PROBABLYPWNED
Vulnerabilities | June 26, 2026 | 4 min read

Fortra PAM Flaw Lets Attackers Run Commands Without Auth

CVE-2026-9862 (CVSS 9.8) in Fortra Core Privileged Access Manager (BoKS) enables unauthenticated command injection via the autoregistration service. Restrict port 6507 access immediately.

Marcus Chen

Fortra has disclosed a critical command injection vulnerability in its Core Privileged Access Manager (BoKS) platform that allows unauthenticated attackers to execute arbitrary commands with elevated privileges. The flaw, tracked as CVE-2026-9862, scores 9.8 on the CVSS scale—just short of the maximum severity rating.

The vulnerability affects the autoregistration daemon, which listens on TCP port 6507 by default.

Technical Details

BoKS provides centralized access control and privilege management for Unix and Linux environments. The boks_autoregisterd service handles automatic registration of new hosts into the BoKS security domain.

The problem lies in how the service processes incoming requests. According to Fortra's security advisory, user-supplied input isn't properly sanitized before being passed to shell commands. An attacker can inject OS commands through specially crafted registration requests.

The vulnerability is classified under CWE-78: Improper Neutralization of Special Elements used in an OS Command. Put simply, the daemon concatenates attacker-controlled data into shell commands without escaping metacharacters.

Because the autoregistration service runs with elevated privileges to perform system configuration, successful exploitation grants attackers the same level of access—typically root.
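To make the CWE-78 pattern concrete, here is a hypothetical registration handler written for this article (not Fortra or BoKS code; the tool path and flags are placeholders) that shows the fix shape: validate the hostname and address against a strict allowlist and pass them as separate argv entries instead of building a shell string.

```python
import re
import subprocess

# Hypothetical handler added to illustrate the CWE-78 fix pattern; not BoKS
# code. The tool path and its flags are placeholders, not real BoKS values.
REGISTER_TOOL = "/path/to/register_host"

# Strict allowlist for a DNS hostname: labels of letters, digits and hyphens
# joined by dots, at most 253 characters. Shell metacharacters can never match.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*$")
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


class RegistrationError(ValueError):
    """Raised when a registration request fails validation."""


def validate_request(hostname: str, address: str) -> None:
    """Reject anything that is not a plain hostname and dotted-quad address."""
    if not HOSTNAME_RE.match(hostname):
        raise RegistrationError(f"invalid hostname: {hostname!r}")
    if not IPV4_RE.match(address):
        raise RegistrationError(f"invalid address: {address!r}")


def is_valid_request(hostname: str, address: str) -> bool:
    """Boolean form of validate_request, handy for tests and pre-checks."""
    try:
        validate_request(hostname, address)
        return True
    except RegistrationError:
        return False


def build_register_argv(hostname: str, address: str) -> list[str]:
    """Validate, then return argv for the tool; never a shell command string.

    The vulnerable shape this replaces is concatenation such as
    os.system("register_host --host " + hostname), where ';' or '$(' in
    hostname starts a second command. As argv entries they are data only.
    """
    validate_request(hostname, address)
    return [REGISTER_TOOL, "--host", hostname, "--addr", address]


def register_host(hostname: str, address: str) -> int:
    """Run the tool without a shell (subprocess defaults to shell=False)."""
    return subprocess.run(build_register_argv(hostname, address), check=False).returncode
```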

Discovery and Disclosure Timeline

  • May 27, 2026: Vulnerability discovered
  • June 15, 2026: Public disclosure

That's a quick turnaround, suggesting Fortra moved rapidly to release a patch. Organizations running BoKS should verify they're on a fixed version.

Exploitation Requirements

The attack is straightforward for anyone with network access to port 6507:

  • No authentication required: The autoregistration service accepts requests without credentials
  • Network-accessible: Many deployments expose the service internally, and some may have it reachable from broader networks
  • Simple payload delivery: Standard shell metacharacters enable command injection

This combination makes the vulnerability attractive to attackers. Unlike flaws requiring authentication or complex exploitation chains, CVE-2026-9862 can be exploited with basic network access and a crafted request.

Who's Affected

BoKS deployments are common in enterprise environments with significant Unix/Linux infrastructure:

  • Financial services firms managing trading platforms and back-office systems
  • Technology companies with large server fleets
  • Government agencies running Unix-based applications
  • Healthcare organizations with legacy systems

Privileged access management tools occupy a sensitive position in enterprise security architectures. They control who can access what with elevated permissions. Compromising the PAM system potentially grants attackers the keys to everything the PAM protects.

This pattern mirrors vulnerabilities in other security infrastructure, like the Splunk Enterprise flaw currently under active exploitation. Attackers increasingly target security tools because compromising them provides both access and cover.

Immediate Mitigations

Restrict network access

The most important immediate step: ensure only trusted hosts can reach TCP port 6507. Use firewall rules to limit connectivity to the autoregistration service.

In many environments, only the BoKS Master server and authorized agent hosts need to communicate with this service. Everything else should be blocked.

Disable autoregistration if not in use

Organizations that don't use automatic host registration can disable the boks_autoregisterd service entirely. Modify the boksinit configuration file on the BoKS Master system to prevent the daemon from starting.

Apply the patch

Fortra has released updated versions that sanitize input to the vulnerable service. Check the Fortra security portal for specific version numbers and upgrade guidance.

Detection Guidance

Monitor for:

  • Unexpected connections to port 6507 from unauthorized sources
  • Unusual process execution on the BoKS Master server
  • Shell metacharacters in autoregistration logs (semicolons, pipes, backticks, and the $( command-substitution sequence)
  • New accounts or permission changes that weren't initiated through normal procedures

Organizations running SIEM platforms should create alerts for anomalous activity involving the boks_autoregisterd process. The defense-in-depth approach that protects against most attacks applies equally to security infrastructure.
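As an added illustration of the first and third monitoring points above (not code from Fortra or the article's author), the following script flags port 6507 connections from sources outside an allowlist and registration log lines containing shell metacharacters. The log format is constructed for the example; BoKS's real autoregistration log layout is not given here, so the regexes are assumptions to adapt.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log for illustration; the line layout is an assumption,
# not the real boks_autoregisterd log format.
SAMPLE_LOG = """\
2026-06-20T10:01:02Z boks_autoregisterd: connection from 10.0.5.10:51234 to port 6507
2026-06-20T10:01:02Z boks_autoregisterd: register host=web01.corp.example addr=10.0.5.10
2026-06-20T10:07:44Z boks_autoregisterd: connection from 203.0.113.7:40001 to port 6507
2026-06-20T10:07:44Z boks_autoregisterd: register host=web02.corp.example;true addr=203.0.113.7
2026-06-20T10:09:00Z boks_autoregisterd: connection from 10.0.5.11:51300 to port 6507
2026-06-20T10:09:00Z boks_autoregisterd: register host=db02.corp.example addr=10.0.5.11
"""

CONNECTION_RE = re.compile(r"connection from (?P<src>[\d.]+):\d+ to port (?P<port>\d+)")
REGISTER_RE = re.compile(r": register (?P<fields>.*)$")
# Metacharacters named in the detection guidance: ; | ` and $(
METACHAR_RE = re.compile(r"[;|`]|\$\(")
AUTOREG_PORT = 6507


def unauthorized_connections(log: str, allowed_cidrs: list[str]) -> list[str]:
    """Source IPs that reached port 6507 from outside the allowlist.

    allowed_cidrs should cover only the BoKS Master and authorized agents.
    """
    allowed = [ip_network(c) for c in allowed_cidrs]
    hits = []
    for line in log.splitlines():
        m = CONNECTION_RE.search(line)
        if not m or int(m.group("port")) != AUTOREG_PORT:
            continue
        src = ip_address(m.group("src"))
        if not any(src in net for net in allowed):
            hits.append(str(src))
    return hits


def suspicious_registrations(log: str) -> list[str]:
    """Registration log lines whose request fields contain shell metacharacters."""
    return [
        line for line in log.splitlines()
        if (m := REGISTER_RE.search(line)) and METACHAR_RE.search(m.group("fields"))
    ]


if __name__ == "__main__":
    for ip in unauthorized_connections(SAMPLE_LOG, ["10.0.5.0/24"]):
        print("ALERT: port 6507 reached from unauthorized source", ip)
    for line in suspicious_registrations(SAMPLE_LOG):
        print("ALERT: shell metacharacters in registration request:", line)
```

In a SIEM the same two conditions map directly to a network-allowlist rule on destination port 6507 and a regex rule on the registration request fields.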

Why PAM Vulnerabilities Matter

Privileged Access Manager platforms exist specifically to control and audit access to sensitive systems. When the PAM itself is vulnerable:

  • Attackers bypass the access controls entirely
  • Audit trails may be manipulated or deleted
  • Every system the PAM manages becomes potentially compromised
  • Recovery requires auditing all access that occurred during the exposure window

The Fortinet credential leak earlier this month demonstrated how quickly attackers exploit security infrastructure vulnerabilities. PAM systems deserve the same urgent attention as perimeter devices when critical flaws emerge.

Organizations running Fortra BoKS should treat CVE-2026-9862 as an immediate priority. The combination of unauthenticated access, trivial exploitation, and root-level impact leaves no room for delayed patching.
