# CVE-2026-10523

Published 2026-06-09. CVE-2026-10523: An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to…

Priority: P1 90 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: EPSS 47.19% (98.7th percentile)
An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.

## Affected (3 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | standalone_sentry | < 10.5.2 | 10.5.2 |
| ivanti | standalone_sentry | — | — |
| ivanti | standalone_sentry | >= 10.6.0 < 10.6.2 | 10.6.2 |
## Detection & IOCs (extracted from sources)

Request-body indicators:

- `commandmessage=execute+system+%2Fconfiguration%2Fsystem%2Fcommandexec+%3Ccommandexec%3E%3Cindex%3E1%3C%2Findex%3E%3Creqandres%3Eid%3C%2Freqandres%3E%3C%2Fcommandexec%3E`
- `commandmessage=execute%20system%20%2fconfiguration%2fsystem%2fcommandexec%20%3ccommandexec%3e%3cindex%3e1%3c%2findex%3e%3creqandres%3eecho%20CVE-2026-10520%3c%2freqandres%3e%3c%2fcommandexec%3e`

- Detect unauthenticated POST requests to the vulnerable handleMessage endpoint; the request body contains the pattern 'execute system /configuration/system/commandexec' with an attacker-controlled XML payload in the 'message' parameter.
- Alert on HTTP 200 responses to POST /mics/api/v2/sentry/mics-config/handleMessage containing both 'Message handled successfully' and command output in the body, indicating successful exploitation.
- Exploitation is viable when the Sentry appliance is in an unmanaged state with its endpoints externally reachable; prioritize detection/blocking for internet-exposed Sentry instances not protected by mTLS with EPMM.
- Content-Type: application/x-www-form-urlencoded is used in the exploit POST request; combine it with the target path and an unauthenticated source to tune detection rules.
- No indicators of compromise are currently available from the vendor; Ivanti has confirmed no known in-the-wild exploitation at the time of disclosure.
- A public PoC exploit for the related CVE-2026-10520 (OS command injection) was published by watchTowr on June 10, 2026; in-the-wild exploitation is considered likely to begin imminently, which may affect the threat posture for CVE-2026-10523 as well.
- Ivanti Sentry has been targeted by threat actors before (CVE-2023-38035 and CVE-2020-15505 both appeared on CISA KEV), indicating a high likelihood of future exploitation of this product line.
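The detection bullets above can be turned into a small classifier that a proxy, WAF or SIEM pipeline would apply to each request/response pair. The code below is an added example written for this page; it is not from Ivanti, CISA or any of the quoted sources. It assumes a hypothetical `HttpExchange` record (method, path, content type, form body, response status, response body, and whether the proxy saw a valid session) and that the form body is `application/x-www-form-urlencoded`. Because the page's bullet names the `message` parameter while the extracted indicator strings begin with `commandmessage=`, the detector URL-decodes every parameter value and looks for the `execute system /configuration/system/commandexec` pattern in any of them, so either spelling (and both `+` and `%20`, upper- or lower-case hex) matches. The sample exchanges are constructed for the test.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs

# Endpoint and body pattern quoted in the detection notes above.
HANDLER_PATH = "/mics/api/v2/sentry/mics-config/handleMessage"
INJECTION_PATTERN = re.compile(
    r"execute\s+system\s+/configuration/system/commandexec", re.IGNORECASE
)
# Response marker the notes associate with a successfully handled message.
SUCCESS_MARKER = "Message handled successfully"


@dataclass
class HttpExchange:
    """Hypothetical record of one request/response pair as a proxy would log it."""
    method: str
    path: str
    content_type: str
    body: str
    status: int
    response_body: str
    authenticated: bool = False  # True if the proxy saw a valid session


def decoded_values(body: str) -> List[str]:
    """URL-decode all form parameters; parse_qs handles '+' and %XX in either case."""
    params = parse_qs(body, keep_blank_values=True)
    return [v for values in params.values() for v in values]


def classify(x: HttpExchange) -> Optional[dict]:
    """Return a finding for a handleMessage command-injection attempt, else None."""
    if x.method.upper() != "POST" or x.path.split("?", 1)[0] != HANDLER_PATH:
        return None
    hits = [v for v in decoded_values(x.body) if INJECTION_PATTERN.search(v)]
    if not hits:
        return None
    # A 200 with the success marker in the response suggests the message was
    # handled, which the notes treat as a sign of successful exploitation.
    verdict = "likely_success" if (
        x.status == 200 and SUCCESS_MARKER in x.response_body
    ) else "attempt"
    return {
        "verdict": verdict,
        "path": x.path,
        "content_type": x.content_type,
        "unauthenticated": not x.authenticated,
        "decoded_prefix": hits[0][:60],
    }


def scan(exchanges: List[HttpExchange]) -> List[dict]:
    """Run the classifier over a batch and keep only the findings."""
    return [f for f in (classify(x) for x in exchanges) if f is not None]


# Constructed sample traffic (not captured data): two matching attempts with the
# two encodings seen in the indicators, one benign POST, one GET.
SAMPLES = [
    HttpExchange("POST", HANDLER_PATH, "application/x-www-form-urlencoded",
                 "commandmessage=execute+system+%2Fconfiguration%2Fsystem%2Fcommandexec"
                 "+%3Ccommandexec%3E%3Cindex%3E1%3C%2Findex%3E%3C%2Fcommandexec%3E",
                 200, "Message handled successfully\nuid=0(root)"),
    HttpExchange("POST", HANDLER_PATH + "?v=1", "application/x-www-form-urlencoded",
                 "message=execute%20system%20%2fconfiguration%2fsystem%2fcommandexec",
                 401, "Unauthorized"),
    HttpExchange("POST", HANDLER_PATH, "application/x-www-form-urlencoded",
                 "message=%3Cstatus%3Eok%3C%2Fstatus%3E", 200,
                 "Message handled successfully", authenticated=True),
    HttpExchange("GET", HANDLER_PATH, "", "", 405, "Method Not Allowed"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

The classifier reports the content type and authentication state rather than gating on them, matching the note that these are tuning inputs: an unauthenticated, form-encoded POST carrying the pattern is the high-confidence case, while an authenticated one may still deserve a lower-severity alert on an appliance that should not be reachable from the internet at all.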
## CVSS provenance

- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CISA: 10.0 CRITICAL
## CISA

Ivanti Sentry OS Command Injection Vulnerability
cisa · 2026-06-11 · CVSS 10.0
CVE-2026-10520 [CRITICAL] CWE-78
Vulnerability: Ivanti Sentry OS Command Injection Vulnerability
Affected: Ivanti Sentry
Ivanti Sentry (formerly known as MobileIron Sentry) contains an OS command injection vulnerability which could allow a remote unauthenticated user to achieve root-level remote code execution. This vulnerability can be successfully exploited in cases where the Sentry appliance is in an unmanaged state with its endpoints externally reachable. The use of mTLS with EPMM or restricted HTTPS access through Neurons for MDM makes interfaces inaccessible to external actors.
Required Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL
## Ivanti

Ivanti Security Advisory: CVE-2026-10523
vendor_ivanti · 2026-06-09 · CVSS 9.9
CVE-2026-10523 [CRITICAL] CWE-288
An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.
CVE IDs: CVE-2026-10523
CVSS Base Score: 9.9
Severity: CRITICAL
CWEs: CWE-288
## GHSA

ghsa_unreviewed · 2026-06-09
CVE-2026-10523 [CRITICAL] CWE-288
An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.
No detection rules found.
## Nuclei

Ivanti Sentry - OS Command Injection
nuclei · CVSS 10.0
CVE-2026-10520 [CRITICAL]
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution.
Template:

```yaml
id: CVE-2026-10520

info:
  name: Ivanti Sentry - OS Command Injection
  author: DhiyaneshDk
  severity: critical
  description: |
    An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution
  impact: |
    Remote unauthenticated attackers can execute code as root, leading to full system compromise.
  remediation: |
    Upgrade to versions R10.5.2, R10.6.2, or R10.7.1 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-10520
    - https://github.c
```
## Rapid7

CVE-2026-10520, CVE-2026-10523 - Multiple critical vulnerabilities affecting Ivanti Sentry
blogs_rapid7 · 2026-06-10 · CVSS 9.8
CVE-2026-10520 [CRITICAL]

### Overview

On June 9, 2026, Ivanti published a security advisory for two critical vulnerabilities affecting Ivanti Sentry (formerly known as MobileIron Sentry), which per the vendor website is an “in-line gateway that manages, encrypts, and secures traffic between the mobile device and back-end enterprise systems”. The most severe issue, CVE-2026-10520, is an OS command injection vulnerability with a CVSS score of 10.0 that allows a remote unauthenticated attacker to achieve remote code execution (RCE) with root privileges. The second vulnerability, CVE-2026-10523, is an authentication bypass vulnerability with a CVSS score of 9.9 that allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access. Ivanti has stated that they
## Hackernews

Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities
blogs_hackernews · 2026-06-10 · CVSS 10.0
CVE-2026-25089 [CRITICAL]
Fortinet, Ivanti, and SAP have released security updates to address multiple critical security vulnerabilities that could result in arbitrary code execution and information disclosure.
The security flaw patched by Fortinet relates to a command injection vulnerability in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI. It's tracked as CVE-2026-25089 (CVSS score: 9.1).
"An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI may allo
## Bleepingcomputer

Ivanti: Max severity Sentry flaw allows code execution as root
blogs_bleepingcomputer · 2026-06-10 · CVSS 10.0
CVE-2026-10520 [CRITICAL]
By Sergiu Gatlan
Security software company Ivanti has released patches to address two critical vulnerabilities in its Sentry secure mobile gateway solution, including a maximum-severity flaw that enables remote attackers to execute code with root privileges.
Formerly known as MobileIron Sentry, Ivanti Sentry is a security gateway appliance that secures traffic between back-end corporate systems and remote mobile devices.
Tracked as CVE-2026-10520, the maximum-severity vulnerability stems from an OS command injection weakness. The second Sentry security flaw patched on Tuesday (tracked as CVE-2026-10523) is a critical authentication bypass that can be exploited remotely by unauthenticated attackers to create rogue admin

Published: 2026-06-09