OS Command Injection Vulnerability in Fortra's Core Privileged Access Manager
CVE-2026-9862

9.8 CRITICAL

Key Information:

Vendor: Fortra

CVE Published: 15 June 2026

What is CVE-2026-9862?

Fortra's Core Privileged Access Manager (BoKS) is vulnerable to OS command injection due to a flaw in the boks_autoregisterd service. A remote attacker with network access can manipulate the service during autoregistration and execute commands with the service's privileges. Successful exploitation results in unauthorized command execution, potentially compromising sensitive information and system integrity.

Affected Version(s)

Core Privileged Access Manager (BoKS) boks-server 8.1.0.0

Core Privileged Access Manager (BoKS) boks-server 9.0.0.0

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Fortra internal security assessment