
Takeover Flaw in the PAM Tool Fortra BoKS: CVE-2026-9862, Update to s-9.0.0.5 / s-8.1.0.23 Now

Fortra Core Privileged Access Manager (BoKS), used to centrally manage admin access across server fleets, has a 9.8 flaw (CVE-2026-9862). With no login, an attacker on the internal network can take over the central server and seize company-wide privilege. Fixed releases s-9.0.0.5 and s-8.1.0.23 are out; affected orgs should update now.

News

Makoto Horikawa (Backend Engineer / AWS / Django)

2026.06.16 · 7 min read

"Fortra Core Privileged Access Manager (BoKS)," the system companies use to centrally manage administrator access across large fleets of servers, has a serious flaw rated 9.8. It is tracked as CVE-2026-9862. With no login, an attacker positioned within reach on the internal network can run arbitrary commands on this central server.

Vendor Fortra released fixes on June 15, 2026. Across the two supported version lines, Server s-9.0.0.5 and s-8.1.0.23 are the fixed releases. If your organization runs BoKS, apply them promptly rather than later.

✓ What is confirmed so far

  • The affected component is the autoregistration service (boks_autoregisterd) of Fortra Core Privileged Access Manager (BoKS) (source: NVD)
  • Severity is 9.8 out of 10; the weakness class is OS command injection (CWE-78): attacker-controlled characters reach an OS command line
  • Exploitable over the network with no login (the CVSS vector's privilege requirement is PR:N)
  • Fixed releases s-9.0.0.5 / s-8.1.0.23 are out, which also fix the sibling flaw CVE-2026-9863. No known exploitation or KEV listing as of now

What does Fortra BoKS do

Large companies run servers by the hundreds or thousands. Managing, one machine at a time, who can log in with administrator rights (root) is not practical. That is where "privileged access management (PAM)" comes in: it acts like a vault keeper that, in one place, governs "who can get into which server, and with what level of privilege."

Fortra Core Privileged Access Manager (BoKS) is one of the leading products of this kind. Formerly under the HelpSystems name and older vendors before that, it is now also called "Powertech Identity & Access Manager (BoKS)." It is used by large enterprises in finance, telecom, manufacturing, and the like that run fleets of Linux and UNIX servers, to centralize administrator access.

The flaw is in BoKS's autoregistration service. When a new server is brought under BoKS management, that machine communicates over the network to register itself with the central server. The resident program acting as that intake desk, boks_autoregisterd, mishandled how commands are built.

When the Vault Holding Every Spare Key Can Be Pried Open From Outside

More than the number 9.8 itself, the point to grasp first is that what is being targeted is not the thing being protected, but the mechanism doing the protecting. A PAM is the vault that bundles the entryways to every server in the company. This vulnerability means that vault's intake desk can be pried open from the outside, with no login required.

The first to go after this are those who already have a foothold somewhere in the company network and want to expand their control at a stroke. Specifically: attackers who want to move laterally after breaking in and maximize the damage, initial access brokers who build entry routes and sell them to ransomware crews, dishonest insiders trying to seize privilege from within, and industrial spies who want to lurk for a long time and keep siphoning information. What they come for is exactly what BoKS bundles: the administrator passwords for every server, the SSH keys, the list of "who can get into which server," and the records of privileged operations. The moment one crafted request slips through that autoregistration desk, the spare keys to every server in the company pass together into their hands, and the central server itself is taken over.

In security terms, this is "OS command injection" — slipping the attacker's strings into the command line handed to the OS. Because no login is required (PR:N) and it works as long as the service is reachable over the network, for an attacker already inside it is a springboard to leap straight from "owning one PC" to "holding the entire company's privileges." A PAM is convenient, but once breached it is also the "privilege choke point" where every server can fall in a chain — the single spot attackers want most.

The number "9.8" only marks technical severity. For a company that runs BoKS, what is really lost is administrator access to every server (the backbone of the business), operations that can no longer be kept running, the data of customers and partners, and the trust that evaporates once it becomes public that "the very mechanism meant to protect us was broken." When the core of your defenses falls, everything behind it is endangered at the same time.

CVE-2026-9862: a command slips into the autoregistration intake

According to the NVD description, CVE-2026-9862 is "an OS command injection vulnerability in the boks_autoregisterd service. A remote attacker with network access to the service may be able to cause commands to be executed with the privileges of the service during the autoregistration processing." It is classified as OS command injection (CWE-78).

By rights, the registration data arriving from outside should be treated as "just data." But when that string is used as-is while building an OS command, the command an attacker slipped in runs with the service's privileges. Because the autoregistration service runs with high privileges on the central server, the privileges seized are large too.
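The pattern in the abstract, as an added illustration written for this article (it is not BoKS or Fortra code, and the tool path, the --host field and the host-name rule are placeholders): the same request field spliced into a shell string, then shell-quoted, then validated and passed as a separate argv element. An offline tokeniser stands in for /bin/sh so the effect of an injected ";" or "&&" is visible without executing anything.

```python
"""
Added illustration for this article, not code from BoKS or Fortra: how a field
taken from a registration request turns into OS command injection (CWE-78) when
it is pasted into a shell command line, and two ways to close that hole.
The tool path and the request field are placeholders.
"""
from __future__ import annotations

import re
import shlex

# Placeholder for whatever helper a registration service might shell out to.
REGISTER_TOOL = "/opt/example/bin/register_host"

# RFC 1123 host name: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?",
    re.IGNORECASE,
)


def build_cmd_vulnerable(hostname: str) -> str:
    """The flawed pattern: the untrusted field is spliced into one string that is
    later handed to a shell (system(), popen(), subprocess with shell=True)."""
    return f"{REGISTER_TOOL} --host {hostname}"


def build_cmd_quoted(hostname: str) -> str:
    """Mitigation 1: shell-quote the field. The shell now sees one argument,
    but the value still reaches the helper unchecked."""
    return f"{REGISTER_TOOL} --host {shlex.quote(hostname)}"


def build_cmd_hardened(hostname: str) -> list[str]:
    """Mitigation 2 (preferred): validate the field against the format the
    protocol promises, then pass it as its own argv element so no shell
    parses it at all (subprocess.run(argv) with shell=False, or execve)."""
    if not HOSTNAME_RE.fullmatch(hostname):
        raise ValueError(f"rejected host name: {hostname!r}")
    return [REGISTER_TOOL, "--host", hostname]


def shell_commands(cmdline: str) -> list[list[str]]:
    """Offline stand-in for /bin/sh: tokenise a command line the way a POSIX
    shell would and split it at ; & && | || into the separate commands the
    shell would run, so an injected separator shows up as a second command."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: list[list[str]] = []
    current: list[str] = []
    for tok in lexer:
        if tok in (";", "&", "&&", "|", "||"):
            if current:
                commands.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    payload = "db-07; id"  # constructed: a "host name" carrying a second command
    print(shell_commands(build_cmd_vulnerable(payload)))  # two commands
    print(shell_commands(build_cmd_quoted(payload)))      # one command, odd argument
    try:
        build_cmd_hardened(payload)
    except ValueError as exc:
        print("hardened:", exc)
    print(build_cmd_hardened("db-07.corp.example"))
```

Quoting alone is the weaker fix: it stops the shell from splitting the value, but the helper still receives whatever was sent. Validating against the format the protocol actually promises and never involving a shell removes the injection class rather than one instance of it.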

The technical scoring (CVSS vector) is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, for a score of 9.8. The gist is: over the network (AV:N), under easy conditions (AC:L), with no login (PR:N) and no user interaction (UI:N), it succeeds, and the impact on stealing, tampering with, and destroying information is all at the maximum (C:H/I:H/A:H). The prerequisites for the attack are next to none, putting it among the most readily exploitable flaws.

Note that the same June 15 update also fixes a separate command injection flaw in the upgrade process (CVE-2026-9863). Applying the fixed release closes both.

Affected versions, and what to do now

Affected are BoKS releases earlier than the fix. A fixed release is provided for each of the two supported lines. Check the server release number you run.

Version line | Affected releases                 | Fixed (apply now)
9.0 line     | Before s-9.0.0.5 (e.g. 9.0.0.4)   | Server s-9.0.0.5
8.1 line     | Before s-8.1.0.23 (e.g. 8.1.0.22) | Server s-8.1.0.23
Older lines  | Check support status              | Follow Fortra's guidance to update
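A quick way to triage an inventory against that table, as an added example written for this article rather than a Fortra tool: it accepts the release-string forms shown in the table ("s-9.0.0.4", "Server s-9.0.0.5", or a bare "9.0.0.4"), compares within each supported line, and flags anything outside those lines for a support-status check. The inventory it runs over is constructed.

```python
"""
Added example for this article (not a Fortra tool): classify BoKS server release
strings against the fixed releases named in the table, s-9.0.0.5 and s-8.1.0.23,
so a fleet inventory can be triaged in one pass. The inventory below is constructed.
"""
from __future__ import annotations

import re

# Fixed release per supported line, from the table above.
FIXED_BY_LINE: dict[tuple[int, int], tuple[int, ...]] = {
    (9, 0): (9, 0, 0, 5),
    (8, 1): (8, 1, 0, 23),
}

# Accepts "s-9.0.0.4", "Server s-9.0.0.4" or a bare "9.0.0.4".
RELEASE_RE = re.compile(r"(?:server\s+)?(?:s-)?(\d+(?:\.\d+)+)", re.IGNORECASE)


def parse_release(text: str) -> tuple[int, ...]:
    m = RELEASE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def fmt(version: tuple[int, ...]) -> str:
    return "s-" + ".".join(str(p) for p in version)


def classify(text: str) -> dict[str, str]:
    """Return a status plus the action to take. Tuple comparison handles
    shorter strings (e.g. (9, 0, 0) sorts before (9, 0, 0, 5)) without special cases."""
    version = parse_release(text)
    line = version[:2]
    fixed = FIXED_BY_LINE.get(line)
    if fixed is None:
        return {"status": "unsupported-line", "action": "check support status with Fortra"}
    if version < fixed:
        return {"status": "affected", "action": f"update to {fmt(fixed)}"}
    return {"status": "fixed", "action": "none"}


def fleet_report(inventory: dict[str, str]) -> dict[str, dict[str, str]]:
    """host -> classification, for every host in the inventory."""
    return {host: classify(release) for host, release in inventory.items()}


# Constructed inventory: host -> release string as an admin might have recorded it.
SAMPLE_INVENTORY = {
    "pam-core-01": "s-9.0.0.4",
    "pam-core-02": "Server s-9.0.0.5",
    "pam-dr-01": "8.1.0.22",
    "pam-dr-02": "s-8.1.0.23",
    "pam-lab-01": "s-7.2.1.4",  # constructed older-line string, not named in the article
}

if __name__ == "__main__":
    for host, result in fleet_report(SAMPLE_INVENTORY).items():
        print(f"{host:12} {result['status']:17} {result['action']}")
```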

The top priority is to update the server to s-9.0.0.5 or s-8.1.0.23 or later. As an interim measure until you update, it also helps to narrow, at the network level, what can connect to the autoregistration service so it is reachable only from a trusted management segment. This service exists for internal server registration; it does not need to be exposed to broad networks or the outside.

It is also worth checking whether it was already abused before you update. Look for unexpected connections to the autoregistration service, processes or accounts running on the central server that you do not recognize, and suspicious changes in the history of privilege grants. For the exact scope and remediation steps, follow Fortra's security advisory (FI-2026-007).
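The checks suggested above, run over connection records for the autoregistration service, as an added example written for this article and not a BoKS or Fortra artefact. It flags requests from outside the trusted management segment, registration fields carrying shell metacharacters, and bursts of requests from one source. The line format, the trusted segment 10.20.5.0/24, the burst threshold and every log line are constructed for the demo; the real boks_autoregisterd log format is not given on this page, so LINE_RE is the part to adapt.

```python
"""
Added example for this article, not a Fortra or BoKS artefact: run three
compromise checks over connection records for the autoregistration service.
The log format, the trusted management segment, the burst threshold and every
line in SAMPLE_LOG are constructed for the demo.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter

# Assumption: registrations are only ever expected from this management segment.
TRUSTED_SEGMENTS = [ipaddress.ip_network("10.20.5.0/24")]

# Assumption: this many requests from one source in the window is worth a look.
BURST_THRESHOLD = 3

# Constructed line shape; not the real boks_autoregisterd log format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<server>\S+) "
    r"boks_autoregisterd\[\d+\]: request from (?P<src>[\d.]+) host=(?P<host>.*)$"
)

# Characters that have no place in a host name but every place in a shell line.
SHELL_META = re.compile(r"[;&|`$()<>{}\\\n]")


def parse_line(line: str) -> dict[str, str] | None:
    """Return the fields of one autoregistration record, or None for other lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_SEGMENTS)


def analyse(lines: list[str]) -> list[dict[str, str]]:
    """One finding per (reason, record). Reasons: untrusted-source,
    shell-metacharacters (per record) and burst (per source)."""
    records = [r for r in (parse_line(line) for line in lines) if r]
    per_source = Counter(r["src"] for r in records)
    findings: list[dict[str, str]] = []
    for r in records:
        if not is_trusted(r["src"]):
            findings.append({"reason": "untrusted-source", **r})
        if SHELL_META.search(r["host"]):
            findings.append({"reason": "shell-metacharacters", **r})
    for src, n in per_source.items():
        if n >= BURST_THRESHOLD:
            findings.append({"reason": "burst", "src": src, "count": str(n)})
    return findings


# Constructed sample: two normal registrations, then one source on a
# workstation VLAN hammering the service with a shell payload in the host field.
SAMPLE_LOG = [
    "Jun 16 02:13:44 pam-core-01 boks_autoregisterd[4120]: request from 10.20.5.7 host=db-07.corp.example",
    "Jun 16 02:14:02 pam-core-01 boks_autoregisterd[4120]: request from 10.20.5.9 host=app-12.corp.example",
    "Jun 16 03:41:10 pam-core-01 boks_autoregisterd[4120]: request from 10.44.8.21 host=web-01.corp.example",
    "Jun 16 03:41:11 pam-core-01 boks_autoregisterd[4120]: request from 10.44.8.21 host=x;/bin/sh -c id",
    "Jun 16 03:41:12 pam-core-01 boks_autoregisterd[4120]: request from 10.44.8.21 host=x;/bin/sh -c id",
    "Jun 16 04:00:00 pam-core-01 sshd[5000]: Accepted publickey for boksadm from 10.20.5.7",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["reason"], f["src"], f.get("host", f.get("count")))
```

Treat a hit on any of the three as a reason to pull the full record set for that source and review the privilege-grant history on the central server from that time onward, since a successful injection would have run with the service's privileges there.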

The pattern of "protective software" being targeted

Cases where a product introduced for safety becomes the entry point for intrusion keep recurring. On this site we have covered the "gatekeeper" Ivanti Sentry being taken over without authentication (CVE-2026-10520 and others), a Check Point VPN authentication bypass abused by a ransomware crew (CVE-2026-50751), and the Oracle PeopleSoft emergency flaw that lets a server be taken over with no login (CVE-2026-35273).

Vendor Fortra has been here before: a pre-authentication command injection in its file transfer product GoAnywhere MFT (CVE-2023-0669) was mass-exploited by the ransomware group Clop, hitting more than 130 organizations. Today's CVE-2026-9862 is the same "mishandled command" type, and it requires no authentication. The more valuable a flaw is to attackers, the shorter the window tends to be before exploitation begins after disclosure.

Exploitation status, and what to keep an eye on

As of June 15, 2026, there are no reports of CVE-2026-9862 being used in real attacks, and it is not listed in the U.S. government's CISA KEV catalog of actively exploited vulnerabilities. You can track the latest status of exploited flaws in one place on our CISA KEV dashboard (Japanese).

That said, this is a privileged-access-management target — where the payoff for an attacker is enormous — and the flaw is exploitable without a login. Its appeal to attackers stands out, so "not attacked yet" does not mean "no rush to respond." With the fixed releases out, getting the update applied and checking for signs of compromise now is the most reliable defense.
