Ivanti Sentry Pre-Auth OS Command Injection (CVE-2026-10520) Allows Root-Level Remote Code Execution
By Sonny
Summary
Ivanti published an advisory detailing two vulnerabilities in its Sentry product. CVE-2026-10520 is a pre-authenticated OS Command Injection vulnerability with a CVSS score of 10/10, allowing remote unauthenticated attackers to achieve root-level remote code execution on Ivanti Sentry versions before R10.5.2, R10.6.2, and R10.7.1. CVE-2026-10523 is an Authentication Bypass vulnerability. The article discusses the severity and implications of these vulnerabilities in a somewhat informal, sarcastic tone.
Source
Ivanti Sentry Pre-Auth OS Command Injection (CVE-2026-10520) Allows Root-Level Remote Code Execution (labs.watchtowr.com)
Key quotes
Today, Ivanti published an advisory. 'No way?' we hear you say. 'Yes way!'
CVE-2026-10520 gets full Secure-by-Design points with a CVSS score of 10/10 - just as you'd expect for a Pre-Authenticated Command Injection.
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution