ctipilot.ch

Ivanti Sentry pre-auth OS command injection to root (CVSS 10.0); watchTowr public PoC; companion CVE-2026-10523 auth bypass

cve · CVE-2026-10520

  • Coverage timeline: 1 (first 2026-06-10 → last 2026-06-10)
  • Briefs: 1 (1 distinct)
  • Sources cited: 26 (17 hosts)
  • Sections touched: 1 (trending_vulns)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-06-10 · CTI Daily Brief — 2026-06-10
    trending_vulns · First coverage. Public PoC same-day; no confirmed ITW; patch R10.5.2/R10.6.2/R10.7.1.

Where this entity is cited

  • trending_vulns: 1

Source distribution

  • cert.ssi.gouv.fr: 3 (12%)
  • helpnetsecurity.com: 3 (12%)
  • ivanti.com: 2 (8%)
  • nvd.nist.gov: 2 (8%)
  • security-hub.ncsc.admin.ch: 2 (8%)
  • securityweek.com: 2 (8%)
  • thehackernews.com: 2 (8%)
  • labs.watchtowr.com: 1 (4%)
  • other: 9 (35%)

Related entities

Items in briefs about Ivanti Sentry pre-auth OS command injection to root (CVSS 10.0); watchTowr public PoC; companion CVE-2026-10523 auth bypass (1)

CVE-2026-10520 / CVE-2026-10523 — Ivanti Sentry: pre-auth OS command injection to root (CVSS 10.0), public PoC published today

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

CVE-2026-10520 is an unauthenticated OS command injection in Ivanti Sentry (formerly MobileIron Sentry), the EMM/MDM enforcement gateway that proxies email and applications to managed devices and frequently fronts Exchange.

The vulnerable endpoint is /mics/api/v2/sentry/mics-config/handleMessage on the MICS admin API (port 8443): ConfigServiceController.handleMessage() accepts XML payloads containing commandexec blocks whose reqandres field is passed unvalidated through ConfigRequestProcessor.handleExecute() into native command execution, yielding root-level RCE with no authentication (watchTowr, 2026-06-10).

watchTowr published the technical analysis and a working PoC on 2026-06-10; CVE-2026-10523 is a companion authentication bypass (CWE-288) covered in the same Ivanti advisory (watchTowr, 2026-06-10). No in-the-wild exploitation is confirmed yet, but a same-day public PoC against a pre-auth root RCE on a government-grade MDM gateway sharply compresses the patching window.

Affected: all Sentry versions before R10.5.2 / R10.6.2 / R10.7.1. Patch immediately and, in the interim, restrict the MICS interface (8443) to management IPs (T1190, T1059.004).
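An added example, not code from the brief, Ivanti or watchTowr: a log triage pass that supports the interim mitigation by flagging requests to the handleMessage endpoint from sources outside the management allowlist. The "combined" access-log layout, the 10.20.0.0/24 management range and the sample lines are assumptions made for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Endpoint named in the brief, lowercased for comparison after normalisation.
MICS_ENDPOINT = "/mics/api/v2/sentry/mics-config/handlemessage"
# Assumption: networks allowed to reach the MICS admin interface (8443).
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: access log in the common "combined" layout.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '10.20.0.15 - - [10/Jun/2026:08:01:12 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [10/Jun/2026:09:14:03 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 734 "-" "-"',
    '198.51.100.23 - - [10/Jun/2026:09:20:41 +0000] "POST /mics//api/v2/sentry/./mics-config/handleMessage;a=b?x=1 HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.7 - - [10/Jun/2026:09:21:00 +0000] "GET /favicon.ico HTTP/1.1" 200 1811 "-" "-"',
]

def normalise_path(target):
    """Reduce a request target to a canonical path (deliberately liberal)."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    path = re.sub(r";[^/]*", "", path)   # drop ;path-parameters
    path = re.sub(r"/{2,}", "/", path)   # collapse repeated slashes
    return posixpath.normpath(path).lower()  # resolve ./.. and trailing slash

def triage(lines):
    """Return (src, timestamp, method, status, verdict) per request to the endpoint."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalise_path(m["target"]) != MICS_ENDPOINT:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            external = not any(src in net for net in MGMT_NETS)
        except ValueError:
            external = True  # unparseable source field: treat as untrusted
        verdict = "INVESTIGATE" if external else "review"
        hits.append((m["src"], m["ts"], m["method"], int(m["status"]), verdict))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

On an unpatched Sentry, any INVESTIGATE hit is worth checking regardless of status code, since it shows the MICS interface was reachable from outside the management range.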