CVE-2026-9862
PUBLISHED
Published: 15 Jun 2026, 15:10
Last modified:15 Jun 2026, 15:18
Vulnerability Summary
Overall Risk (default)
high
70/100 CVSS Score
9.8 CRITICAL
v3.1 (cve.org)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
15 Jun 2026, 15:10
Published
Vulnerability first disclosed
15 Jun 2026, 15:18
Last Modified
Vulnerability information updated
Description
Fortra's Core Privileged Access Manager (BoKS) contains an OS command injection vulnerability in the boks_autoregisterd service. A remote attacker with network access to the service may be able to cause commands to be executed with the privileges of the service during the autoregistration processing.
CVSS Metrics
- v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Techniques & Countermeasures
- CWE-78•Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Affected Systems
- fortra•core privileged access manager (boks)
≥ boks-server 8.1.0.0, ≤ boks-server 8.1.0.22 | ≥ boks-server 9.0.0.0, ≤ boks-server 9.0.0.4