Ivanti disclosed on June 9, 2026 that CVE-2026-10520, an OS command injection flaw in Ivanti Sentry, allows a remote, unauthenticated attacker to execute commands as root. It carries the maximum CVSS 10.0. A second bug disclosed the same day, CVE-2026-10523 (CVSS 9.9), is an authentication bypass that lets an attacker mint arbitrary administrative accounts. Ivanti said it knew of no exploitation at disclosure. That window closed fast: watchTowr published a working PoC on June 10, CISA added CVE-2026-10520 to its KEV catalog on June 11 with a June 14 federal patch deadline, and exploitation reports followed. If you run Sentry, this is a drop-everything patch.

What Sentry is, and why this hurts

Ivanti Sentry — formerly MobileIron Sentry — is an in-line gateway that brokers, encrypts, and secures traffic between mobile devices and back-end enterprise systems (Exchange, SharePoint, internal apps). It sits at the network edge and holds trust relationships with identity and device-management infrastructure. Root on the appliance is not a single-host problem; it is a foothold into the systems Sentry fronts and the credentials it stores.

This product has a track record. MobileIron/Ivanti Sentry has landed on CISA KEV twice before — CVE-2023-38035 and CVE-2020-15505 — both exploited in the wild. Threat actors know this attack surface.

Technical details

Per watchTowr’s analysis, the bug lives in the ConfigServiceController class and is reachable through an unauthenticated POST to:

/mics/api/v2/sentry/mics-config/handleMessage

The endpoint accepts a message parameter that it parses as an internal configuration command. One of those command paths funnels attacker input straight into an OS command executed as root, with no meaningful neutralization (CWE-78). The public PoC drives the commandexec path directly — here decoded from the wire format:

message=execute system /configuration/system/commandexec
        <commandexec><index>1</index><reqandres>id</reqandres></commandexec>

Swap id for anything you like and it runs as root. No credentials, no user interaction, network-reachable. That combination is why this rates a clean 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), and why a single HTTP request is enough.

Affected and fixed versions

Vulnerable:

  • Ivanti Sentry 10.7.0 and below
  • Ivanti Sentry 10.6.1 and below
  • Ivanti Sentry 10.5.1 and below

Fixed:

  • Ivanti Sentry 10.7.1
  • Ivanti Sentry 10.6.2
  • Ivanti Sentry 10.5.2

The same releases remediate both CVE-2026-10520 and CVE-2026-10523.
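A branch-aware version check, as an added example (not Ivanti's tooling) that encodes only the version table above. It exists mainly to show the pitfall of a naive "below 10.7.1" comparison, which would wrongly flag 10.6.2 and 10.5.2 as vulnerable, and it reports any branch the advisory does not list as unknown rather than guessing. The inventory format and the hostnames are assumptions.

```python
import re

# Fixed releases per branch, as listed in the advisory text above. Anything on
# a branch not in this table is reported as "unknown" rather than guessed.
FIXED_BY_BRANCH = {
    (10, 7): (10, 7, 1),
    (10, 6): (10, 6, 2),
    (10, 5): (10, 5, 2),
}


def parse_version(text):
    """Turn '10.6.1' (or '10.6.2-5' with a build suffix) into (10, 6, 1)."""
    parts = []
    for token in re.split(r"[.\-]", text.strip()):
        if not token.isdigit():
            break
        parts.append(int(token))
    if len(parts) < 3:
        raise ValueError(f"unparseable Sentry version: {text!r}")
    return tuple(parts[:3])


def status(version):
    """Classify one version string as 'vulnerable', 'fixed' or 'unknown'.

    Comparison is per branch: 10.6.2 is fixed even though it sorts below
    10.7.1, so a naive 'less than 10.7.1' check would be wrong.
    """
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unknown"
    return "fixed" if v >= fixed else "vulnerable"


PRIORITY = {"vulnerable": 0, "unknown": 1, "fixed": 2}


def triage(inventory):
    """inventory: iterable of (hostname, version, internet_facing) tuples.

    Returns (hostname, version, status, internet_facing) rows ordered so that
    internet-facing vulnerable appliances come first, unknown branches next,
    and fixed appliances last.
    """
    rows = [(host, ver, status(ver), facing) for host, ver, facing in inventory]
    rows.sort(key=lambda r: (PRIORITY[r[2]], not r[3], r[0]))
    return rows


if __name__ == "__main__":
    # Constructed inventory for illustration; hostnames are made up.
    sample = [
        ("sentry-lab", "10.7.1", False),
        ("sentry-dmz-1", "10.6.1", True),
        ("sentry-dmz-2", "10.5.1", False),
        ("sentry-old", "10.4.0", True),
    ]
    for host, ver, st, facing in triage(sample):
        exposure = "internet-facing" if facing else "internal"
        print(f"{host:14} {ver:8} {st:10} {exposure}")
```

Feed it whatever your CMDB or scanner exports as (host, version, exposure) and patch from the top of the list down; anything reported as unknown needs a human to confirm the branch against the advisory rather than being silently treated as safe.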

What to do right now

Patch out of band. Upgrade to 10.7.1, 10.6.2, or 10.5.2. The PoC is public on GitHub and exploitation is no longer hypothetical — the normal maintenance window does not apply here. Prioritize any Sentry that is internet-facing.

Shrink exposure if you cannot patch immediately. Restrict reachability of the management and /mics/ API surface to trusted administrative networks, and put Sentry behind segmentation so it is not directly internet-exposed. Edge filtering is a stopgap, not a fix.

Hunt for compromise. Treat any unpatched internet-exposed appliance as suspect. Concrete indicators:

  • POST requests to /mics/api/v2/sentry/mics-config/handleMessage, especially with a message body referencing commandexec. The endpoint needs no authentication, so any such request from a source you do not recognize is suspect, not just the ones whose body you can read.
  • Unexpected child processes spawned by the Sentry web application (shells, curl or wget, script interpreters), or outbound connections from the appliance to hosts it has no business talking to.
  • New local users or administrative accounts (CVE-2026-10523), new scheduled tasks, startup scripts, or modified binaries.
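The log-side checks above, as an added example (not Ivanti's or watchTowr's code) in the form of a small hunt script. It assumes the requests passed through a reverse proxy or WAF that writes combined-format access logs with the URL-encoded POST body as a trailing quoted field; that body logging, the log lines themselves, and the IP addresses are constructed for illustration. Without body logging only the method/path signal is available, and the script still surfaces every POST to the endpoint as medium.

```python
import re
from urllib.parse import unquote_plus

TARGET_PATH = "/mics/api/v2/sentry/mics-config/handleMessage"

# Combined-format access line with an optional trailing quoted field holding
# the URL-encoded request body (assumed proxy configuration, see lead-in).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
    r'(?: "(?P<body>[^"]*)")?'
)


def classify(line):
    """Return None for lines that do not touch the endpoint, else a finding.

    Severity:
      high   - body carries the commandexec path (the PoC shape)
      medium - POST to the endpoint with no readable body
      low    - non-POST touch of the endpoint (scanner probe, still worth a look)
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # ignore any query string
    if path != TARGET_PATH:
        return None
    finding = {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "status": int(m.group("status")),
        "severity": "medium" if m.group("method") == "POST" else "low",
        "command": None,
    }
    body = unquote_plus(m.group("body") or "")
    if "commandexec" in body:
        finding["severity"] = "high"
        # Pull out what was handed to the OS, if the body is intact.
        cmd = re.search(r"<reqandres>(.*?)</reqandres>", body, re.S)
        if cmd:
            finding["command"] = cmd.group(1)
    return finding


def hunt(log_text):
    """Run classify over every line and return only the findings, in log order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


# Constructed sample log: one unrelated 404, one PoC-shaped request, one GET
# probe, one request with a query string and a different command, and one
# POST whose body was not logged. Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2026:14:02:11 +0000] "GET /mics/ HTTP/1.1" 404 0
203.0.113.7 - - [10/Jun/2026:14:02:13 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 512 "message=execute+system+%2Fconfiguration%2Fsystem%2Fcommandexec+%3Ccommandexec%3E%3Cindex%3E1%3C%2Findex%3E%3Creqandres%3Eid%3C%2Freqandres%3E%3C%2Fcommandexec%3E"
198.51.100.22 - - [10/Jun/2026:14:05:40 +0000] "GET /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 405 0
192.0.2.10 - - [10/Jun/2026:14:09:01 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage?x=1 HTTP/1.1" 200 128 "message=execute+system+%2Fconfiguration%2Fsystem%2Fcommandexec+%3Ccommandexec%3E%3Cindex%3E1%3C%2Findex%3E%3Creqandres%3Euname+-a%3C%2Freqandres%3E%3C%2Fcommandexec%3E"
10.0.0.5 - - [10/Jun/2026:14:10:00 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 64
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ts']} {f['src']:15} {f['method']} {f['status']} cmd={f['command']!r}")
```

Every high finding with a 200 response should be treated as a successful command execution until proven otherwise; the medium ones are where you go back to the appliance itself for process and account evidence, because the proxy log alone cannot tell you what the body contained.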

If you find evidence of exploitation, treat the box as fully compromised: rotate every credential it touched — directory binds, integration secrets, certificates — and rebuild from a known-good image rather than cleaning in place. Root RCE on an identity-adjacent gateway turns into a lateral-movement and credential-theft problem quickly.

References