Vulnerability Detail
Enriched intelligence for a single CVE
Critical
CVE-2020-15505
PUBLISHEDA remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3,...
- Vendor
- MobileIron
- Product
- Core & Connector, Sentry, Monitor and Reporting Database (RDB)
- Published
- Jul 07, 2020
- EPSS
- 94.4% · 100% pctl
Automate This Intelligence with the Pro API
Everything on this page — CVSS, EPSS, exploit status, PoCs, scanner integrations, mentions, tags, and immediate honeypot data — is available programmatically for VM, SOC, and CTI workflows.
Description
A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors.
Weaknesses (CWE)
-
Use of Incorrectly-Resolved Name or Reference
CVSS Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploitation Status
Exploited in the wild
Recorded 2021-11-03 00:00:00 UTC · CISA
Proof of concept available
Recorded 2025-04-28 15:02:08 UTC · Nuclei Templates
References
- https://www.mobileiron.com/en/blog/mobileiron-security-updates-available
- https://www.mobileiron.com/en/blog/mobileiron-security-updates-available
- https://perchsecurity.com/perch-news/cve-spotlight-mobileiron-rce-cve-2020-15505/
- http://packetstormsecurity.com/files/161097/MobileIron-MDM-Hessian-Based-Java-Deserialization-Remote-Code-Execution.html
- https://cwe.mitre.org/data/definitions/41.html
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| CISA First | 2021-11-03 00:00 UTC |
| The Shadowserver (via CIRCL) | 2026-05-31 00:00 UTC |
| Rapid7 | 2026-06-12 09:21 UTC |
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/mobileiron_mdm_hessian_rce.rb | Apr 28, 2025 |
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-15505.yaml | Apr 25, 2025 |
Recent Mentions
Rapid7 · Jun 10, 2026
OverviewOn June 9, 2026, Ivanti published a security advisory for two critical vulnerabilities affecting Ivanti Sentry (formerly known as MobileIron Sentry), which per the vendor website is an “in-line gateway that manages, encrypts, and secures traffic between the mobile device and back-end enterprise systems”. The most severe issue, CVE-2026-10520, is an OS command injection vulnerability with a CVSS score of 10.0 that allows a remote unauthenticated attacker to achieve remote code execution (RCE) with root privileges. The second vulnerability, CVE-2026-10523, is an authentication bypass vulnerability with a CVSS score of 9.9 that allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access. Ivanti has stated that they are not aware of any customers being exploited by either of these vulnerabilities at the time of disclosure. CVECVSSv3.1CWECVE-2026-1052010.0 (Critical)OS Command Injection (CWE-78)CVE-2026-105239.9 (Critical)Authentication Bypass Using an Alternate Path or Channel (CWE-288)On June 10, 2026, watchTowr published a technical analysis of CVE-2026-10520 that includes a proof-of-concept (PoC) exploit for unauthenticated RCE. Given the trivial nature of exploitation and the availability of a public PoC, exploitation in-the-wild is likely to begin. Ivanti Sentry has featured on the CISA KEV list twice in the past (for the vulnerabilities CVE-2023-38035 and CVE-2020-15505), so we know threat actors will likely target this product. Organizations running affected versions of Ivanti Sentry should remediate these issues on an urgent basis before exploitation in-the-wild begins.Technical overview for CVE-2026-10520Based upon the technical analysis by watchTowr, CVE-2026-10520 resides in the ConfigServiceController class within the Sentry web application, which is accessible via a POST request to the unauthenticated endpoint /mics/api/v2/sentry/mics-config/handleMessage.The handleMessage endpoint...
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
nuclei · Created Unknown
Timeline
-
KEV confirmed by Rapid7
-
KEV confirmed by The Shadowserver (via CIRCL)
-
Detected by Metasploit
-
Proof of Concept Exploit Available
-
Detected by Nuclei
-
Added to KEVIntel
-
CVE Published to Public
-
CVE ID Reserved