
CVE-2026-10520

Ivanti Sentry Pre-Authenticated OS Command Injection Vulnerability

Ivanti Sentry contains a critical pre-authenticated OS command injection vulnerability, tracked as CVE-2026-10520, that allows unauthenticated remote attackers to execute arbitrary operating system commands as root on vulnerable appliances. The flaw exists in the /mics/api/v2/sentry/mics-config/handleMessage endpoint, which processes user-supplied XML messages without proper authentication or input validation. A public proof-of-concept was released on June 10, 2026, increasing the likelihood of exploitation. Affected versions include Ivanti Sentry prior to R10.5.2, R10.6.2, and R10.7.1.

What it is and why it matters

Ivanti Sentry serves as a gateway between mobile devices and enterprise resources, commonly providing secure access to Microsoft Exchange and other internal applications. According to Ivanti’s advisory, an unauthenticated attacker can submit a crafted commandexec XML payload to the vulnerable endpoint and trigger arbitrary command execution with root privileges.

This vulnerability is particularly concerning because:

  • No authentication is required.
  • Successful exploitation results in root-level code execution.
  • Sentry is commonly deployed at the network edge.
  • Compromise can provide attackers a pathway into internal enterprise systems.
  • A public proof-of-concept is already available.
  • The vulnerability has been assigned a CVSS score of 10.0.

Organizations using Ivanti Endpoint Manager Mobile (EPMM) alongside Sentry face elevated risk because compromise of the gateway can undermine downstream access controls and expose connected enterprise resources.
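For defenders reviewing their own appliances, the following added example (not Horizon3.ai's or Ivanti's code) scans web access logs for requests to the endpoint named above, normalizing percent-encoding, duplicate slashes and letter case so that variant spellings of the path are still matched. It assumes the logs use the Apache common/combined layout; the sample lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Endpoint named in the advisory text; compared case-insensitively.
ENDPOINT = "/mics/api/v2/sentry/mics-config/handleMessage".lower()

# Assumption: Apache common/combined access-log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})\b'
)

def normalize(target):
    """Reduce a raw request target to a canonical lowercase path."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    for _ in range(2):  # undo single and double percent-encoding
        path = unquote(path)
    # Collapse repeated slashes and resolve "." / ".." segments.
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def find_hits(lines):
    """Return one record per request whose path resolves to the endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line is not in the assumed layout
        if normalize(m["target"]).startswith(ENDPOINT):
            hits.append({"ip": m["ip"], "time": m["ts"],
                         "method": m["method"], "status": int(m["status"])})
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Jun/2026:14:02:11 +0000] "POST '
    '/mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.10 - - [10/Jun/2026:14:03:40 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "-"',
    '203.0.113.7 - - [11/Jun/2026:09:15:02 +0000] "POST '
    '//mics/api/v2/sentry/mics-config/%68andleMessage?x=1 HTTP/1.1" 401 199 "-" "-"',
    'not an access-log line',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

How a given status code maps to whether the handler processed the request is not stated on this page, so review every hit from a source that is not a known management host.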

Stop Guessing, Start Proving

NodeZero® Proactive Security Platform — Rapid Response

A NodeZero Rapid Response test has been developed to safely validate whether this OS command injection vulnerability can be exploited in your environment. The test executes real attack techniques without causing damage, giving teams immediate clarity on exposure.

  • Run the Rapid Response test: Launch from the NodeZero platform to determine whether unauthenticated command execution is possible.
  • Patch immediately: Upgrade to Ivanti Sentry R10.5.2, R10.6.2, R10.7.1, or later.
  • Re-run the test: Confirm the vulnerability is no longer exploitable after remediation.

Affected versions & patch

Affected versions

  • Ivanti Sentry versions prior to R10.5.2
  • Ivanti Sentry versions prior to R10.6.2
  • Ivanti Sentry versions prior to R10.7.1

Patched versions

  • R10.5.2
  • R10.6.2
  • R10.7.1 and later

Ivanti’s fixes remove attacker control over the vulnerable endpoint and introduce an additional Apache-level authentication layer in front of the affected functionality.

Timeline (key)

  • June 9, 2026 — Ivanti published security updates addressing CVE-2026-10520.
  • June 10, 2026 — Rapid Response test released.
  • June 10, 2026 — NHS England National CSOC assessed exploitation as highly likely.
