2 vulnerabilities found for Core Privileged Access Manager (BoKS) by Fortra
CVE-2025-13532 (GCVE-0-2025-13532)
Vulnerability from cvelistv5
Published
2025-12-16 20:01
Modified
2025-12-16 20:23
CWE
- CWE-916 - Use of Password Hash With Insufficient Computational Effort
Summary
Insecure defaults in the Server Agent component of Fortra's Core Privileged Access Manager (BoKS) can result in the selection of weak password hash algorithms. This issue affects BoKS Server Agent 9.0 instances that support yescrypt and are running in a BoKS 8.1 domain.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Fortra | Core Privileged Access Manager (BoKS) | This issue affects BoKS Server Agent 9.0 instances that support yescrypt and are running in a BoKS 8.1 domain. The affected platforms are: Debian 11, 12, 13, RedHat 9, 10 and Ubuntu 24. |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13532",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T20:18:38.616690Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T20:23:51.768Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "Core Privileged Access Manager (BoKS)",
"vendor": "Fortra",
"versions": [
{
"status": "affected",
"version": "This issue affects BoKS Server Agent 9.0 instances that support yescrypt and are running in a BoKS 8.1 domain. The affected platforms are: Debian 11, 12, 13, RedHat 9, 10 and Ubuntu 24."
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insecure defaults in the Server Agent component of Fortra\u0027s Core Privileged Access Manager (BoKS) can result in the selection of weak password hash algorithms. \u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis issue a\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003effects BoKS Server Agent 9.0 instances that support yescrypt and are running in a BoKS 8.1 domain.\u003c/span\u003e"
}
],
"value": "Insecure defaults in the Server Agent component of Fortra\u0027s Core Privileged Access Manager (BoKS) can result in the selection of weak password hash algorithms. \u00a0This issue affects BoKS Server Agent 9.0 instances that support yescrypt and are running in a BoKS 8.1 domain."
}
],
"impacts": [
{
"capecId": "CAPEC-112",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-112 Brute Force"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-916",
"description": "CWE-916 Use of Password Hash With Insufficient Computational Effort",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T20:01:02.743Z",
"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
"shortName": "Fortra"
},
"references": [
{
"url": "https://www.fortra.com/security/advisories/product-security/fi-2025-014"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to BoKS Server Agent 9.0.0.4.\n\n\u003cbr\u003e"
}
],
"value": "Upgrade to BoKS Server Agent 9.0.0.4."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Weak Password Hash in Core Privileged Access Manager (BoKS)",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Configure the OS to use SHA512 rather than yescrypt.\n\n\u003cbr\u003e"
}
],
"value": "Configure the OS to use SHA512 rather than yescrypt."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
"assignerShortName": "Fortra",
"cveId": "CVE-2025-13532",
"datePublished": "2025-12-16T20:01:02.743Z",
"dateReserved": "2025-11-21T21:04:44.245Z",
"dateUpdated": "2025-12-16T20:23:51.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5141 (GCVE-0-2025-5141)
Vulnerability from cvelistv5
Published
2025-06-17 19:30
Modified
2025-08-29 20:11
CWE
- CWE-524 - Use of Cache Containing Sensitive Information
Summary
A binary in the BoKS Server Agent component of Fortra's Core Privileged Access Manager (BoKS) on versions 7.2.0 (up to 7.2.0.17), 8.1.0 (up to 8.1.0.22), 8.1.1 (up to 8.1.1.7), 9.0.0 (up to 9.0.0.1) and also legacy tar installs of BoKS 7.2 without hotfix #0474 on Linux, AIX, and Solaris allows low privilege local users to dump data from the cache.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Fortra | Core Privileged Access Manager (BoKS) | 0 ≤ version ≤ 7.2.0.17; 0 ≤ version ≤ 8.1.0.22; 0 ≤ version ≤ 8.1.1.7; 0 ≤ version ≤ 9.0.0.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5141",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T19:50:23.706281Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T19:50:34.425Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux",
"AIX",
"Solaris"
],
"product": "Core Privileged Access Manager (BoKS)",
"vendor": "Fortra",
"versions": [
{
"lessThanOrEqual": "7.2.0.17",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.1.0.22",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.1.1.7",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.0.0.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Maciej Grabiec, ING Hubs Poland"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A binary in the BoKS Server Agent component of Fortra\u0027s Core Privileged Access Manager (BoKS) on versions 7.2.0 (up to 7.2.0.17), 8.1.0 (up to 8.1.0.22), 8.1.1 (up to 8.1.1.7), 9.0.0 (up to 9.0.0.1) and also legacy tar installs of BoKS 7.2 without hotfix #0474 on Linux, AIX, and Solaris allows low privilege local users to dump data from the cache."
}
],
"value": "A binary in the BoKS Server Agent component of Fortra\u0027s Core Privileged Access Manager (BoKS) on versions 7.2.0 (up to 7.2.0.17), 8.1.0 (up to 8.1.0.22), 8.1.1 (up to 8.1.1.7), 9.0.0 (up to 9.0.0.1) and also legacy tar installs of BoKS 7.2 without hotfix #0474 on Linux, AIX, and Solaris allows low privilege local users to dump data from the cache."
}
],
"impacts": [
{
"capecId": "CAPEC-204",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-204 Lifting Sensitive Data Embedded in Cache"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-524",
"description": "CWE-524: Use of Cache Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-29T20:11:13.423Z",
"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
"shortName": "Fortra"
},
"references": [
{
"url": "https://www.fortra.com/security/advisories/product-security/fi-2025-008"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to the latest patched version or hotfix"
}
],
"value": "Upgrade to the latest patched version or hotfix"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Core Privileged Access Manager (BoKS) Leakage of Sensitive Data via the Cache",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff",
"assignerShortName": "Fortra",
"cveId": "CVE-2025-5141",
"datePublished": "2025-06-17T19:30:51.781Z",
"dateReserved": "2025-05-23T21:18:11.239Z",
"dateUpdated": "2025-08-29T20:11:13.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}