CVE-2026-10520 — Ivanti Sentry OS Command Injection Vulnerability

CVE-2026-10520

Ivanti Sentry — Pre-Auth OS Command Injection via Unauthenticated MICS Configuration Endpoint

What Is Ivanti Sentry?

Ivanti Sentry (formerly MobileIron Sentry) is the inline mobile security gateway deployed between Ivanti Endpoint Manager Mobile (EPMM)-managed devices and corporate backend systems — Exchange, SharePoint, internal application servers, and certificate authorities. Every email message and application data request from an enrolled mobile device flows through Sentry before reaching its destination. Because managed devices must be able to check in from any network, Sentry is internet-facing by design.

That architectural position makes it a high-value target. Compromising Sentry yields interception of mobile device email credentials and application tokens in transit, deep network adjacency to Exchange and Active Directory, and a trusted foothold inside the network perimeter — all from a single internet-reachable appliance.

Overview

CVE-2026-10520 is a pre-authentication OS command injection (CWE-78) in the MICS (Management, Integration, and Configuration Service) web application embedded in Ivanti Sentry. With a CVSS score of 10.0 — the maximum — it requires no credentials, no user interaction, and no special conditions. A single crafted HTTP POST to an unauthenticated Spring Boot endpoint achieves root-level remote code execution. The Changed scope rating reflects that exploitation provides access to all backend systems reachable from Sentry's network position, far beyond the appliance itself.

Ivanti patched the vulnerability on June 9, 2026. WatchTowr Labs published a working PoC the following day via binary diff analysis of the patch. Shadowserver observed active exploitation within 24 hours, identifying approximately 19 internet-exposed instances with the endpoint reachable — at least 2 already backdoored by the time of their June 11 report. CISA added it to the KEV catalog the same day with a three-day federal remediation deadline.

The same advisory addresses a companion flaw: CVE-2026-10523 (CWE-288), an authentication bypass that allows creation of arbitrary administrative accounts on the Sentry appliance, discovered by Bryan Lam. CVE-2026-10523 amplifies post-exploitation persistence but is not required to achieve root RCE — CVE-2026-10520 is fully self-contained.

Affected Versions

Branch   Vulnerable           Fixed
10.5.x   10.5.1 and earlier   10.5.2
10.6.x   10.6.1 and earlier   10.6.2
10.7.x   10.7.0               10.7.1

Technical Details

The vulnerable endpoint is POST /mics/api/v2/sentry/mics-config/handleMessage in Sentry's Spring Boot MICS service. The handler processes a user-supplied message parameter through a chain with no authentication gate at any stage:

  • ConfigServiceController.handleMessage() receives the unauthenticated request
  • ConfigServiceHandler.handleMessage() parses the payload into command tokens: command, module, xpath, value
  • ConfigRequestProcessor.handleExecute() dispatches via reflection based on the command token
  • CommonUtilities.executeNativeCommand() executes the attacker-controlled value string as a native OS command, running as root

An attacker crafts a commandexec XML element whose value field carries an arbitrary shell command. No sanitization is applied at any stage. The process runs as root.

WatchTowr Labs isolated the vulnerability by binary-diffing the mics-core JAR between versions 10.5.1 (vulnerable) and 10.5.2 (patched). The fix hardcodes the input value rather than accepting caller-supplied content, and adds an Apache-level authentication gate blocking unauthenticated access to the /mics/api/v2/sentry/mics-config/ path.

The CVSS Scope is rated Changed because the Sentry appliance sits inline between all managed mobile devices and corporate backend systems. A compromised Sentry instance provides access to Exchange, Active Directory, and any internal service reachable from Sentry's network segment — security impact extends well beyond the appliance itself.

Discovery

WatchTowr Labs discovered the vulnerability by binary-diffing the patch release on June 10, 2026 — one day after Ivanti published the fix — and immediately published a full technical write-up and working proof-of-concept. Bryan Lam independently discovered CVE-2026-10523, the companion authentication bypass covered in the same advisory.

Exploitation Context

Active exploitation was confirmed within approximately 24 hours of the WatchTowr PoC publication. Shadowserver scanned internet-facing Sentry instances and identified roughly 19 instances with the MICS endpoint publicly accessible; at least 2 had already been backdoored by the time of their June 11 report. Shadowserver's assessment: "all remaining [instances] likely compromised too" given the exposure window.

No named threat actor has been attributed in confirmed exploitation. A public mass-scanner PoC (ogenich/CVE-2026-10520) appeared on GitHub alongside the WatchTowr write-up, making weaponisation immediately accessible to any attacker. The combination of CVSS 10.0, pre-auth access, a published PoC, a small but fully-exposed target population, and a three-day CISA deadline marks this as an acute exploitation window with little margin for delayed patching.

This is the second Sentry MICS pre-auth RCE in the KEV catalog. CVE-2023-38035 exploited a different unauthenticated path on the same MICS service in 2023 — an Apache HTTPD misconfiguration leaving the Hessian RPC MICSLogService reachable on port 8443. CVE-2026-10520 targets a separate Spring Boot REST endpoint on the same service. The pattern of finding new unauthenticated paths in the MICS service across successive Sentry versions reflects a recurring authentication boundary problem in a complex multi-component management service.

Remediation

  1. Patch immediately. Upgrade to Sentry 10.5.2, 10.6.2, or 10.7.1 depending on your deployed branch.
  2. Restrict MICS access at the network perimeter. The MICS interface should not be reachable from the internet regardless of patching status. Enforce firewall or ACL rules to block external access to MICS ports as defense in depth against future MICS vulnerabilities.
  3. Enable mTLS between EPMM and Sentry. Mutual TLS with EPMM makes Sentry interfaces inaccessible to external actors even if network restrictions are incomplete.
  4. Restrict Sentry access via Neurons for MDM. If using Ivanti Neurons for MDM (cloud-managed), restrict HTTPS access to limit the reachable endpoint surface.
  5. Audit for post-exploitation indicators. Check for unexpected processes, new cron jobs, modified Apache configuration, dropped webshells, reverse shell connections, or unauthorized administrative accounts (CVE-2026-10523 vector). Treat any internet-exposed instance that was unpatched during the June 9–11 window as potentially compromised.
  6. Audit administrative accounts for CVE-2026-10523. If Sentry was externally reachable during the exposure window, enumerate all administrative accounts for unauthorized additions.
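As an added example (not part of the advisory, and not Ivanti or WatchTowr tooling), the following Python triages Apache access logs for requests to the unauthenticated MICS config endpoint named above, ranking an accepted external POST to handleMessage as the strongest indicator for step 5. It assumes the Apache combined log format; the trusted address ranges and the sample log lines are constructed placeholders.

```python
import re
from ipaddress import ip_address, ip_network

# Endpoint named in the advisory; the vendor fix also gates the whole prefix.
VULN_PATH = "/mics/api/v2/sentry/mics-config/handleMessage"
GATED_PREFIX = "/mics/api/v2/sentry/mics-config/"
# Assumed EPMM/management ranges (placeholder values; adjust to your environment).
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ORDER = ("critical", "high", "medium", "low")

# Apache combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

def classify(line):
    # Returns a finding for any request under the MICS config prefix, else None.
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    if not path.startswith(GATED_PREFIX):
        return None
    src = ip_address(m.group("ip"))
    external = not any(src in net for net in TRUSTED_NETS)
    status = int(m.group("status"))
    if path == VULN_PATH and m.group("method") == "POST":
        # An accepted (2xx) POST from outside the trusted ranges means the handler
        # processed a message without authentication: treat the host as compromised.
        severity = "critical" if external and 200 <= status < 300 else "high"
    else:
        severity = "medium" if external else "low"
    return {"ip": str(src), "ts": m.group("ts"), "method": m.group("method"),
            "path": path, "status": status, "external": external, "severity": severity}

def triage(lines):
    # Collect findings from an iterable of log lines, most severe first.
    hits = [h for h in map(classify, lines) if h]
    return sorted(hits, key=lambda h: ORDER.index(h["severity"]))

# Constructed sample lines (not real traffic); RFC 5737 addresses stand in for the internet.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2026:14:02:11 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 312 "-" "python-requests/2.31"
10.20.30.40 - - [10/Jun/2026:14:05:00 +0000] "GET /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 405 88 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Jun/2026:09:12:44 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 403 199 "-" "curl/8.4.0"
203.0.113.7 - - [10/Jun/2026:14:10:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG.splitlines()):
        print(f'{hit["severity"]:8} {hit["ip"]:14} {hit["method"]} {hit["path"]} -> {hit["status"]}')
```

Any "critical" hit dated inside the June 9 to 11 exposure window should be escalated to full forensic triage rather than closed on the basis of a later patch.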

Key Details

Property              Value
CVE ID                CVE-2026-10520
Vendor / Product      Ivanti — Sentry
NVD Published         2026-06-09
NVD Last Modified     2026-06-12
CVSS 3.1 Score        10.0
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-78
CISA KEV Added        2026-06-11
CISA KEV Deadline     2026-06-14
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Changed
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2026-06-14. Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA's BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA's "Forensics Triage Requirements" (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Timeline

Date         Event
2026-06-09   CVE published; Ivanti releases out-of-cycle patches for all affected Sentry branches
2026-06-10   WatchTowr Labs publishes technical write-up and working PoC via binary diff of the mics-core JAR
2026-06-11   CISA adds to Known Exploited Vulnerabilities catalog; Shadowserver reports active exploitation with at least 2 instances confirmed backdoored
2026-06-14   CISA BOD 22-01 remediation deadline