Security
Ivanti Sentry CVE-2026-10520 and CVE-2026-10523: unauthenticated RCE and admin bypass, PoC published
- Category: Security
- Status: confirmed
- Sources: Ivanti advisory, Help Net Security, watchTowr PoC
- Summary: Ivanti published a security advisory on 2026-06-09 for two critical vulnerabilities in Ivanti Sentry. CVE-2026-10520 (CVSS 10.0) is an OS command injection flaw in the admin API allowing a remote unauthenticated attacker to achieve root-level remote code execution; it affects Sentry 10.7.0 and earlier. CVE-2026-10523 (CVSS 9.9) is an authentication bypass allowing an unauthenticated attacker to create arbitrary administrative accounts on a vulnerable device. Both are fixed in Sentry 10.5.2, 10.6.2, and 10.7.1. Ivanti reported no known customer exploitation at time of disclosure; watchTowr published a working PoC exploit for CVE-2026-10520 on 2026-06-10.
- Why it matters: A public PoC for unauthenticated root RCE makes exploitation imminent for unpatched Sentry deployments; update to fixed versions immediately or restrict external network access to the Sentry admin interface.
- Follow-up: Watch for CISA KEV addition and active exploitation reports.