Ivanti Sentry CVE-2026-10520 (CVSS 10.0) RCE
Ivanti has released urgent security patches to address a cluster of critical vulnerabilities, including an unauthenticated Remote Code Execution (RCE) flaw tracked as CVE-2026-10520, affecting its Sentry gateway appliances. This vulnerability, carrying a maximum CVSS score of 10.0, allows a remote, unauthenticated attacker to execute arbitrary commands with root-level privileges on the appliance. The immediate disclosure follows full analysis and a publicly available Proof-of-Concept (PoC) exploit from watchTowr Labs.
Alongside CVE-2026-10520, an authentication bypass vulnerability, CVE-2026-10523, has also been addressed. This flaw has a CVSS score of 9.9 and enables a remote unauthenticated attacker to create arbitrary administrative accounts, thereby obtaining full administrative access to the Ivanti Sentry system. Both vulnerabilities pose a serious threat to organizational security due to their severity and ease of exploitation.
Despite the public exploit code, no in-the-wild exploitation had been observed at the time of disclosure. Ivanti explicitly stated: "We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure." A public PoC nonetheless lowers the technical barrier for attackers considerably, so remediation should be treated as urgent rather than scheduled.
What is the impact of CVE-2026-10520 and CVE-2026-10523?
The combined impact of CVE-2026-10520 and CVE-2026-10523 is severe, potentially leading to full administrative takeover of affected Ivanti Sentry gateway appliances. An attacker successfully exploiting CVE-2026-10520 gains root-level remote code execution capability on the underlying operating system. This level of access grants complete control over the device, allowing for data exfiltration, service disruption, or further lateral movement within an affected network.
Organizations relying on Ivanti Sentry as a secure corporate traffic gateway are at direct risk. These appliances are typically deployed at network perimeters to manage and secure access to internal resources, making them high-value targets. A compromise of such a device could effectively bypass an organization's primary security controls, exposing internal networks and sensitive data to attackers.
The CVE-2026-10523 authentication bypass compounds this risk by providing a second, independent path to administrative control: an attacker can create arbitrary administrative accounts and then reconfigure the gateway, disrupt operations, or use the device as a pivot point for broader attacks. The direct threat to infrastructure integrity and data confidentiality requires urgent attention from security teams. The CVSS scores of 10.0 for CVE-2026-10520 and 9.9 for CVE-2026-10523 both fall in the Critical range.
How are CVE-2026-10520 and CVE-2026-10523 exploited?
CVE-2026-10520 is an OS command injection vulnerability, and CVE-2026-10523 is an authentication bypass. Both flaws affect Ivanti Sentry gateway appliances and can be exploited by remote, unauthenticated adversaries. These vulnerabilities collectively allow for significant compromise without requiring prior access or credentials.
Exploitation Chain Details
- CVE-2026-10520 (OS Command Injection):
  - Attack Vector: An OS command injection flaw in an input handler that the advisory does not identify. The handler fails to sanitize user-supplied parameters before passing them to a shell for execution.
  - Preconditions: No authentication is required. A remote attacker only needs network reachability to the vulnerable appliance and can send specially crafted input directly.
  - Impact of Exploitation: Arbitrary command execution with root privileges on the Ivanti Sentry appliance, the highest level of control over the system.
  - Public PoC: watchTowr Labs has published a full analysis and a PoC exploit script on GitHub. The PoC significantly lowers the expertise required for exploitation and increases the likelihood of broad, opportunistic attacks. For more context on the rapid development of public exploits for critical vulnerabilities, refer to our prior analysis of CVE-2026-8633.
- CVE-2026-10523 (Authentication Bypass):
  - Attack Vector: A flaw in the authentication subsystem of Ivanti Sentry that lets a remote, unauthenticated attacker bypass the standard authentication mechanism.
  - Preconditions: As with CVE-2026-10520, no prior authentication is required; the attacker interacts directly with the vulnerable authentication component.
  - Impact of Exploitation: Creation of arbitrary administrative accounts on the appliance, giving full administrative access for configuration changes, unauthorized monitoring, or further system manipulation. Because the attacker ends up holding what look like legitimate credentials, this path also provides persistent access even if the RCE path is blocked, and such accounts survive patching unless they are found and removed.
The public availability of PoC code raises the immediate threat level, since it hands attackers the tooling to build and deploy working exploits quickly. This situation mirrors other critical RCE flaws with publicly available exploits, such as those detailed in our post on CVE-2026-20245.
Which products and versions are affected?
CVE-2026-10520 and CVE-2026-10523 affect Ivanti Sentry gateway appliances on every release before the fixed versions listed below. Ivanti has released software maintenance updates for each affected branch.
Affected product:
- Ivanti Sentry gateway appliances
Affected versions:
- All versions of Ivanti Sentry prior to the following patched versions:
  - 10.5.2
  - 10.6.2
  - 10.7.1
Any Ivanti Sentry appliance running a version older than the fixed release for its branch (10.5.2, 10.6.2, or 10.7.1) is exposed to both the remote code execution and the authentication bypass. Identifying every vulnerable instance at the network perimeter, including staging or forgotten appliances, and patching it is the first priority.
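To turn the version list above into something an inventory script can act on, the following branch-aware check classifies each appliance by whether its reported version precedes the fixed release for its branch. This is an added example, not Ivanti tooling; the host inventory is constructed, and the handling of branches the advisory does not name (older than 10.5, or newer than 10.7) is an assumption stated in the comments.

```python
"""Branch-aware check of Ivanti Sentry version strings against the fixed
releases named above (10.5.2, 10.6.2, 10.7.1). Added example, not Ivanti
tooling. The inventory below is constructed, and the treatment of branches
the advisory does not name is an assumption."""

# Fixed release for each branch the advisory names.
FIXED_BY_BRANCH = {
    (10, 5): (10, 5, 2),
    (10, 6): (10, 6, 2),
    (10, 7): (10, 7, 1),
}

# Constructed inventory of hostname -> reported version (not real systems).
SAMPLE_INVENTORY = {
    "sentry-dc1": "10.5.1",
    "sentry-dc2": "10.5.2",
    "sentry-dmz": "10.6.0.3",
    "sentry-lab": "10.7.0",
    "sentry-old": "10.4.9",
    "sentry-new": "10.8.0",
    "sentry-bad": "unknown",
}


def parse_version(text):
    """Turn '10.6.0.3' into (10, 6, 0, 3); raise ValueError on junk."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"need at least major.minor: {text!r}")
    return parts


def assess(version):
    """Classify one version: 'vulnerable', 'patched', or 'unlisted'."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        # Tuple comparison handles missing or extra components: (10, 5) and
        # (10, 5, 1) sort before (10, 5, 2); (10, 5, 2, 1) sorts after it.
        return "vulnerable" if v < FIXED_BY_BRANCH[branch] else "patched"
    if branch < min(FIXED_BY_BRANCH):
        # Every release on an older branch predates all three fixes.
        return "vulnerable"
    # Assumption: a branch newer than any the advisory names is not covered
    # by it. Confirm its status with Ivanti rather than assuming it is safe.
    return "unlisted"


def triage_inventory(inventory):
    """Group hosts by status; unparseable versions land in 'unknown'."""
    groups = {"vulnerable": [], "patched": [], "unlisted": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            groups[assess(version)].append(host)
        except ValueError:
            groups["unknown"].append(host)
    return groups


if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Feed `triage_inventory` the version strings your asset inventory or the appliance's own version banner reports; anything in the `unknown` or `unlisted` buckets needs a manual look rather than being silently treated as safe.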
How can these vulnerabilities be detected?
Detection efforts for CVE-2026-10520 and CVE-2026-10523 should focus on auditing Ivanti Sentry appliance logs and network telemetry for anomalous activities indicative of exploitation attempts or successful compromise. Given the nature of these vulnerabilities (OS command injection and authentication bypass), a range of indicators may be present.
Detection guidance includes:
- Use the Detection Artefact Generator: Ivanti has provided a "Detection Artefact Generator" tool. Run it immediately against every Ivanti Sentry deployment to audit the appliance's state, retain its output as a baseline, and repeat the check as part of routine monitoring.
- Log Analysis for Unexpected Commands:
  - Monitor system logs on Ivanti Sentry appliances for the execution of unusual or unauthorized commands. Focus on shell command execution logs, if available, or process creation events.
  - Look for commands that are not part of standard operational procedures or administrative scripts, such as reverse shells, file transfers, or unauthorized configuration changes.
- Authentication Log Review:
  - Scrutinize authentication logs for the creation of new, unrecognized administrative accounts, especially accounts with no corresponding, legitimate administrative action or change record behind them.
  - Monitor for failed or successful login attempts from unusual source IP addresses or at atypical times.
  - Review access patterns to confirm that only authorized personnel and systems are attempting to authenticate to Ivanti Sentry interfaces.
- Network Indicators:
  - Monitor traffic to and from Ivanti Sentry appliances for unexpected outbound connections (for example to external C2 servers or data-exfiltration endpoints), particularly over non-standard ports or protocols.
  - Analyze inbound traffic for payloads that match the published PoC or that carry shell metacharacters in request parameters, which is the signature of an OS command injection attempt. This requires deep packet inspection and, where the traffic is TLS-encrypted, TLS visibility at a proxy or inspection point in front of the appliance.
  - Look for large or unusual data transfers from the appliance, which could signal data exfiltration.
- Integrity Monitoring:
  - Implement file integrity monitoring (FIM) on critical system files and directories of the Ivanti Sentry appliance, and alert on any unauthorized modification, creation, or deletion.
  - Monitor configuration files for changes that deviate from established baselines.
- EDR/XDR Integration (if applicable):
  - Where Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) tooling covers systems that interact with or monitor the Ivanti Sentry appliances, configure it to alert on process anomalies, unusual system calls, or suspicious network connections originating from or targeting the gateway.
Regularly auditing all associated logs and infrastructure state is important, especially for internet-facing or critical infrastructure components like Ivanti Sentry.
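The three log-based checks above (shell metacharacters in request parameters, administrative accounts created outside a legitimate admin action, and authentication from outside the management network) are easy to run as one pass over exported logs. The following is an added example, not Ivanti's tooling or output: the key=value log format, the `actor=anonymous` convention, the management subnet, and the sample lines are all constructed for illustration, so the parser will need adapting to the real Sentry log format.

```python
"""Triage constructed Ivanti Sentry-style log lines for the indicators the
detection guidance above describes. The key=value log format, the
'actor=anonymous' convention and the management subnet are assumptions made
for this example; adapt parse_line() to the real log format."""
import ipaddress
import re
import shlex

# Assumed management subnets from which admin access is legitimate.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.5.0/24")]

# Shell metacharacters that have no business in a host/diagnostic parameter.
INJECTION_RE = re.compile(r"[;|`&]|\$\(|\n")

# Constructed sample log lines (not real Sentry logs).
SAMPLE_LOG = """\
2026-03-02T10:14:03Z event=auth result=success user=admin src=10.10.5.12
2026-03-02T10:15:40Z event=http method=POST path=/api/diag params="host=127.0.0.1;id" src=203.0.113.7
2026-03-02T10:16:02Z event=account_create user=svc_backup role=admin actor=anonymous src=203.0.113.7
2026-03-02T10:17:30Z event=http method=POST path=/api/diag params="host=10.10.5.1" src=10.10.5.12
2026-03-02T10:18:00Z event=account_create user=helpdesk2 role=admin actor=admin src=10.10.5.12
2026-03-02T10:20:11Z event=auth result=failure user=root src=198.51.100.4
"""


def parse_line(line):
    """Split a key=value log line into a dict; the leading timestamp becomes 'ts'."""
    tokens = shlex.split(line)          # respects quoted values such as params="..."
    fields = {"ts": tokens[0]}
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")   # split on the first '=' only
        fields[key] = value
    return fields


def from_management_net(src):
    """True if the source address falls inside an assumed management subnet."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)


def triage(log_text):
    """Return (rule, timestamp, detail) findings for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        src = rec.get("src", "")
        event = rec.get("event")
        ts = rec["ts"]
        # Metacharacters in a request parameter: the shape of an OS command
        # injection attempt such as CVE-2026-10520.
        if event == "http" and INJECTION_RE.search(rec.get("params", "")):
            findings.append(("cmd_injection_attempt", ts,
                             f"{src} -> {rec.get('path')} params={rec.get('params')!r}"))
        # An admin account created with no authenticated actor, or from outside
        # the management network, matches the CVE-2026-10523 outcome.
        if event == "account_create" and rec.get("role") == "admin":
            if rec.get("actor") in ("anonymous", "", None) or not from_management_net(src):
                findings.append(("unauthorized_admin_account", ts,
                                 f"user={rec.get('user')} actor={rec.get('actor')} src={src}"))
        # Any authentication attempt from outside the management network.
        if event == "auth" and not from_management_net(src):
            findings.append(("auth_from_untrusted_net", ts,
                             f"user={rec.get('user')} result={rec.get('result')} src={src}"))
    return findings


if __name__ == "__main__":
    for rule, ts, detail in triage(SAMPLE_LOG):
        print(f"{ts} {rule}: {detail}")
```

On the sample, the metacharacter rule fires on the `;id` parameter, the account rule fires on the anonymous creation from 203.0.113.7 but not on the admin-initiated creation from the management subnet, and the network rule flags the failed `root` login from 198.51.100.4. The `cmd_injection_attempt` rule is deliberately broad; tune `INJECTION_RE` and the parameter names once the vulnerable handler is known, and treat any hit from before the patch date as a reason to run the Detection Artefact Generator on that appliance.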
What are the remediation steps for Ivanti Sentry?
Remediation for CVE-2026-10520 and CVE-2026-10523 requires immediate action to prevent exploitation, given the severity of these vulnerabilities and the public availability of a Proof-of-Concept. The primary remediation strategy involves applying the official patches released by Ivanti.
Remediation includes:
- Apply Patches Immediately:
  - Organizations running vulnerable Ivanti Sentry systems must upgrade to the patched version for their branch without delay:
    - Ivanti Sentry version 10.5.2
    - Ivanti Sentry version 10.6.2
    - Ivanti Sentry version 10.7.1
  - Follow Ivanti's official documentation and advisory for the correct upgrade procedure to ensure a successful and secure update.
- Interim Mitigation (only if patching must be delayed):
  - Ivanti has published no workaround beyond the patches. Given the unauthenticated attack vector, patching is the only full mitigation.
  - Until the patch is applied, restrict network access to the Ivanti Sentry administration interfaces so that only trusted management subnets can reach them. This is a temporary measure and does not remove the vulnerability; in particular, because the vulnerable input handler has not been identified, the restriction cannot be assumed to block the command injection path at all.
- Post-Patch Verification and Monitoring:
  - After patching, run Ivanti's Detection Artefact Generator to audit the appliance state. The patch closes the hole but does not evict an attacker who got in before it was applied, so this step is a check for prior compromise, not a confirmation that the patch worked.
  - Continue to monitor logs for signs of attempted or past exploitation. Review authentication logs for administrative accounts that may have been created through CVE-2026-10523 and remove any that are unauthorized. Treat an appliance that shows artefacts of root-level compromise as untrusted and rebuild it from a known-good image before returning it to service.
  - Verify that access to Ivanti Sentry administration interfaces remains limited to authorized management networks and personnel.
  - Regularly review the security posture of Ivanti Sentry deployments.
Rapid application of these patches is important to mitigate the risk of compromise.
Technical Takeaways
- CVE-2026-10520 is an unauthenticated OS command injection vulnerability in Ivanti Sentry with a CVSS score of 10.0, enabling root-level Remote Code Execution.
- CVE-2026-10523 is an unauthenticated authentication bypass vulnerability in Ivanti Sentry with a CVSS score of 9.9, allowing arbitrary administrative account creation and full administrative access.
- Both vulnerabilities affect all versions of Ivanti Sentry prior to versions 10.5.2, 10.6.2, and 10.7.1.
- Publicly available Proof-of-Concept (PoC) exploit code has been released by watchTowr Labs, increasing immediate exploitability risk.
- Ivanti has not reported any in-the-wild exploitation at the time of disclosure, but the public PoC requires urgent patching.
- Remediation requires immediate upgrade to Ivanti Sentry versions 10.5.2, 10.6.2, or 10.7.1, alongside post-patch auditing using Ivanti's Detection Artefact Generator and continuous security monitoring.