VULNERABILITY OVERVIEW
A pre-authentication OS command injection vulnerability (CWE-78) affects Ivanti Sentry's MICS configuration API endpoint (/mics/api/v2/sentry/mics-config/handleMessage). The endpoint passes user-supplied input directly into OS command execution, enabling unauthenticated remote code execution as root with no user interaction required. watchTowr Labs published a full technical analysis and public PoC on June 10, 2026. Shadowserver confirmed active exploitation within 48 hours of the PoC release, reporting mass exploitation attempts and at least 2 backdoored instances out of 19 vulnerable internet-exposed appliances scanned. CISA added the vulnerability to its KEV catalog on June 11 with a 3-day federal remediation deadline.
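A log triage sketch for the endpoint named above, added here as an example and not taken from the vendor advisory or the cited write-ups. It assumes the appliance's front-end requests are available in Apache/nginx "combined" format; the sample lines, addresses and HTTP methods are constructed.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint from the overview, lowercased so case variants are flagged too.
TARGET = "/mics/api/v2/sentry/mics-config/handlemessage"
# Assumption: access logs use the Apache/nginx "combined" layout.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize(uri):
    """Canonicalize a request path so encoded or padded variants still match."""
    path = uri.split("?", 1)[0]          # drop the query string
    for _ in range(3):                   # undo up to three layers of percent-encoding
        path = unquote(path)
    path = re.sub(r";[^/]*", "", path)   # drop ;path-parameters
    path = re.sub(r"/{2,}", "/", path)   # collapse repeated slashes
    return posixpath.normpath(path).lower()  # resolve ./ and ../, trailing slash

def find_hits(lines):
    """Return {source_ip: summary} for every request that reaches TARGET."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                "statuses": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize(m["uri"]) != TARGET:
            continue
        h = hits[m["ip"]]
        h["count"] += 1
        h["first"] = h["first"] or m["ts"]
        h["last"] = m["ts"]
        h["statuses"].add(int(m["status"]))
    return dict(hits)

# Constructed sample lines (documentation address ranges, no real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Jun/2026:02:14:09 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [11/Jun/2026:02:14:31 +0000] "POST /mics//api/v2/sentry/./mics-config/handleMessage?x=1 HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.40 - - [11/Jun/2026:03:02:55 +0000] "POST /mics/api/v2/sentry/mics%2Dconfig/handlemessage HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.15 - - [11/Jun/2026:03:10:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "-"',
]

if __name__ == "__main__":
    for ip, h in find_hits(SAMPLE_LOG).items():
        print(ip, h["count"], h["first"], h["last"], sorted(h["statuses"]))
```

Because the endpoint is reachable without authentication, any hit from an address outside the management network is worth reviewing, whatever its status code.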
CVSS BREAKDOWN
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope / Impact: CHANGED, C:H · I:H · A:H
AFFECTED VERSIONS
Ivanti Sentry versions 10.5.1, 10.6.1, 10.7.0 and earlier (all R10.5.x, R10.6.x, R10.7.x trains)
CITATIONS
- → https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523
- → https://labs.watchtowr.com/more-evidence-that-words-dont-mean-what-we-thought-they-meant-ivanti-sentry-pre-auth-os-command-injection-cve-2026-10520/
- → https://www.rapid7.com/blog/post/etr-cve-2026-10520-cve-2026-10523-multiple-critical-vulnerabilities-affecting-ivanti-sentry/
- → https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- → https://www.helpnetsecurity.com/2026/06/10/ivanti-sentry-cve-2026-10520-cve-2026-10523/