Skip to main content

Fortra BoKS Manager EUVDEUVD-2026-36731

| CVE-2026-9863 HIGH
OS Command Injection (CWE-78)
2026-06-15 Fortra GHSA-cvv9-gwh6-485x
8.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Fortra) PRIMARY
HIGH
qualitative
NVD
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Injection reaches the Master over the network with no Master credentials (PR:N) but needs an operator-initiated upgrade (UI:R); total compromise of the Master gives C:H/I:H/A:H, same host so S:U.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Fortra).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Updated
Jul 09, 2026 - 16:59 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 09, 2026 - 16:59 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 09, 2026 - 16:52 vuln.today
cvss_changed
CVSS changed
Jul 09, 2026 - 16:52 NVD
7.5 (HIGH) 8.8 (HIGH)
Analysis Generated
Jun 15, 2026 - 16:32 vuln.today

DescriptionNVD

Fortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch tooling for legacy tar-based client installations. A malicious or compromised legacy tar-installed client selected for upgrade or patching may be able to cause commands to be executed on the BoKS Master during client version handling.

AnalysisAI

OS command injection in Fortra BoKS Manager (Core Privileged Access Manager) lets a malicious or already-compromised legacy tar-installed client execute arbitrary commands on the central BoKS Master when that client is selected for upgrade or patching. The flaw sits in the client version-handling logic of the legacy tar-based upgrade/patch tooling, turning a single rogue managed endpoint into a foothold on the security control plane. It is not in CISA KEV and no public exploit is identified at time of analysis; EPSS is low at 0.57% (43rd percentile), and CISA SSVC records exploitation as 'none' though technical impact as 'total'.

Technical ContextAI

BoKS Manager is Fortra's centralized privileged access management (PAM) and access-control platform built around a BoKS Master server that governs a domain of enrolled client hosts. This vulnerability is CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning attacker-influenced data (a client's reported version string during the tar-based upgrade/patch workflow) is passed into a shell context on the Master without adequate sanitization. Only the legacy tar-based client installation and upgrade/patch tooling is implicated - modern package-based client handling is not referenced. The single CPE, cpe:2.3:a:fortra:core_privileged_access_manager_(boks), confirms the affected component is the BoKS/Core PAM server-side tooling.

RemediationAI

Consult and apply the fixes in Fortra advisory FI-2026-008 (https://www.fortra.com/security/advisories/product-security/fi-2026-008); the affected ranges end at boks-server 9.0.0.4 and 8.1.0.22, so upgrade to the next Fortra-released fixed build above those on the respective branch - Patch available per vendor advisory, but an exact fixed version number is not stated in the provided data, so confirm the target release directly from FI-2026-008. As a compensating control until patched, avoid initiating upgrade or patch operations on legacy tar-installed clients from the Master, and migrate legacy tar-based clients to the supported package-based client format to remove the vulnerable code path entirely (trade-off: migration requires per-host effort and change windows). Additionally, tighten trust in enrolled clients - audit and remove unknown or unmanaged tar-installed clients and restrict which operators can trigger client upgrades - recognizing this reduces but does not eliminate exposure if a trusted client is compromised.

Share

EUVD-2026-36731 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy