CVE-2026-9863 (GCVE-0-2026-9863)
Vulnerability from cvelistv5 – Published: 2026-06-15 15:17 – Updated: 2026-06-15 16:08
Title
Core Privileged Access Manager (BoKS) upgrade tooling command injection vulnerability
Summary
Fortra BoKS Manager contains an OS command injection vulnerability (CWE-78) in the client upgrade and patch tooling (the `boks_upgrade upgrade` and `boks_upgrade patch` operations) for legacy tar-based client installations. When an administrator runs one of these operations from the BoKS Master against a legacy tar-installed client, version information handled for that client can be used by a malicious or compromised client to cause OS commands to be executed on the Master. The trust boundary crossed is client → Master: a single compromised managed host can escalate to the central component from which client upgrades are driven, with high confidentiality, integrity and availability impact on the Master. Exploitation requires that an administrator initiate an upgrade or patch against the attacker-controlled client (reflected in the vector's UI:R and AC:H), which is why the interim workaround is to run these operations only against trusted clients until fixed builds are deployed.
Severity
7.5 (High) — CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H (vendor-supplied score; no CISA/NVD primary score at time of publication, NVD status "Awaiting Analysis")
SSVC
Exploitation: none (no evidence of active exploitation or a public proof of concept as of the CISA SSVC assessment on 2026-06-15; re-check before deprioritising)
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner: Fortra (CNA)
References
1 reference
| URL | Tags |
|---|---|
| https://www.fortra.com/security/advisories/product-security/fi-2026-008 | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Fortra | Core Privileged Access Manager (BoKS) | Affected: boks-server 8.1.0.0 through 8.1.0.22 inclusive; boks-server 9.0.0.0 through 9.0.0.4 inclusive (custom version type). Affected modules: boks_upgrade_upgrade, boks_upgrade_patch. Versions not listed are recorded as unaffected by the vendor. | Fixed in boks-server 8.1.0.23 and 9.0.0.5 |
Credits: Fortra internal security assessment (finder; discovery recorded as INTERNAL)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9863",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T16:08:50.051689Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T16:08:58.885Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"boks_upgrade_upgrade",
"boks_upgrade_patch"
],
"product": "Core Privileged Access Manager (BoKS)",
"vendor": "Fortra",
"versions": [
{
"lessThanOrEqual": "boks-server 8.1.0.22",
"status": "affected",
"version": "boks-server 8.1.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "boks-server 9.0.0.4",
"status": "affected",
"version": "boks-server 9.0.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fortra internal security assessment"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eFortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch tooling for legacy tar-based client installations. A malicious or compromised legacy tar-installed client selected for upgrade or patching may be able to cause commands to be executed on the BoKS Master during client version handling.\u003c/p\u003e"
}
],
"value": "Fortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch tooling for legacy tar-based client installations. A malicious or compromised legacy tar-installed client selected for upgrade or patching may be able to cause commands to be executed on the BoKS Master during client version handling."
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T15:18:31.697Z",
"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
"shortName": "Fortra"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.fortra.com/security/advisories/product-security/fi-2026-008"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpgrade to boks-server 8.1.0.23 or 9.0.0.5.\u003c/p\u003e"
}
],
"value": "Upgrade to boks-server 8.1.0.23 or 9.0.0.5."
}
],
"source": {
"discovery": "INTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2026-06-01T00:00:00.000Z",
"value": "Issue validated and fixes prepared for BOKS-900 and BOKS81-hotfix branches."
}
],
"title": "Core Privileged Access Manager (BoKS) upgrade tooling command injection vulnerability",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUntil fixed builds are deployed, only run BoKS client upgrade or patch operations for legacy tar-based client installations against trusted clients. Avoid running boks_upgrade upgrade or patch operations for legacy tar-installed clients that may be compromised or controlled by an untrusted party.\u003c/p\u003e"
}
],
"value": "Until fixed builds are deployed, only run BoKS client upgrade or patch operations for legacy tar-based client installations against trusted clients. Avoid running boks_upgrade upgrade or patch operations for legacy tar-installed clients that may be compromised or controlled by an untrusted party."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
"assignerShortName": "Fortra",
"cveId": "CVE-2026-9863",
"datePublished": "2026-06-15T15:17:19.607Z",
"dateReserved": "2026-05-28T16:37:53.223Z",
"dateUpdated": "2026-06-15T16:08:58.885Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-9863\",\"sourceIdentifier\":\"df4dee71-de3a-4139-9588-11b62fe6c0ff\",\"published\":\"2026-06-15T16:16:35.507\",\"lastModified\":\"2026-06-15T21:01:58.873\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Fortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch tooling for legacy tar-based client installations. A malicious or compromised legacy tar-installed client selected for upgrade or patching may be able to cause commands to be executed on the BoKS Master during client version handling.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"df4dee71-de3a-4139-9588-11b62fe6c0ff\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"df4dee71-de3a-4139-9588-11b62fe6c0ff\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"references\":[{\"url\":\"https://www.fortra.com/security/advisories/product-security/fi-2026-008\",\"source\":\"df4dee71-de3a-4139-9588-11b62fe6c0ff\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-9863\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-15T16:08:50.051689Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-15T16:08:54.811Z\"}}], \"cna\": {\"title\": \"Core Privileged Access Manager (BoKS) upgrade tooling command injection vulnerability\", \"source\": {\"discovery\": \"INTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Fortra internal security assessment\"}], \"impacts\": [{\"capecId\": \"CAPEC-248\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-248 Command Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Fortra\", \"modules\": [\"boks_upgrade_upgrade\", \"boks_upgrade_patch\"], \"product\": \"Core Privileged Access Manager (BoKS)\", \"versions\": [{\"status\": \"affected\", \"version\": \"boks-server 8.1.0.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"boks-server 8.1.0.22\"}, {\"status\": \"affected\", \"version\": \"boks-server 9.0.0.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"boks-server 9.0.0.4\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": 
\"2026-06-01T00:00:00.000Z\", \"value\": \"Issue validated and fixes prepared for BOKS-900 and BOKS81-hotfix branches.\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade to boks-server 8.1.0.23 or 9.0.0.5.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eUpgrade to boks-server 8.1.0.23 or 9.0.0.5.\u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.fortra.com/security/advisories/product-security/fi-2026-008\", \"tags\": [\"vendor-advisory\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Until fixed builds are deployed, only run BoKS client upgrade or patch operations for legacy tar-based client installations against trusted clients. Avoid running boks_upgrade upgrade or patch operations for legacy tar-installed clients that may be compromised or controlled by an untrusted party.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eUntil fixed builds are deployed, only run BoKS client upgrade or patch operations for legacy tar-based client installations against trusted clients. Avoid running boks_upgrade upgrade or patch operations for legacy tar-installed clients that may be compromised or controlled by an untrusted party.\u003c/p\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.2\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Fortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch tooling for legacy tar-based client installations. A malicious or compromised legacy tar-installed client selected for upgrade or patching may be able to cause commands to be executed on the BoKS Master during client version handling.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eFortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch tooling for legacy tar-based client installations. 
A malicious or compromised legacy tar-installed client selected for upgrade or patching may be able to cause commands to be executed on the BoKS Master during client version handling.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"df4dee71-de3a-4139-9588-11b62fe6c0ff\", \"shortName\": \"Fortra\", \"dateUpdated\": \"2026-06-15T15:18:31.697Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-9863\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-15T16:08:58.885Z\", \"dateReserved\": \"2026-05-28T16:37:53.223Z\", \"assignerOrgId\": \"df4dee71-de3a-4139-9588-11b62fe6c0ff\", \"datePublished\": \"2026-06-15T15:17:19.607Z\", \"assignerShortName\": \"Fortra\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}