
A critical pre-authentication OS command injection vulnerability in Ivanti Sentry allows remote attackers to execute arbitrary commands as root via a single crafted HTTP POST request. Within 40 hours of watchTowr's public proof-of-concept, the Shadowserver Foundation observed large-scale exploitation attempts and confirmed compromises. CISA added CVE-2026-10520 to its KEV catalog. A companion authentication bypass (CVE-2026-10523) enables unauthenticated admin account creation. Patch to R10.5.2, R10.6.2, or R10.7.1 immediately.
CVE-2026-10520 | TA2026166 | CWE-78 / CWE-288 | Patched in R10.5.2 / R10.6.2 / R10.7.1

CVE-2026-10520 is a critical pre-authentication OS command injection vulnerability in Ivanti Sentry (formerly MobileIron Sentry), classified as CWE-78. It allows remote, unauthenticated attackers to execute arbitrary commands as root through a single crafted HTTP request. Exploitation requires only access to the Sentry management interface on port 8443.
Although no active exploitation was reported at disclosure, the release of a public proof-of-concept by watchTowr on June 10, 2026 rapidly triggered large-scale attack attempts. The Shadowserver Foundation identified multiple vulnerable instances with at least two confirmed compromises. CISA added CVE-2026-10520 to its Known Exploited Vulnerabilities catalog. A companion flaw, CVE-2026-10523 (CWE-288), allows unauthenticated attackers to bypass authentication and create administrative accounts, granting full gateway control without credentials.
All Ivanti Sentry versions before R10.5.2, R10.6.2, and R10.7.1 are affected. Given that gateways were backdoored within roughly 40 hours of the public PoC, any unpatched internet-reachable instance should be treated as compromised.
| CVE ID | Vulnerability Name | Affected Products | Affected CPE | CWE | Zero-Day | CISA KEV | Patch |
|---|---|---|---|---|---|---|---|
| CVE-2026-10520 | Ivanti Sentry OS Command Injection Vulnerability | Ivanti Sentry before R10.5.2 / R10.6.2 / R10.7.1 | cpe:2.3:a:ivanti:standalone_sentry:*:*:*:*:*:*:*:* | CWE-78 | ✗ No | ✓ Yes | ✓ Yes |
| CVE-2026-10523 | Ivanti Sentry OS Authentication Bypass Vulnerability | Ivanti Sentry before R10.5.2 / R10.6.2 / R10.7.1 | cpe:2.3:a:ivanti:standalone_sentry:*:*:*:*:*:*:*:* | CWE-288 | ✗ No | ✗ No | ✓ Yes |
The vulnerable code lives in the /mics application context. The endpoint /mics/api/v2/sentry/mics-config/handleMessage accepts a user-controlled message parameter and passes it to a backend configuration process without adequate validation. An attacker can inject commands that execute on the appliance with root-level privileges.

The injection is delivered in a command-exec XML payload. Security researchers confirmed arbitrary command execution, with output returned directly in the application's JSON response. A companion vulnerability, CVE-2026-10523 (CWE-288), allows unauthenticated attackers to bypass authentication and create administrative accounts, granting full gateway control without valid credentials.

All Ivanti Sentry versions before R10.5.2, R10.6.2, and R10.7.1 are affected. Ivanti's fix replaced the vulnerable user-controlled execution path with a hardcoded command and added authentication controls via Apache configuration rules. Exploitation requires access to the management interface on port 8443, which should not be exposed to the public internet. Deployments protected by mTLS and restricted management access face significantly lower risk.

In-the-wild attempts targeted the handleMessage endpoint with commandexec payloads. Gateways were backdoored within roughly 40 hours of the public PoC.

Upgrade to R10.5.2, R10.6.2, or R10.7.1 immediately. The latest version is downloadable from within NMDM under Admin > Infrastructure > Sentry. Patching is the only complete remediation: it removes attacker control over the command-execution path and adds an authentication gate in front of the vulnerable endpoint.

Review logs for requests to /mics/api/v2/sentry/mics-config/handleMessage. If compromise is confirmed, rebuild from a known-good image and rotate all credentials and secrets accessible to the gateway.

Ensure the management interface (port 8443) is not reachable from the internet; the vendor states this access is required for exploitation. Enforce mTLS with EPMM or restricted HTTPS access through Neurons for MDM so management interfaces are inaccessible to external actors. Place the appliance behind appropriate network controls.

Monitor for requests to the handleMessage endpoint and for commandexec / reqandres payload patterns. Alert on anomalous command output in Sentry JSON responses. Use watchTowr's published Detection Artefact Generator to validate whether instances remain exposed. Monitor for newly created administrative accounts on the gateway.

| Tactic | Technique | Sub-technique & Notes |
|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application — unauthenticated HTTP POST to /mics/api/v2/sentry/mics-config/handleMessage with commandexec XML payload |
| Execution | T1059 | Command and Scripting Interpreter — injected OS commands executed as root on the Sentry appliance; output returned in JSON response |
| Persistence | T1136 | Create Account — CVE-2026-10523 auth bypass used to create unauthorized administrative accounts on the gateway |
| Resource Dev | T1588 | T1588.006 Vulnerabilities — public PoC published by watchTowr on June 10, 2026; rapidly weaponized for large-scale scanning and exploitation |
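The detection guidance above can be turned into a small triage script. This is an added example, not code from the advisory, Ivanti or watchTowr: it parses constructed Apache-style access-log lines, flags requests to the handleMessage endpoint after URL-decoding and slash-collapsing the path, and separately checks a captured request body for the commandexec / reqandres markers. The log layout, the addresses and the availability of request bodies are assumptions.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# Endpoint and payload markers named in the advisory.
HANDLE_MESSAGE = "/mics/api/v2/sentry/mics-config/handleMessage"
PAYLOAD_MARKERS = re.compile(r"commandexec|reqandres", re.IGNORECASE)

# Apache combined log format. The exact layout of the logs in front of the
# Sentry management interface (port 8443) is an assumption.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def normalize_path(target: str) -> str:
    """URL-decode (twice, for double encoding), drop the query string and
    collapse repeated slashes so /mics//api/... or %2F variants still match."""
    path = unquote(unquote(target.split("?", 1)[0]))
    return re.sub(r"/+", "/", path).lower()

def flag_access_line(line: str) -> Optional[str]:
    """Return a finding for a log line that hits handleMessage, else None."""
    m = LOG_RE.match(line)
    if not m or normalize_path(m["target"]) != HANDLE_MESSAGE.lower():
        return None
    return f"{m['src']} {m['method']} handleMessage -> HTTP {m['status']}"

def flag_body(body: str) -> List[str]:
    """Payload markers found in a captured request body. Assumes a proxy or
    WAF that records bodies; plain access logs do not contain them."""
    return sorted({hit.lower() for hit in PAYLOAD_MARKERS.findall(unquote(body))})

def scan(lines: List[str]) -> List[str]:
    """Run flag_access_line over a batch of log lines and keep the findings."""
    return [f for f in (flag_access_line(line) for line in lines) if f]

# Constructed sample lines; addresses and timestamps are not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Jun/2026:03:14:07 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Jun/2026:03:14:09 +0000] "POST /mics//api/v2/sentry/mics%2Dconfig/handleMessage?x=1 HTTP/1.1" 200 488',
    '10.0.5.20 - - [11/Jun/2026:03:15:00 +0000] "GET /mics/login.jsp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    # Constructed body carrying only the marker; no real payload structure.
    print(flag_body("<message><commandexec>[placeholder]</commandexec></message>"))
```

Findings from the access log are only a trigger for review: a legitimate EPMM-to-Sentry exchange may also touch the endpoint, so correlate the source address against the management network before escalating.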