
CVE-2025-13532: CWE-916 Use of Password Hash With Insufficient Computational Effort in Fortra Core Privileged Access Manager (BoKS)

Severity: Medium
Published: Tue Dec 16 2025 (12/16/2025, 20:01:02 UTC)
Source: CVE Database V5
Vendor/Project: Fortra
Product: Core Privileged Access Manager (BoKS)

Description

CVE-2025-13532 is a medium-severity vulnerability in Fortra's Core Privileged Access Manager (BoKS) Server Agent 9.0 when operating in a BoKS 8.1 domain. The issue arises from insecure default configurations that allow weak password hash algorithms to be used, specifically in connection with yescrypt support on the affected Linux platforms. This weakness can lead to the compromise of password confidentiality without requiring authentication or user interaction. The vulnerability affects Debian 11-13, RedHat 9-10, and Ubuntu 24 systems running the vulnerable BoKS versions. Although no exploits are currently reported in the wild, the potential impact on confidentiality is significant. European organizations using these platforms and Fortra BoKS for privileged access management should prioritize patching and configuration reviews. Mitigations include enforcing stronger password hashing algorithms, auditing BoKS Server Agent configurations, and limiting exposure of affected systems. Countries with high adoption of these Linux distributions and critical infrastructure relying on Fortra PAM solutions are most at risk.

AI-Powered Analysis

AI analysis last updated: 12/23/2025, 21:01:29 UTC

Technical Analysis

CVE-2025-13532 is a vulnerability identified in Fortra's Core Privileged Access Manager (BoKS), specifically affecting the Server Agent component version 9.0 when deployed within a BoKS 8.1 domain. The root cause is insecure default settings that permit the selection of weak password hash algorithms, undermining the cryptographic strength of stored password hashes. The affected systems run on popular Linux distributions including Debian versions 11 through 13, RedHat versions 9 and 10, and Ubuntu 24. The vulnerability is classified under CWE-916, which relates to the use of password hashes with insufficient computational effort, making them susceptible to faster brute-force or dictionary attacks. The CVSS v3.1 base score is 6.2 (medium), reflecting that the attack vector is local (AV:L), requires low attack complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N). The impact is primarily on confidentiality (C:H), with no direct effect on integrity or availability. The presence of yescrypt support in the Server Agent is relevant because yescrypt is a password hashing algorithm designed to be computationally intensive; however, insecure defaults may cause fallback or selection of weaker algorithms. No patches or exploits are currently documented, but the risk remains due to the sensitive nature of privileged access management systems. Organizations using Fortra BoKS in these environments should be aware that weak password hashes can facilitate credential compromise, potentially leading to unauthorized access to critical systems.

Potential Impact

For European organizations, the compromise of password hashes in privileged access management systems like Fortra BoKS can have severe consequences. Confidentiality breaches could lead to unauthorized access to highly sensitive administrative accounts, enabling lateral movement, data exfiltration, or disruption of critical infrastructure. Since the vulnerability affects widely used Linux distributions common in enterprise environments, the attack surface is significant. The lack of required privileges or user interaction lowers the barrier for exploitation by insiders or attackers with local access. This risk is amplified in sectors such as finance, energy, telecommunications, and government, where privileged access management is crucial. The medium severity score indicates a moderate but non-negligible risk that must be addressed promptly to prevent escalation. Failure to mitigate could result in regulatory penalties under GDPR if personal data is exposed due to compromised credentials.

Mitigation Recommendations

To mitigate CVE-2025-13532, organizations should:

1) Review and update the configuration of Fortra BoKS Server Agent to enforce the use of strong, computationally intensive password hashing algorithms, avoiding insecure defaults.
2) Apply any available patches or updates from Fortra as soon as they are released.
3) Conduct a thorough audit of privileged account password hashes to identify weak hashes and rotate credentials accordingly.
4) Limit local access to BoKS Server Agent hosts to trusted personnel only, reducing the attack surface.
5) Implement monitoring and alerting for suspicious authentication or hash extraction activities.
6) Harden the underlying Linux systems (Debian, RedHat, Ubuntu) by following best practices for privilege separation and access control.
7) Engage with Fortra support to confirm whether additional security controls or configuration guidance are available.
8) Consider multi-factor authentication for privileged access to reduce reliance on password hashes alone.

These steps go beyond generic advice by focusing on configuration hardening, credential hygiene, and operational controls specific to the affected product and environment.
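The hash audit in step 3 can be scripted against shadow-format entries by classifying each hash's crypt(3) scheme prefix and, for the SHA-based schemes, its rounds= cost. The following is an added example, not Fortra's or BoKS's own tooling; it assumes standard libxcrypt prefixes ($y$ yescrypt, $6$/$5$ sha512/sha256crypt, $1$ md5crypt, prefix-less DES), a locally chosen rounds threshold, and uses constructed placeholder entries rather than real hashes.

```python
# Audit crypt(3)-style password hashes for weak schemes (CWE-916).
# Added example, not Fortra/BoKS code; sample entries below are constructed.
import re
# Assumption: yescrypt/bcrypt/scrypt are strong; sha512/sha256crypt are
# acceptable only with a high rounds= value; md5crypt and DES are weak.
STRONG = {"y": "yescrypt", "gy": "gost-yescrypt", "7": "scrypt", "2b": "bcrypt"}
ROUNDS_BASED = {"6": "sha512crypt", "5": "sha256crypt"}
MIN_SHA_ROUNDS = 100_000  # assumption: local policy threshold, not a standard

def classify_hash(h: str) -> tuple[str, str]:
    """Return (algorithm, verdict) for one shadow-style hash field."""
    if h in ("", "*") or h.startswith("!"):
        return ("none", "locked")  # account has no usable password
    m = re.match(r"^\$([^$]+)\$", h)
    if not m:
        return ("descrypt", "weak")  # traditional 13-char DES, no cost factor
    ident = m.group(1)
    if ident in STRONG:
        return (STRONG[ident], "ok")
    if ident in ROUNDS_BASED:
        r = re.match(r"^\$[56]\$rounds=(\d+)\$", h)
        rounds = int(r.group(1)) if r else 5000  # glibc default when omitted
        return (ROUNDS_BASED[ident], "ok" if rounds >= MIN_SHA_ROUNDS else "weak")
    if ident == "1":
        return ("md5crypt", "weak")
    return ("unknown:" + ident, "review")  # unrecognised scheme: inspect manually

def audit_shadow(lines):
    """Return [(user, algorithm, verdict)] for entries whose verdict is not 'ok'."""
    findings = []
    for line in lines:
        fields = line.split(":")
        if len(fields) < 2:
            continue  # skip blank or malformed lines
        algo, verdict = classify_hash(fields[1])
        if verdict != "ok":
            findings.append((fields[0], algo, verdict))
    return findings

SAMPLE = [  # constructed placeholders, not real credentials or salts
    "alice:$y$j9T$SALTSALTSALT$HASHPLACEHOLDER:19700:0:99999:7:::",
    "bob:$6$rounds=5000$SALTSALT$HASHPLACEHOLDER:19700:0:99999:7:::",
    "carol:$1$SALT$HASHPLACEHOLDER:19700:0:99999:7:::",
    "dave:ABCDEFGHIJKLM:19700:0:99999:7:::",
    "svc:!:19700:0:99999:7:::",
]

if __name__ == "__main__":
    for user, algo, verdict in audit_shadow(SAMPLE):
        print(f"{user}: {algo} -> {verdict}")
```

Any entry reported as "weak" is a candidate for rotation under a stronger scheme; "review" entries use a prefix the script does not know and should be checked by hand.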


Technical Details

Data Version: 5.2
Assigner Short Name: Fortra
Date Reserved: 2025-11-21T21:04:44.245Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6941bc63535cdcbc0ad63cbc

Added to database: 12/16/2025, 8:09:07 PM

Last enriched: 12/23/2025, 9:01:29 PM

Last updated: 2/7/2026, 7:41:39 AM
