Remote, unauthenticated RCE with root privileges is about as bad as it gets
# Vulnerability: Critical RCE and Auth Bypass in Ivanti Sentry
## CVE Details
- **CVE IDs:** CVE-2026-10520, CVE-2026-10523
- **CVSS Score:** CVE-2026-10520: 10.0 (Critical); CVE-2026-10523: 9.9 (Critical)
- **CWE:** OS Command Injection (CVE-2026-10520); Authentication Bypass (CVE-2026-10523)
## Affected Systems
- **Products:** Ivanti Sentry (Mobile Gateway)
- **Versions:** 10.5.x prior to 10.5.2, 10.6.x prior to 10.6.2, and 10.7.x prior to 10.7.1.
- **Configurations:** Sentry appliances whose Apache Tomcat-served management APIs are reachable from untrusted networks.
## Vulnerability Description
**CVE-2026-10520 (CVSS 10.0):** A critical, pre-authentication OS command injection. An API endpoint served by Apache Tomcat hands attacker-supplied strings to a backend handler that interprets them as MICS configuration commands without validating them. Because that handler runs with elevated privileges, an injected OS command is executed as root. No credentials are needed, so a remote attacker who can reach the endpoint gets unauthenticated root code execution on the gateway.
**CVE-2026-10523 (CVSS 9.9):** An authentication bypass that lets an unauthenticated user obtain administrative access. An attacker can use it to create unauthorized administrator accounts and thereby take full control of the mobile gateway, including the configuration it enforces for downstream devices.
## Exploitation
- **Status:** Technical analysis published by third-party researchers (see References); no known exploitation in the wild at the time of disclosure.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Total (Root access/Admin privileges)
- **Integrity:** Total (Ability to modify configurations and system files)
- **Availability:** Total (Potential for system shutdown or disruption of mobile services)
## Remediation
### Patches
Ivanti has released the following versions to address these vulnerabilities:
- **Ivanti Sentry 10.5.2**
- **Ivanti Sentry 10.6.2**
- **Ivanti Sentry 10.7.1**
### Workarounds
- **Network Filtering:** Restrict access to the Apache Tomcat management interface to internal, trusted networks only (firewall or ACL at the network edge, not only on the appliance).
- **Access Control:** Update the Apache configuration rules to explicitly deny unauthenticated access to the sensitive API endpoints, which is the approach the official patch takes. Treat this as a stopgap until the fixed version is installed, not as a replacement for it.
## Detection
- **Indicators of Compromise:** Unusually large or malformed MICS configuration commands in the backend logs; creation of local administrator accounts that no operator can account for.
- **Detection Methods and Tools:** Review the Apache Tomcat access logs for requests to the management API paths that originate outside trusted networks, or that succeed without an authenticated user. Monitor for root-level processes spawned by the Tomcat service account or the MICS handler, and reconcile the administrator account list against change records.
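The access-log review described above, as an added example that is not part of the original advisory or Ivanti's tooling. It parses constructed Tomcat access-log lines in the `combined` pattern and flags requests to management API paths that come from untrusted networks, that succeed with no authenticated user, or whose request line is oversized (a rough access-log proxy for the "large MICS configuration command" indicator, which is really a backend-log signal). The path prefixes `/mics/` and `/admin/`, the trusted CIDRs and the size threshold are assumptions for illustration; the advisory does not publish the real endpoint paths, so substitute yours.

```python
"""Hunt Tomcat access logs for suspicious management-API requests.

Added example; not code from the advisory or from Ivanti. Every path,
network range and threshold below is a placeholder to adapt.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical management API prefixes; the advisory does not name the endpoint.
MANAGEMENT_PREFIXES = ("/mics/", "/admin/")
# Hypothetical trusted (internal) networks; requests from anywhere else are external.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
LONG_REQUEST_BYTES = 512  # request-line length above which we flag; tune to your baseline

# Constructed sample lines in the Tomcat AccessLogValve "combined" pattern:
# %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"
SAMPLE_LOG = "\n".join([
    '10.1.2.3 - admin [01/Mar/2026:10:00:01 +0000] "GET /mics/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Mar/2026:10:00:05 +0000] "POST /mics/config HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '203.0.113.7 - - [01/Mar/2026:10:00:06 +0000] "POST /admin/users HTTP/1.1" 201 44 "-" "python-requests/2.31"',
    '10.1.2.3 - - [01/Mar/2026:10:00:07 +0000] "POST /mics/config?cmd=' + "A" * 600 + ' HTTP/1.1" 200 12 "-" "curl/8.0"',
    '198.51.100.9 - - [01/Mar/2026:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip_str):
    """True if the client address falls inside one of TRUSTED_NETS."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # garbage in the %h field is never trusted
    return any(ip in net for net in TRUSTED_NETS)


def classify(entry):
    """Return the list of reasons this request is suspicious (empty if none)."""
    reasons = []
    if entry["path"].startswith(MANAGEMENT_PREFIXES):
        if not is_trusted(entry["ip"]):
            reasons.append("management API reached from untrusted network")
        # %u is "-" when the container saw no authenticated principal.
        if entry["user"] == "-" and entry["status"].startswith("2"):
            reasons.append("management API answered 2xx with no authenticated user")
    request_line = f'{entry["method"]} {entry["path"]} {entry["proto"]}'
    if len(request_line) > LONG_REQUEST_BYTES:
        reasons.append(f"oversized request line ({len(request_line)} bytes)")
    return reasons


def analyze(log_text):
    """Return (ip, method, truncated path, reasons) for every flagged request."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip rotated-header or truncated lines rather than crash
        reasons = classify(entry)
        if reasons:
            findings.append((entry["ip"], entry["method"], entry["path"][:80], tuple(reasons)))
    return findings


def source_summary(findings):
    """Count flagged requests per client address, to spot one host probing repeatedly."""
    return Counter(ip for ip, *_ in findings)


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for ip, method, path, reasons in hits:
        print(f"{ip:15} {method:5} {path}")
        for reason in reasons:
            print("    -", reason)
    print(source_summary(hits))
```

Two caveats when running this against real logs. The `%u` field is only populated for container-managed authentication; a web application that authenticates via its own session cookie or token will log `-` for every request, so the "no authenticated user" rule must then be replaced by checking for a session cookie or the application's own audit log. And the request-line length check only sees GET query strings; a command injected in a POST body never appears in the access log, which is why the backend MICS log remains the authoritative place to look for the oversized-command indicator.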
## References
- **Vendor Advisory:** hxxps[://]hub[.]ivanti[.]com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523
- **Technical Analysis:** hxxps[://]labs[.]watchtowr[.]com/more-evidence-that-words-dont-mean-what-we-thought-they-meant-ivanti-sentry-pre-auth-os-command-injection-cve-2026-10520/