Who thought Ivanti could pass the summer without a new vulnerability? Their last major one was published in February, and they are making a major comeback with this Pre-Authenticated Command Injection. The CrowdSec Network has detected a wave of exploitation attempts targeting CVE-2026-10520, a critical OS command injection vulnerability in Ivanti Sentry that allows unauthenticated root-level Remote Code Execution (RCE).

Key findings
- Immediate in-the-wild exploitation: CVE-2026-10520 was published on June 9, 2026, and by June 10, the CrowdSec Network observed the first exploitation attempts in the wild, promptly releasing detection rules.
- Critical severity: The vulnerability carries a CVSS score of 10.0, reflecting that an attacker needs no authentication to execute arbitrary commands as the root user.
- NEW Indicators of Compromise Available: The CrowdSec API tracker now features Indicators of Compromise (IoC) for CVE-2026-10520, enabling defenders to identify malicious http_path patterns actively targeting this flaw.
What is Ivanti Sentry?
Ivanti Sentry, formerly MobileIron Sentry, is an in-line gateway that manages, encrypts, and secures traffic between mobile devices, enterprise backend systems, and cloud services. It is typically utilized by IT and security teams in large organizations to enforce access control.
Why it matters: Sentry is designed to stand at the edge of the network, defending access to core business data from remote connections. Giving an attacker root access to an edge appliance is like hiring a security guard who leaves the front-door key under the doormat. It provides a direct foothold for deeper network penetration, leading to potential data theft, ransomware deployment, or a widespread infrastructure takeover.
How does CVE-2026-10520 work?
CVE-2026-10520 is caused by improper neutralization of special elements in OS commands. The vulnerability resides specifically in the /mics/api/v2/sentry/mics-config/handleMessage API endpoint.
Attackers can exploit this flaw by sending specially crafted HTTP POST requests whose message parameter carries an OS command payload. Because this input is not sanitized before it is passed to an underlying OS process, the injected commands run with root privileges.
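As an added example (not code from CrowdSec, Ivanti or watchTowr), the following Python flags requests to the endpoint named above in constructed access-log lines, rating them by source network, method and response status. The combined log format, the trusted-network allowlist and the sample lines are assumptions made for this demonstration.

```python
# Added example: detect requests to the CVE-2026-10520 endpoint in access logs.
# Assumptions: nginx/Apache combined log format, a management-network allowlist,
# and constructed sample lines. Not CrowdSec's, Ivanti's or watchTowr's code.
import ipaddress
import re
from typing import Optional

# Endpoint named in the advisory.
VULN_PATH = "/mics/api/v2/sentry/mics-config/handleMessage"

# Assumption: only these networks are expected to reach the mics-config API.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Combined log format: ip ident user [ts] "METHOD target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def classify(line: str) -> Optional[dict]:
    """Return an alert dict for a line touching the vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string and normalise trailing slash and case so trivial
    # variants of the path are not missed.
    path = m["target"].split("?", 1)[0].rstrip("/").lower()
    if path != VULN_PATH.lower():
        return None
    trusted = any(ipaddress.ip_address(m["ip"]) in net for net in TRUSTED_NETS)
    status = int(m["status"])
    if m["method"] == "POST" and not trusted:
        # A 2xx here means the appliance accepted the request: likely compromise.
        severity = "critical" if status < 300 else "high"
    elif not trusted:
        severity = "medium"   # untrusted non-POST probe of the endpoint
    elif m["method"] == "POST":
        severity = "low"      # POST from a management network: review, not page
    else:
        return None           # e.g. a health probe from the management network
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "status": status, "severity": severity}

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jun/2026:03:14:07 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.7 - - [10/Jun/2026:03:14:09 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 48
10.20.30.40 - - [10/Jun/2026:03:20:00 +0000] "GET /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 404 0
203.0.113.9 - - [10/Jun/2026:04:01:22 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage/?x=1 HTTP/1.1" 500 0
"""

def scan(log: str) -> list:
    """Return alerts for every suspicious line in a log, in file order."""
    return [a for a in (classify(l) for l in log.splitlines()) if a]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```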
A special credit goes to watchTowr for their comprehensive (and characteristically humorous) disclosure of this vulnerability. Their write-up perfectly captures the ongoing pain of edge appliance security.
- Research credit: watchTowr Labs: More Evidence That Words Don’t Mean What We Thought They Meant
- Reference: ProjectDiscovery Nuclei Template
- Official advisory: Ivanti Security Advisory
Threat Landscape Analysis
CrowdSec has been tracking this vulnerability since June 10, 2026. Initially, we observed a rapid spike in attempts as actors scanned for vulnerable, internet-exposed instances. According to the CrowdSec community data, the exploitation phase has now shifted to “Wearing Out.” While still present in the wild, the overall volume has dropped noticeably week over week.
Interestingly, while opportunistic exploitation accounts for the majority of activity, some threat actors are moving away from noisy mass-scanning towards basic targeting methods, such as stealthy port or service detection, before launching the exploit payload. This indicates an emerging pattern of selective targeting aimed at unpatched, high-value infrastructure.

How to protect your systems
Patch: Apply the immediate patches provided by Ivanti. Upgrade Ivanti Sentry to versions R10.5.2, R10.6.2, or R10.7.1 or newer, where the vulnerability has been remediated.
Preemptive blocking: Restrict external access to Sentry administration endpoints if they do not need to be publicly exposed. Put the CrowdSec WAF in front of exposed gateways.
Stay proactive: For instant monitoring of how this CVE evolves, follow the CrowdSec Live Exploit Tracker for CVE-2026-10520.
Unsure about where to start? Check out our special 3-minute introduction track at: https://start.crowdsec.net
Sharing insights and taking swift action can collectively reduce the impact of these threats. This is your call to action for real-time threat intelligence and collaborative cybersecurity.
