Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Injection reaches the Master over the network with no Master credentials (PR:N) but needs an operator-initiated upgrade (UI:R); total compromise of the Master gives C:H/I:H/A:H, same host so S:U.
Primary rating from Vendor (Fortra).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
Fortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch tooling for legacy tar-based client installations. A malicious or compromised legacy tar-installed client selected for upgrade or patching may be able to cause commands to be executed on the BoKS Master during client version handling.
AnalysisAI
OS command injection in Fortra BoKS Manager (Core Privileged Access Manager) lets a malicious or already-compromised legacy tar-installed client execute arbitrary commands on the central BoKS Master when that client is selected for upgrade or patching. The flaw sits in the client version-handling logic of the legacy tar-based upgrade/patch tooling, turning a single rogue managed endpoint into a foothold on the security control plane. It is not in CISA KEV and no public exploit is identified at time of analysis; EPSS is low at 0.57% (43rd percentile), and CISA SSVC records exploitation as 'none' though technical impact as 'total'.
Technical ContextAI
BoKS Manager is Fortra's centralized privileged access management (PAM) and access-control platform built around a BoKS Master server that governs a domain of enrolled client hosts. This vulnerability is CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning attacker-influenced data (a client's reported version string during the tar-based upgrade/patch workflow) is passed into a shell context on the Master without adequate sanitization. Only the legacy tar-based client installation and upgrade/patch tooling is implicated - modern package-based client handling is not referenced. The single CPE, cpe:2.3:a:fortra:core_privileged_access_manager_(boks), confirms the affected component is the BoKS/Core PAM server-side tooling.
RemediationAI
Consult and apply the fixes in Fortra advisory FI-2026-008 (https://www.fortra.com/security/advisories/product-security/fi-2026-008); the affected ranges end at boks-server 9.0.0.4 and 8.1.0.22, so upgrade to the next Fortra-released fixed build above those on the respective branch - Patch available per vendor advisory, but an exact fixed version number is not stated in the provided data, so confirm the target release directly from FI-2026-008. As a compensating control until patched, avoid initiating upgrade or patch operations on legacy tar-installed clients from the Master, and migrate legacy tar-based clients to the supported package-based client format to remove the vulnerable code path entirely (trade-off: migration requires per-host effort and change windows). Additionally, tighten trust in enrolled clients - audit and remove unknown or unmanaged tar-installed clients and restrict which operators can trigger client upgrades - recognizing this reduces but does not eliminate exposure if a trusted client is compromised.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36731
GHSA-cvv9-gwh6-485x