CVE-2026-10520
published 2026-06-09
CVE-2026-10520: An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve…
Priority P1 · 97 · critical · 10 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability · due 2026-06-14
Exploited in the wild
EPSS: 3.28% (87.5th percentile)
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution
Detection & IOCs (extracted from sources)
command: message=execute+system+%2Fconfiguration%2Fsystem%2Fcommandexec+%3Ccommandexec%3E%3Cindex%3E1%3C%2Findex%3E%3Creqandres%3Eid%3C%2Freqandres%3E%3C%2Fcommandexec%3E
command: message=execute%20system%20%2fconfiguration%2fsystem%2fcommandexec%20%3ccommandexec%3e%3cindex%3e1%3c%2findex%3e%3creqandres%3eecho%20CVE-2026-10520%3c%2freqandres%3e%3c%2fcommandexec%3e
- Detect POST requests to the unauthenticated endpoint /mics/api/v2/sentry/mics-config/handleMessage — any such request from an external/unauthenticated source is suspicious and indicative of CVE-2026-10520 exploitation attempts.
- Look for the string 'execute system /configuration/system/commandexec' (URL-decoded) in POST body parameters named 'message' — this is the core exploit payload pattern.
- Alert on HTTP 200 responses from /mics/api/v2/sentry/mics-config/handleMessage containing both 'Message handled successfully' and command output in the body — the Nuclei template uses these as confirmation of successful exploitation.
- Use the Shodan query 'html:"Ivanti" html:"Sentry"' to identify internet-exposed Ivanti Sentry instances for proactive asset discovery and patch prioritization.
- Monitor for the XML payload pattern <commandexec><index>...</index><reqandres>...</reqandres></commandexec> in HTTP POST bodies to /mics/api/v2/sentry/mics-config/handleMessage, which is the structure used to inject OS commands.
- Shadowserver reported active backdooring of exposed Sentry instances within 24 hours of PoC release — treat any unpatched Sentry appliance reachable from the internet as likely compromised and perform forensic triage per CISA BOD 26-04 guidance.
- The vulnerability is only externally exploitable when the Sentry appliance is in an unmanaged state with its endpoints externally reachable. Deployments using mTLS with EPMM or restricted HTTPS access through Neurons for MDM are not accessible to external actors.
- Affected versions are Ivanti Sentry 10.7.0 and below, 10.6.1 and below, and 10.5.1 and below. Fixed versions are 10.7.1, 10.6.2, and 10.5.2.
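The request and response checks from the notes above, combined into one log-triage function. This is an added example, not code from any of the quoted sources; the event dictionary schema, the verdict names and the sentry.example host are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/mics/api/v2/sentry/mics-config/handleMessage"
PAYLOAD_MARKER = "execute system /configuration/system/commandexec"
SUCCESS_MARKER = "Message handled successfully"
# XML wrapper named on the page; group 1 is the <reqandres> text, kept for triage.
COMMANDEXEC_RE = re.compile(
    r"<commandexec>\s*<index>.*?</index>\s*<reqandres>(.*?)</reqandres>\s*</commandexec>",
    re.IGNORECASE | re.DOTALL)


def classify(event):
    """Return (verdict, reqandres_text) for one HTTP transaction dict with the
    keys method, url, body, status, response_body (a hypothetical schema)."""
    path = urlsplit(event["url"]).path.rstrip("/")
    if event["method"].upper() != "POST" or path.lower() != ENDPOINT.lower():
        return ("no-match", None)
    # parse_qs decodes '+', '%20' and upper/lower-case hex escapes alike, so
    # both encodings of the payload normalise to the same text before matching.
    for value in parse_qs(event.get("body", "")).get("message", []):
        text = " ".join(value.split())  # collapse runs of whitespace
        if PAYLOAD_MARKER in text.lower():
            found = COMMANDEXEC_RE.search(text)
            hit = (event.get("status") == 200
                   and SUCCESS_MARKER in event.get("response_body", ""))
            # Command output is not checked here: it depends on the command.
            return ("success-marker" if hit else "exploit-attempt",
                    found.group(1) if found else None)
    # Any POST to this endpoint from an untrusted source is still worth an alert.
    return ("endpoint-hit", None)


URL = "https://sentry.example" + ENDPOINT  # constructed host
# Constructed transactions; the two payload bodies are the IOC strings listed above.
SAMPLE_EVENTS = [
    {"method": "POST", "url": URL, "status": 200,
     "response_body": "Message handled successfully\nCVE-2026-10520",
     "body": "message=execute%20system%20%2fconfiguration%2fsystem%2fcommandexec%20%3ccommandexec%3e%3cindex%3e1%3c%2findex%3e%3creqandres%3eecho%20CVE-2026-10520%3c%2freqandres%3e%3c%2fcommandexec%3e"},
    {"method": "POST", "url": URL, "status": 403, "response_body": "",
     "body": "message=execute+system+%2Fconfiguration%2Fsystem%2Fcommandexec+%3Ccommandexec%3E%3Cindex%3E1%3C%2Findex%3E%3Creqandres%3Eid%3C%2Freqandres%3E%3C%2Fcommandexec%3E"},
    {"method": "POST", "url": URL, "status": 200, "response_body": "", "body": "message=hello"},
    {"method": "GET", "url": "https://sentry.example/", "status": 200, "response_body": "", "body": ""},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev))
```

Matching on the decoded `message` value rather than the raw body is what lets one rule cover both encodings of the payload.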
CVSS provenance
nvd · v3.1 · 10.0 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck · 10.0 CRITICAL
cisa · 10.0 CRITICAL
CISA
Ivanti Sentry OS Command Injection Vulnerability
cisa·2026-06-11·CVSS 10.0
CVE-2026-10520 [CRITICAL] CWE-78 Ivanti Sentry OS Command Injection Vulnerability
Vulnerability: Ivanti Sentry OS Command Injection Vulnerability
Affected: Ivanti Sentry
Ivanti Sentry (formerly known as MobileIron Sentry) contains an OS command injection vulnerability which could allow a remote unauthenticated user to achieve root-level remote code execution. This vulnerability can be successfully exploited in cases where the Sentry appliance is in an unmanaged state with its endpoints externally reachable. The use of mTLS with EPMM or restricted HTTPS access through Neurons for MDM makes interfaces inaccessible to external actors.
Required Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL
Ivanti
Ivanti Security Advisory: CVE-2026-10520
vendor_ivanti·2026-06-09·CVSS 10.0
CVE-2026-10520 [CRITICAL] CWE-78 Ivanti Security Advisory: CVE-2026-10520
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution
CVE IDs: CVE-2026-10520
CVSS Base Score: 10.0
Severity: CRITICAL
CWEs: CWE-78
GHSA
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution
ghsa_unreviewed·2026-06-09
CVE-2026-10520 [CRITICAL] CWE-78 An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution
VulnCheck
Ivanti Sentry Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2026·CVSS 10.0
CVE-2026-10520 [CRITICAL] Ivanti Sentry Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution
Affected: Ivanti Sentry
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://kevintel.com/CVE-2026-10520
Exploit PoC: https://vulncheck.com/xdb/2e22a55ed91f
No detection rules found.
Nuclei
Ivanti Sentry - OS Command Injection
nuclei·CVSS 10.0
CVE-2026-10520 [CRITICAL] Ivanti Sentry - OS Command Injection
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution
Template:
id: CVE-2026-10520

info:
  name: Ivanti Sentry - OS Command Injection
  author: DhiyaneshDk
  severity: critical
  description: |
    An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution
  impact: |
    Remote unauthenticated attackers can execute code as root, leading to full system compromise.
  remediation: |
    Upgrade to versions R10.5.2, R10.6.2, or R10.7.1 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-10520
    - https://github.c
Bleepingcomputer
Max severity Ivanti Sentry vulnerability now exploited in attacks
blogs_bleepingcomputer·2026-06-11·CVSS 10.0
CVE-2026-10520 [CRITICAL] Max severity Ivanti Sentry vulnerability now exploited in attacks
## Max severity Ivanti Sentry vulnerability now exploited in attacks
## Sergiu Gatlan
Attackers are now targeting a recently patched maximum-severity flaw in Ivanti Sentry, enabling them to execute code with root privileges on Internet-exposed secure mobile gateways.
Formerly known as MobileIron Sentry, the Ivanti Sentry security gateway appliance secures traffic between back-end corporate systems and remote mobile devices.
Tracked as CVE-2026-10520, the maximum-severity vulnerability stems from an OS command injection weakness and was patched by Ivanti on Tuesday with the release of Sentry versions R10.5.2, R10.6.2, and R10.7.1.
While the company said at the time that it had no evidence of in-the-wild exploitation, the Shadowserver nonprofit security organization reported the next d
Rapid7
CVE-2026-10520, CVE-2026-10523 - Multiple critical vulnerabilities affecting Ivanti Sentry
blogs_rapid7·2026-06-10·CVSS 9.8
CVE-2026-10520 [CRITICAL] CVE-2026-10520, CVE-2026-10523 - Multiple critical vulnerabilities affecting Ivanti Sentry
## Overview
On June 9, 2026, Ivanti published a security advisory for two critical vulnerabilities affecting Ivanti Sentry (formerly known as MobileIron Sentry), which per the vendor website is an “in-line gateway that manages, encrypts, and secures traffic between the mobile device and back-end enterprise systems”. The most severe issue, CVE-2026-10520, is an OS command injection vulnerability with a CVSS score of 10.0 that allows a remote unauthenticated attacker to achieve remote code execution (RCE) with root privileges. The second vulnerability, CVE-2026-10523, is an authentication bypass vulnerability with a CVSS score of 9.9 that allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access. Ivanti has stated that they
Hackernews
Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities
blogs_hackernews·2026-06-10·CVSS 10.0
CVE-2026-25089 [CRITICAL] Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities
## Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities
Fortinet, Ivanti, and SAP have released security updates to address multiple critical security vulnerabilities that could result in arbitrary code execution and information disclosure.
The security flaw patched by Fortinet relates to a command injection vulnerability in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI. It's tracked as CVE-2026-25089 (CVSS score: 9.1).
"An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI may allo
Bleepingcomputer
Ivanti: Max severity Sentry flaw allows code execution as root
blogs_bleepingcomputer·2026-06-10·CVSS 10.0
CVE-2026-10520 [CRITICAL] Ivanti: Max severity Sentry flaw allows code execution as root
## Ivanti: Max severity Sentry flaw allows code execution as root
## Sergiu Gatlan
Security software company Ivanti has released patches to address two critical vulnerabilities in its Sentry secure mobile gateway solution, including a maximum-severity flaw that enables remote attackers to execute code with root privileges.
Formerly known as MobileIron Sentry, Ivanti Sentry is a security gateway appliance that secures traffic between back-end corporate systems and remote mobile devices.
Tracked as CVE-2026-10520, the maximum-severity vulnerability stems from an OS command injection weakness. The second Sentry security flaw patched on Tuesday (tracked as CVE-2026-10523) is a critical authentication bypass that can be exploited remotely by unauthenticated attackers to create rogue admin
2026-06-09: Published
2026-06-11: Added to CISA KEV
Exploited in the wild