CVE-2026-10520 (GCVE-0-2026-10520)
Vulnerability from cvelistv5 – Published: 2026-06-09 14:10 – Updated: 2026-06-12 03:55- CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
| URL | Tags |
|---|---|
| https://hub.ivanti.com/s/article/Security-Advisor… | |
| https://github.com/watchtowrlabs/watchTowr-vs-Iva… | exploit |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
CISA
Known Exploited Vulnerability - GCVE BCP-07 Compliant
Exploited: Yes
Timestamps
Scope
Evidence
Type: Vendor Report
Signal: Successful Exploitation
Confidence: 80%
Source: cisa-kev
Details
| Cwes | CWE-78 |
|---|---|
| Feed | CISA Known Exploited Vulnerabilities Catalog |
| Product | Sentry |
| Due Date | 2026-06-14 |
| Date Added | 2026-06-11 |
| Vendorproject | Ivanti |
| Vulnerabilityname | Ivanti Sentry OS Command Injection Vulnerability |
| Knownransomwarecampaignuse | Unknown |
References
CIRCL
Known Exploited Vulnerability - GCVE BCP-07 Compliant
Exploited: Yes
Characteristics
Timestamps
Shadowserver
Known Exploited Vulnerability - GCVE BCP-07 Compliant
Exploited: Yes
Characteristics
Timestamps
Scope
Evidence
Type: Honeypot
Signal: In The Wild Attempts
Confidence: 70%
Source: shadowserver
Details
| 1D | 2 |
|---|---|
| Iot | no |
| Feed | Shadowserver Foundation honeypot/exploited-vulnerabilities |
| Type | http-scan |
| Class | other-software |
| 7D Avg | 1 |
| Vendor | Ivanti |
| 30D Avg | 1 |
| 90D Avg | 0 |
| Product | Sentry |
| Cisa Kev | yes |
| Connections | 30 |
| Observation Date | 2026-06-29 |
| Vulnerability Class | CVSS |
| Vulnerability Score | 10 |
| Vulnerability Severity | Critical |
References
KEVIntel
Known Exploited Vulnerability - GCVE BCP-07 Compliant
Exploited: Yes
Timestamps
Scope
Evidence
Type: Public Report
Signal: Successful Exploitation
Confidence: 70%
Source: kevintel
Details
| Feed | KEVIntel (kevintel.com) |
|---|---|
| Title | An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to... |
| Vendor | ivanti |
| Product | Sentry |
| Added Date | 2026-06-10T09:50:00.000Z |
| Cvss Score | 10.0 |
| Epss Score | 0.59524 |
| Cvss Severity | CRITICAL |
| Epss Percentile | 0.99003 |
| Used In Malware | unknown |
| Ahead Of Cisa Kev |
|
| Not Yet In Cisa Kev | False |
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10520",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T03:55:15.947Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/watchtowrlabs/watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-10520"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Sentry",
"vendor": "ivanti",
"versions": [
{
"status": "unaffected",
"version": "R10.5.2"
},
{
"status": "unaffected",
"version": "R10.6.2"
},
{
"status": "unaffected",
"version": "R10.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An OS Command Injection vulnerability\u0026nbsp;in Ivanti\u0026nbsp;Sentry before\u0026nbsp;the\u0026nbsp;R10.5.2, R10.6.2 and R10.7.1\u0026nbsp;versions\u0026nbsp;allows\u0026nbsp;a remote unauthenticated user to achieve root-level remote code execution\u0026nbsp;"
}
],
"value": "An OS Command Injection vulnerability\u00a0in Ivanti\u00a0Sentry before\u00a0the\u00a0R10.5.2, R10.6.2 and R10.7.1\u00a0versions\u00a0allows\u00a0a remote unauthenticated user to achieve root-level remote code execution"
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T14:10:21.581Z",
"orgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
"shortName": "ivanti"
},
"references": [
{
"url": "https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
"assignerShortName": "ivanti",
"cveId": "CVE-2026-10520",
"datePublished": "2026-06-09T14:10:21.581Z",
"dateReserved": "2026-06-01T08:47:35.793Z",
"dateUpdated": "2026-06-12T03:55:15.947Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"cisa_known_exploited": {
"cveID": "CVE-2026-10520",
"cwes": "[\"CWE-78\"]",
"dateAdded": "2026-06-11",
"dueDate": "2026-06-14",
"knownRansomwareCampaignUse": "Unknown",
"notes": "https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US ; BOD 26-04: https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk ; Forensics Triage Requirements: https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk ; https://nvd.nist.gov/vuln/detail/CVE-2026-10520",
"product": "Sentry",
"requiredAction": "Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA\u2019s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA\u2019s \u201cForensics Triage Requirements\u201d (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset\u0027s internet exposure and ensuring adherence to BOD 26-04 patching guidelines.",
"shortDescription": "Ivanti Sentry (formerly known as MobileIron Sentry) contains an OS command injection vulnerability which could allow a remote unauthenticated user to achieve root-level remote code execution. This vulnerability can be successfully exploited in cases where the Sentry appliance is in an unmanaged state with its endpoints externally reachable. The use of mTLS with EPMM or restricted HTTPS access through Neurons for MDM makes interfaces inaccessible to external actors.",
"vendorProject": "Ivanti",
"vulnerabilityName": "Ivanti Sentry OS Command Injection Vulnerability"
},
"epss": {
"cve": "CVE-2026-10520",
"date": "2026-06-30",
"epss": "0.98937",
"percentile": "0.99922"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-10520\",\"sourceIdentifier\":\"3c1d8aa1-5a33-4ea4-8992-aadd6440af75\",\"published\":\"2026-06-09T16:16:35.700\",\"lastModified\":\"2026-06-17T10:12:16.930\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An OS Command Injection vulnerability\u00a0in Ivanti\u00a0Sentry before\u00a0the\u00a0R10.5.2, R10.6.2 and R10.7.1\u00a0versions\u00a0allows\u00a0a remote unauthenticated user to achieve root-level remote code execution\"}],\"affected\":[{\"source\":\"3c1d8aa1-5a33-4ea4-8992-aadd6440af75\",\"affectedData\":[{\"vendor\":\"ivanti\",\"product\":\"Sentry\",\"defaultStatus\":\"affected\",\"versions\":[{\"version\":\"R10.5.2\",\"status\":\"unaffected\"},{\"version\":\"R10.6.2\",\"status\":\"unaffected\"},{\"version\":\"R10.7.1\",\"status\":\"unaffected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"3c1d8aa1-5a33-4ea4-8992-aadd6440af75\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-06-09T00:00:00+00:00\",\"id\":\"CVE-2026-10520\",\"options\":[{\"exploitation\":\"active\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"cisaExploitAdd\":\"2026-06-11\",\"cisaActionDue\":\"2026-06-14\",\"cisaRequiredAction\":\"Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA\u2019s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA\u2019s \u201cForensics Triage Requirements\u201d (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset\u0027s internet exposure and ensuring adherence to BOD 26-04 patching guidelines.\",\"cisaVulnerabilityName\":\"Ivanti Sentry OS Command Injection Vulnerability\",\"weaknesses\":[{\"source\":\"3c1d8aa1-5a33-4ea4-8992-aadd6440af75\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ivanti:standalone_sentry:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"10.5.2\",\"matchCriteriaId\":\"C33107C3-2CB4-495C-ACB2-F1440ADAA2B0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ivanti:standalone_sentry:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.6.0\",\"versionEndExcluding\":\"10.6.2\",\"matchCriteriaId\":\"F5579D89-84ED-45BA-922F-B84DC5E3EE93\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ivanti:standalone_sentry:10.7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F16798C-197D-4CED-BCD1-9C93A28D29D2\"}]}]}],\"references\":[{\"url\":\"https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US\",\"source\":\"3c1d8aa1-5a33-4ea4-8992-aadd6440af75\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/watchtowrlabs/watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-10520\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-10520\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-11T19:17:49.101203Z\"}}}], \"references\": [{\"url\": \"https://github.com/watchtowrlabs/watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523\", \"tags\": [\"exploit\"]}, {\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-10520\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-09T15:42:20.215Z\"}}], \"cna\": {\"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-248\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-248 Command Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"ivanti\", \"product\": \"Sentry\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"R10.5.2\"}, {\"status\": \"unaffected\", \"version\": \"R10.6.2\"}, {\"status\": \"unaffected\", \"version\": \"R10.7.1\"}], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US\"}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.2\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An OS Command Injection vulnerability\\u00a0in Ivanti\\u00a0Sentry before\\u00a0the\\u00a0R10.5.2, R10.6.2 and R10.7.1\\u00a0versions\\u00a0allows\\u00a0a remote unauthenticated user to achieve root-level remote code execution\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An OS Command Injection vulnerability\u0026nbsp;in Ivanti\u0026nbsp;Sentry before\u0026nbsp;the\u0026nbsp;R10.5.2, R10.6.2 and R10.7.1\u0026nbsp;versions\u0026nbsp;allows\u0026nbsp;a remote unauthenticated user to achieve root-level remote code execution\u0026nbsp;\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"3c1d8aa1-5a33-4ea4-8992-aadd6440af75\", \"shortName\": \"ivanti\", \"dateUpdated\": \"2026-06-09T14:10:21.581Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-10520\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-12T03:55:15.947Z\", \"dateReserved\": \"2026-06-01T08:47:35.793Z\", \"assignerOrgId\": \"3c1d8aa1-5a33-4ea4-8992-aadd6440af75\", \"datePublished\": \"2026-06-09T14:10:21.581Z\", \"assignerShortName\": \"ivanti\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.