Ivanti Sentry Pre-Auth RCE + Auth Bypass (CVE-2026-10520 / CVE-2026-10523)
by Sonny / watchTowr · 2026-06-28
- Severity: Critical
- CVE: CVE-2026-10520, CVE-2026-10523
- Category: network
- Affected product: Ivanti Sentry (formerly MobileIron Sentry)
- Affected versions: Ivanti Sentry ≤ 10.7.0, ≤ 10.6.1, ≤ 10.5.1
- Disclosed: 2026-06-28
- Patch status: patched
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-10520
- https://nvd.nist.gov/vuln/detail/CVE-2026-10523
- https://labs.watchtowr.com/more-evidence-that-words-dont-mean-what-we-thought-they-meant-ivanti-sentry-pre-auth-os-command-injection-cve-2026-10520/
- https://github.com/watchtowrlabs/watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523
- https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523
Archive entry
intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-06-28 |
| Last Updated | 2026-06-09 |
| Author / Researcher | Sonny / watchTowr |
| CVE / Advisory | CVE-2026-10520, CVE-2026-10523 |
| Category | network |
| Severity | Critical |
| CVSS Score | 10.0 (CVE-2026-10520, CVSSv3); 9.9 (CVE-2026-10523) |
| Status | PoC |
| Tags | pre-auth, RCE, OS-command-injection, Ivanti, Sentry, MICS-API, auth-bypass, admin-creation, CISA-KEV |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Ivanti Sentry (formerly MobileIron Sentry) |
| Versions Affected | Ivanti Sentry ≤ 10.7.0, ≤ 10.6.1, ≤ 10.5.1 |
| Language / Platform | Python (PoC); Linux (target) |
| Authentication Required | No (unauthenticated) |
| Network Access Required | Yes (HTTPS, MICS port) |
Summary
Two critical vulnerabilities in Ivanti Sentry enable unauthenticated root-level RCE and arbitrary admin account creation. CVE-2026-10520 is an OS command injection in the MICS API at /mics/api/v2/sentry/mics-config/handleMessage (CVSS 10.0). CVE-2026-10523 is an authentication bypass allowing unauthenticated creation of arbitrary admin accounts (CVSS 9.9). A PoC published by watchTowr on June 10 triggered in-the-wild exploitation within 24 hours; CISA added both to KEV on June 11, 2026.
Vulnerability Details
Root Cause
CVE-2026-10520: The MICS API endpoint /mics/api/v2/sentry/mics-config/handleMessage fails to authenticate incoming requests and passes attacker-controlled input directly to a shell command without sanitization, enabling unauthenticated root-level OS command injection.
CVE-2026-10523: A separate authentication bypass in the MICS admin interface allows an unauthenticated attacker to call privileged endpoints and create arbitrary administrator accounts on the appliance.
Attack Vector (CVE-2026-10520)
- Send an unauthenticated HTTP POST to /mics/api/v2/sentry/mics-config/handleMessage.
- Inject an OS command via an attacker-controlled parameter in the JSON body.
- The command executes as root on the Ivanti Sentry appliance.
Impact
Full unauthenticated remote code execution as root. Combined with CVE-2026-10523, an attacker can both execute commands and create persistent admin accounts. Exploitation was confirmed in the wild within 24 hours of PoC release. Treat unpatched appliances as fully compromised.
Environment / Lab Setup
Target: Ivanti Sentry ≤ 10.7.0 / 10.6.1 / 10.5.1
Attacker: Python 3 with requests library
Proof of Concept
PoC Script
See watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523.py in this folder.
Expected Output (vulnerable)
[+] Sending command execution check to: https://TARGET/mics/api/v2/sentry/mics-config/handleMessage
[+] Target appears to be vulnerable.
Command output:
Linux sentry-host 4.18.0-553.84.1.el8_10.x86_64 ...
Detection & Indicators of Compromise
Remediation
| Action | Detail |
|---|---|
| Patch | Upgrade to Ivanti Sentry 10.7.1, 10.6.2, or 10.5.2 |
| Treat as compromised | If unpatched and internet-exposed, assume compromise; audit admin accounts and review MICS logs |
| Ivanti advisory | https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523 |
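The log review recommended above can start with a search for requests to the handleMessage endpoint named under Root Cause. The following Python is an added example, not part of the watchTowr PoC or of this archive entry; the "combined" access-log layout, the sample lines and the function names are assumptions to adapt to the logs your appliance or front-end proxy actually writes.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint this page names for CVE-2026-10520, lower-cased for comparison.
ENDPOINT = "/mics/api/v2/sentry/mics-config/handlemessage"

# ASSUMPTION: "combined" access-log layout; adapt to what your appliance or proxy writes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges), not taken from a real appliance.
SAMPLE = [
    '198.51.100.7 - - [11/Jun/2026:02:14:09 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '198.51.100.7 - - [11/Jun/2026:02:14:11 +0000] "POST /mics//api/v2/sentry/%6dics-config/handleMessage?x=1 HTTP/1.1" 200 298 "-" "python-requests/2.31"',
    '192.0.2.10 - admin [11/Jun/2026:08:00:01 +0000] "GET /favicon.ico HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.44 - - [11/Jun/2026:09:30:45 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 403 0 "-" "curl/8.5"',
]

def normalize_path(target):
    """Canonicalise a request target so encoded or padded variants still match."""
    path = target.split("?", 1)[0]
    for _ in range(2):                       # undo single and double percent-encoding
        path = unquote(path)
    path = re.sub(r";[^/]*", "", path)       # drop ;path-parameters
    path = re.sub(r"/{2,}", "/", path)       # collapse repeated slashes
    return posixpath.normpath(path).lower()  # resolve "." and "..", drop trailing slash

def scan(lines):
    """Return {client_ip: [(timestamp, method, status, had_user), ...]} for endpoint hits."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize_path(m["target"]) != ENDPOINT:
            continue
        hits[m["ip"]].append((m["ts"], m["method"], int(m["status"]), m["user"] != "-"))
    return dict(hits)

def triage(hits):
    """Clients with a POST that carried no logged user and got a 2xx reply: review first."""
    return sorted(ip for ip, events in hits.items()
                  if any(method == "POST" and 200 <= status < 300 and not had_user
                         for _, method, status, had_user in events))

if __name__ == "__main__":
    found = scan(SAMPLE)
    for ip in triage(found):
        print(ip, found[ip])
```

A hit on an unpatched appliance is a lead for the admin-account audit in the table above, not proof of compromise on its own; absence of hits proves nothing if logs were rotated or tampered with.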
Notes
Auto-ingested from https://github.com/watchtowrlabs/watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523 on 2026-06-28. Two CVEs ingested as a single entry (same appliance, same watchTowr PoC). PoC published June 10; ITW exploitation confirmed within 24 hours; CISA KEV June 11, 2026.