OS Command Injection in Fortra Core Privileged Access Manager (BoKS) boks_autoregisterd

Successful exploitation allows a remote unauthenticated attacker with network access to the boks_autoregisterd service to execute arbitrary OS commands with the privileges of that service. Based on the provided CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability can have high impact on confidentiality, integrity, and availability, including system compromise within the service's privilege boundary, unauthorized data access or modification, and service disruption.

Until fixed builds are deployed, restrict network access to boks_autoregisterd, which listens on port 6507 by default, to only strictly necessary trusted hosts or networks. As a workaround for both boks-server 8.1 and 9.0, disable the service in the boksinit configuration. On the BoKS Master, edit $BOKS_var/internal/boksinit/master and comment out the line autoregisterd:300:1:0:respawn::$BOKS_lib/boks_autoregisterd -xn by prefixing it with #; then force boks_init to reread the file, for example with kill -HUP $(cat $BOKS_var/run/boks_init), or restart BoKS. This stops boks_autoregisterd and prevents it from being respawned, though autoregistration remains unavailable until the configuration entry is restored.

Apply the vendor-provided fixed builds referenced by Fortra advisory FI-2026-007 as soon as they are available and appropriate for the deployed BoKS version. Validate that the vulnerable boks_autoregisterd component is updated across affected systems and confirm the service is no longer exposed in a vulnerable state after patching.