Critical Command Injection Vulnerability in Ivanti Sentry Allows Unauthenticated Root-Level RCE
Ivanti Sentry, a gateway for mobile device management, is affected by CVE-2026-10520, a critical OS command injection flaw enabling unauthenticated root-level remote code execution.

Ivanti has disclosed a critical OS command injection vulnerability, tracked as CVE-2026-10520, affecting its Sentry product. This flaw, rated with a CVSS score of 10/10, allows unauthenticated remote attackers to achieve root-level remote code execution on vulnerable versions.
Ivanti Sentry, formerly known as MobileIron Sentry, acts as an in-line gateway that manages, encrypts, and secures traffic between mobile devices and enterprise backend systems. It typically sits between corporate mobile fleets and resources like Microsoft Exchange, controlling ActiveSync email traffic and application data. By enforcing device-level access decisions, Sentry ensures that only compliant, registered devices can access internal services. Given its position at the network edge and its role in brokering access to sensitive infrastructure, a compromise of Sentry can provide attackers with a direct pathway into internal systems.
The vulnerability specifically impacts versions prior to R10.5.2, R10.6.2, and R10.7.1. Researchers at watchTowr Labs identified that the vulnerability resides within the ConfigServiceController.java file, specifically in a method annotated with @PostMapping({"/handleMessage"}). This endpoint, accessible at /mics/api/v2/sentry/mics-config/handleMessage, accepts a user-supplied message string that is then passed directly into the handleMessage() method for processing.
Analysis of the handleMessage() method in ConfigServiceHandler.java reveals that the application parses the input message to extract command, module, and xpath parameters. The vulnerability arises from insufficient sanitization or validation of these parameters before they are used in subsequent operations, potentially leading to the injection of arbitrary OS commands. The exact mechanism involves how the StringTokenizer processes the input message and how these tokens are subsequently utilized within the application's logic, allowing an attacker to control parts of the command executed on the server.
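A log-hunting sketch for the endpoint path named above, added here as an example and not code from Ivanti or watchTowr Labs. The combined-style access-log layout is an assumption, the sample lines are constructed, and the helper names are hypothetical.

```python
import posixpath
import re
from urllib.parse import unquote

# Endpoint path named in the article, lower-cased for comparison.
ENDPOINT = "/mics/api/v2/sentry/mics-config/handlemessage"

# Assumption: combined-style access log lines (Apache/NGINX layout).
LINE_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] '
    '"POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 87',
    '198.51.100.7 - - [01/Jan/2026:10:00:09 +0000] '
    '"POST /mics/api/v2/sentry//mics-config/%68andleMessage?x=1 HTTP/1.1" 500 0',
    '203.0.113.4 - - [01/Jan/2026:10:01:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
]

def normalize(target):
    """Canonicalize a request target so encoded or padded forms still match."""
    path = target.split("?", 1)[0]          # drop the query string
    for _ in range(2):                      # second pass catches double-encoding
        path = unquote(path)
    path = re.sub(r";[^/]*", "", path)      # drop ;path-parameters
    path = re.sub(r"/+", "/", path)         # collapse repeated slashes
    # Lower-casing over-matches on purpose: a hunt prefers false positives.
    return posixpath.normpath(path).lower()

def find_hits(lines):
    """Return every parsed request whose path resolves to the endpoint."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and normalize(m["target"]) == ENDPOINT:
            hits.append({"src": m["src"], "ts": m["ts"],
                         "method": m["method"], "status": int(m["status"])})
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

Because the flaw is described as unauthenticated, any hit from a source that is not a known management host is worth reviewing regardless of the response status.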
In addition to CVE-2026-10520, Ivanti also disclosed CVE-2026-10523, an authentication bypass vulnerability in the same product. This separate flaw allows unauthenticated attackers to create arbitrary administrative accounts, granting them full administrative access to the Sentry appliance. While the command injection vulnerability offers direct code execution, the authentication bypass could be used to gain initial access or escalate privileges within the management interface.
Ivanti has released patches for these vulnerabilities. Customers are strongly advised to update their Ivanti Sentry instances to the patched versions: R10.5.2, R10.6.2, or R10.7.1, or later. Failure to patch these critical vulnerabilities could expose organizations to significant risk, including complete system compromise and potential lateral movement within their networks.
The discovery of these vulnerabilities underscores the ongoing challenges in securing edge devices and gateways that manage access to critical enterprise resources. The high severity and unauthenticated nature of CVE-2026-10520 make it a prime target for threat actors seeking to gain a foothold in corporate environments.
Ivanti has released patches for two vulnerabilities in its Sentry secure mobile gateway, including the maximum-severity flaw previously disclosed. The vendor has now provided updates to address these critical issues, urging customers to apply them promptly to mitigate the risk of remote code execution as root.
The new advisory from Ivanti also details a second critical vulnerability, CVE-2026-10523, which carries a CVSS score of 9.9 and allows unauthenticated attackers to create administrative accounts on affected systems. Customers are urged to upgrade to versions 10.5.2, 10.6.2, or 10.7.1 to mitigate both issues.
This new report details a second critical vulnerability, CVE-2026-10523, which allows unauthenticated attackers to create administrative accounts and gain full administrative access. Additionally, a public proof-of-concept exploit for CVE-2026-10520 has been released, significantly increasing the risk of in-the-wild exploitation.
The new article details a second critical vulnerability, CVE-2026-10523, which allows for authentication bypass and the creation of administrative accounts on affected Ivanti Sentry devices. While CVE-2026-10520 is the primary focus of the existing story, this additional flaw exacerbates the risk for organizations running vulnerable versions of the security gateway.