Impact
The vulnerability is a command injection flaw in the client upgrade and patch tooling for legacy tar‑based installations of Fortra Core Privileged Access Manager (BoKS). An attacker who can influence the client selected for upgrade or patching may inject arbitrary operating‑system commands that execute on the BoKS Master during client version handling, enabling remote code execution. This weakness is reflected in CWE‑78.
Affected Systems
The affected product is Fortra Core Privileged Access Manager (BoKS) with legacy tar‑based client installations. All releases before the fixed versions boks‑server 8.1.0.23 and 9.0.0.5 are vulnerable, irrespective of the underlying operating system.
Risk and Exploitability
The CVSS score of 7.5 signals high severity, while the EPSS score of less than 1 % indicates a low but non‑zero exploitation probability. Because the flaw can be triggered by selecting a compromised client for upgrade, it can be abused remotely by an adversary with network access to the BoKS Master. The vulnerability is not listed in CISA’s KEV catalog, suggesting no known widespread use at the time of this advisory.
OpenCVE Enrichment