CVE-2025-13532
📋 TL;DR
Insecure defaults in Fortra's Core Privileged Access Manager (BoKS) Server Agent can lead to the use of weak password hash algorithms, so an attacker who obtains the stored hashes can crack them with far less effort than a modern algorithm would require. This affects BoKS Server Agent 9.0 instances running in BoKS 8.1 domains that support yescrypt. Organizations running that combination are exposed to offline cracking of stored password hashes.
💻 Affected Systems
- Fortra Core Privileged Access Manager (BoKS) Server Agent
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could crack administrative passwords, gain privileged access to the BoKS system, and potentially compromise the entire privileged access management infrastructure.
Likely Case
Attackers with access to password hashes could perform offline cracking attacks against weaker algorithms, potentially compromising individual accounts.
If Mitigated
With long, high-entropy passwords and the agent configured to use the strongest hash algorithm the domain supports (yescrypt), cracking cost rises to the point where only well-resourced, targeted attacks remain plausible.
🎯 Exploit Status
Exploitation requires access to the stored password hashes; the algorithm does not need to be guessed, because crypt-style hashes identify it in their prefix (for example $y$ for yescrypt, $6$ for sha512crypt, $1$ for md5crypt). This is an offline cracking vulnerability rather than a direct remote exploit: the attacker first has to obtain the hash store, for example from a compromised host or an exposed backup.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Fortra advisory for specific patch version
Vendor Advisory: https://www.fortra.com/security/advisories/product-security/fi-2025-014
Restart Required: Yes
Instructions:
1. Review Fortra advisory FI-2025-014.
2. Apply the recommended patch from Fortra.
3. Restart BoKS Server Agent services.
4. Verify hash algorithms are configured to use strong standards.
🔧 Temporary Workarounds
Configure Strong Hash Algorithms
Manually configure BoKS to use strong password hash algorithms instead of the weak defaults
# Consult BoKS documentation for hash algorithm configuration commands specific to your version
🧯 If You Can't Patch
- Implement strict password policies requiring complex, long passwords to increase cracking difficulty
- Monitor for unauthorized access attempts and review authentication logs regularly
🔍 How to Verify
Check if Vulnerable:
Check the BoKS Server Agent version and domain configuration: the affected combination is Server Agent 9.0 in a BoKS 8.1 domain with yescrypt support. Also inspect the stored hashes themselves, since hashes written while the weak default was in effect remain weak until the password is changed.
Check Version:
# Use BoKS administrative commands or check installation logs for version information
Verify Fix Applied:
After patching, verify the configured password hash algorithms are using strong standards per BoKS documentation.
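As an added example for the "Check if Vulnerable" and "Verify Fix Applied" steps above (not code from the page or from Fortra), the audit below classifies crypt(3)-style password hashes by the algorithm identifier in their prefix and reports every account whose hash uses an algorithm outside an accepted set. It assumes the hash store can be exported as shadow-style `user:hash:...` lines, which is an assumption about BoKS, not a documented export format; the sample lines are constructed. Run it before patching to find weak hashes, and again after patching and forced password changes to confirm only yescrypt (or another accepted algorithm) remains.

```python
"""Audit shadow-style password hashes for weak crypt(3) algorithms.

Example code added to this page; not from Fortra or BoKS documentation.
Assumes hashes are in Modular Crypt Format (the $id$ prefix names the
algorithm) or traditional 13-character DES crypt.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Algorithm identifiers used by glibc/libxcrypt and common Unix crypt() variants.
_PREFIXES = {
    "$y$": "yescrypt",
    "$gy$": "gost-yescrypt",
    "$7$": "scrypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$6$": "sha512crypt",
    "$5$": "sha256crypt",
    "$1$": "md5crypt",
}
# Traditional DES crypt: exactly 13 characters from the crypt alphabet.
_DES_RE = re.compile(r"[./0-9A-Za-z]{13}")

# Algorithms we accept as strong enough; everything else is reported.
ACCEPTED = frozenset({"yescrypt", "gost-yescrypt", "scrypt", "bcrypt", "sha512crypt"})

# Constructed sample input (hash bodies are placeholders, not real hashes).
SAMPLE_SHADOW = """\
root:$y$j9T$6fGq8Z5kN1h2L3m4O5p6Q.$Wq3Vx8zPkLmN0oQrStUvWxYzAbCdEfGhIjKlMnOpQr1:19700:0:99999:7:::
svc_backup:$6$rounds=5000$Xq2mZ9Lp$7hJ8kL9mN0oP1qR2sT3uV4wX5yZ6aB7cD8eF9gH0iJ1kL2mN3oP4qR5sT6uV7wX8yZ9aB0cD1eF2gH3iJ:19700:0:99999:7:::
legacy1:$1$ab12cd34$9xY8zW7vU6tS5rQ4pO3nM1:19700:0:99999:7:::
olddes:abJnggxhB/yWI:19700:0:99999:7:::
nologin:!:19700:0:99999:7:::
"""


@dataclass(frozen=True)
class HashFinding:
    user: str
    algorithm: str
    locked: bool  # account locked with '!' but the hash is still stored


def classify_hash(field: str) -> str:
    """Name the algorithm encoded in one shadow hash field.

    A leading '!' only locks the account; the hash behind it is still on
    disk and still crackable, so it is classified like any other hash.
    Returns "none" for accounts with no password hash, "unknown" for
    formats this auditor does not recognise.
    """
    h = field.lstrip("!")
    if h in ("", "*", "*LK*", "x"):
        return "none"
    # Longest prefix first so "$gy$" is never mistaken for a shorter id.
    for prefix in sorted(_PREFIXES, key=len, reverse=True):
        if h.startswith(prefix):
            return _PREFIXES[prefix]
    if _DES_RE.fullmatch(h):
        return "traditional-DES"
    return "unknown"


def audit_shadow_lines(text: str, accepted: frozenset[str] = ACCEPTED) -> list[HashFinding]:
    """Return one finding per account whose hash algorithm is not accepted.

    Accounts without a stored hash are skipped; unrecognised formats are
    reported so they can be reviewed by hand rather than silently passed.
    """
    findings: list[HashFinding] = []
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) < 2:
            continue
        user, field = fields[0], fields[1]
        algo = classify_hash(field)
        if algo == "none" or algo in accepted:
            continue
        findings.append(HashFinding(user=user, algorithm=algo, locked=field.startswith("!")))
    return findings


def algorithm_counts(text: str) -> dict[str, int]:
    """Histogram of algorithms in use; after remediation, expect only accepted names and 'none'."""
    counts = Counter(
        classify_hash(line.split(":")[1])
        for line in text.splitlines()
        if line and not line.startswith("#") and ":" in line
    )
    return dict(counts)


if __name__ == "__main__":
    for f in audit_shadow_lines(SAMPLE_SHADOW):
        state = "locked" if f.locked else "active"
        print(f"WEAK  {f.user:<12} {f.algorithm} ({state})")
    print("algorithm counts:", algorithm_counts(SAMPLE_SHADOW))
```

To audit a real export, read the file and pass its contents to `audit_shadow_lines`; tighten `accepted` to `frozenset({"yescrypt"})` if the domain policy is that every hash must be yescrypt once the fix is in place.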
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts with unusual patterns
- Configuration changes to hash algorithms
Network Indicators:
- Unusual authentication traffic patterns to BoKS servers
SIEM Query:
Because the attack runs offline, the on-host signals are the hash store being read or copied (for example, backup or archive access) and, later, successful logins to BoKS-managed accounts from unusual sources. Correlate bursts of failed logins against BoKS-managed accounts and any configuration change touching the password hash algorithm setting with those events.