CVE-2026-10523
published 2026-06-09

CVE-2026-10523: An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to…

Priority: P1 · 90 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 47.19% (98.7th percentile)
An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.

Affected

3 ranges
Vendor  Product            Version range        Fixed in
ivanti  standalone_sentry  < 10.5.2             10.5.2
ivanti  standalone_sentry
ivanti  standalone_sentry  >= 10.6.0 < 10.6.2   10.6.2

Detection & IOCs (extracted from sources)

url: /mics/api/v2/sentry/mics-config/handleMessage
command: message=execute+system+%2Fconfiguration%2Fsystem%2Fcommandexec+%3Ccommandexec%3E%3Cindex%3E1%3C%2Findex%3E%3Creqandres%3Eid%3C%2Freqandres%3E%3C%2Fcommandexec%3E
command: message=execute%20system%20%2fconfiguration%2fsystem%2fcommandexec%20%3ccommandexec%3e%3cindex%3e1%3c%2findex%3e%3creqandres%3eecho%20CVE-2026-10520%3c%2freqandres%3e%3c%2fcommandexec%3e
other: shodan-query: html:"Ivanti" html:"Sentry"
  • Detect unauthenticated POST requests to the vulnerable handleMessage endpoint; the request body contains the pattern 'execute system /configuration/system/commandexec' with attacker-controlled XML payload in the 'message' parameter.
  • Alert on HTTP 200 responses to POST /mics/api/v2/sentry/mics-config/handleMessage containing both 'Message handled successfully' and command output in the body, indicating successful exploitation.
  • Exploitation is viable when the Sentry appliance is in an unmanaged state with its endpoints externally reachable; prioritize detection/blocking for internet-exposed Sentry instances not protected by mTLS with EPMM.
  • Content-Type: application/x-www-form-urlencoded is used in the exploit POST request; combine with the target path and unauthenticated source to tune detection rules.
  • No indicators of compromise are currently available from the vendor; Ivanti has confirmed no known in-the-wild exploitation at time of disclosure.
  • A public PoC exploit for the related CVE-2026-10520 (OS command injection) was published by watchTowr on June 10, 2026; exploitation in-the-wild is considered likely to begin imminently, which may affect the threat posture for CVE-2026-10523 as well.
  • Ivanti Sentry has been targeted by threat actors before (CVE-2023-38035 and CVE-2020-15505 both appeared on CISA KEV), indicating high likelihood of future exploitation of this product line.
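
The first four detection notes above, combined into one check over logged HTTP transactions. This is an added example, not code from the page's sources or from Ivanti; the dict field names and the sample transactions are assumptions constructed for illustration, and whether the source was authenticated has to come from your own logs.

```python
from urllib.parse import parse_qs

# Path, decoded pattern and success marker are taken from the notes above.
PATH = "/mics/api/v2/sentry/mics-config/handleMessage"
PATTERN = "execute system /configuration/system/commandexec"
SUCCESS = "Message handled successfully"
FORM = "application/x-www-form-urlencoded"


def classify(txn):
    """Return 'none', 'attempt' or 'success' for one logged HTTP transaction.

    The dict keys (method, path, content_type, body, status, response_body)
    are hypothetical; map them to your proxy or WAF log schema.
    """
    if txn.get("method", "").upper() != "POST":
        return "none"
    # Compare the path without any query string or trailing slash.
    if txn.get("path", "").split("?", 1)[0].rstrip("/") != PATH:
        return "none"
    if txn.get("content_type", "").split(";", 1)[0].strip().lower() != FORM:
        return "none"
    # parse_qs decodes '+' and '%20' and both hex cases, so every encoding
    # of the body is matched against the same decoded string.
    params = parse_qs(txn.get("body", ""), keep_blank_values=True)
    decoded = [" ".join(v.split()).lower() for v in params.get("message", [])]
    if not any(PATTERN in v for v in decoded):
        return "none"
    if txn.get("status") == 200 and SUCCESS in txn.get("response_body", ""):
        return "success"
    return "attempt"


# Constructed sample transactions; the XML part of the body is a placeholder.
SAMPLES = [
    {"method": "POST", "path": PATH, "content_type": FORM, "status": 200,
     "body": "message=execute+system+%2Fconfiguration%2Fsystem%2Fcommandexec+%3Cplaceholder%2F%3E",
     "response_body": "Message handled successfully"},
    {"method": "POST", "path": PATH, "content_type": FORM + "; charset=UTF-8",
     "status": 403, "response_body": "",
     "body": "message=execute%20system%20%2fconfiguration%2fsystem%2fcommandexec%20%3cplaceholder%2f%3e"},
    {"method": "POST", "path": PATH, "content_type": FORM, "status": 200,
     "body": "message=status", "response_body": "Message handled successfully"},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["status"], classify(s))
```

Matching on the decoded `message` value rather than the raw body is what lets one rule cover both encodings listed in the indicators.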

CVSS provenance

nvd   v3.1  9.8   CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cisa        10.0  CRITICAL