacker to execute commands with elevated privileges, potentially impacting the integrity and availability of systems managed by this service. The main concern at this time is confirming if this specific technology is in use and, if so, to what extent it may be exposed.

  • Service flaw allows unauthorized command execution.
  • Critical privilege escalation risk in access management.
  • Confirm usage and exposure to assess impact.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by sending specially crafted network requests to the `boks_autoregisterd` service. This could allow them to execute arbitrary operating system commands with the privileges of the service, potentially leading to significant system compromise.

  • Network access to the service required.
  • Vulnerable service processes autoregistration requests.
  • Command execution with service privileges.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in a privileged access management service could allow commands to execute with the service's elevated privileges. This could occur when the service processes autoregistration requests from a remote attacker with network access.

  • System commands and service privileges.
  • Commands executed via autoregistration.
  • Unauthorized system control.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in Fortra's Core Privileged Access Manager (BoKS) impacts the `boks_autoregisterd` service, allowing remote attackers to execute commands with elevated privileges. Responsibility for addressing this likely falls to infrastructure or platform teams managing the Privileged Access Management (PAM) solution, in coordination with security operations for exposure assessment and network teams if segmentation is a factor. The immediate first step is to discover all instances of the affected service, confirm its network reachability and business criticality, and identify the accountable system owner before planning remediation during a scheduled maintenance window.

  • Own by infrastructure and platform teams.
  • Verify service reachability and criticality.
  • Plan remediation during maintenance window.

Frequently asked questions

What is Fortra Core Privileged Access Manager (BoKS)?

BoKS is a software solution designed to manage and secure access to privileged accounts across an organization's IT infrastructure. It acts as a control layer for identity and access management, helping administrators monitor and restrict administrative actions on servers. By centralizing these controls, it helps ensure that only authorized users perform high-privilege tasks, serving as a critical component in maintaining system security and compliance.

What does CWE-78 mean for CVE-2026-9862?

CVE-2026-9862 involves a vulnerability class known as CWE-78, or OS Command Injection. This happens when an application improperly cleans user-supplied data before passing it to a system shell. In this case, the boks_autoregisterd service fails to safely handle input during autoregistration, allowing an attacker to inject their own operating system commands that the server then executes as if they were legitimate instructions from the service itself.

How can an attacker trigger this command injection?

An attacker triggers this bug by sending specially crafted network requests to the boks_autoregisterd service during the autoregistration process. The flaw is specifically tied to how the service handles these requests. It is important to note that simply having the BoKS software installed does not trigger the vulnerability; it requires active, direct network access to this specific service to send the malicious data that leads to unauthorized command execution.

Do I need to worry if my BoKS service is internal?

According to Halo Surface Signal, this service is typically deployed within internal network segments rather than being directly public-facing. However, you should still care if there are pathways that allow network traffic to reach the service from other segments of your environment. Even if the service is not on the open internet, internal reachability can still pose a significant risk if an attacker has gained a foothold elsewhere in your network.

What are the first steps to address this CVE?

Your first step is to identify all instances of BoKS running in your environment to understand your footprint. Once you have a list, work with your infrastructure teams to verify the network reachability of the boks_autoregisterd service and determine its criticality. Once you have identified the systems, you should coordinate with the system owners to plan for necessary updates or security configurations during a scheduled maintenance window.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished