CVE-2026-10520

CVE Database · CVE-2026-10520

CVE-2026-10520

· CRITICALAnalyzed

CVSS v3.1

10.0

EPSS

59.52%

Published

Jun 9, 2026

Modified

Jun 12, 2026

CISA Known Exploited Vulnerability

Added: 2026-06-11 · Due: 2026-06-14

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Public PoC / Exploit (5)

All weaponized →

NucleiNuclei detection template GitHub PoCwatchtowrlabs/watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523★12 GitHub PoC0xBlackash/CVE-2026-10520★3 GitHub PoCogenich/CVE-2026-10520★1 GitHub PoCHORKimhab/CVE-2026-10520-10523

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Weaknesses (CWE)

CWE-78

Affected Products (3)

ivanti · standalone_sentry (up to 10.5.2)vulnerable

ivanti · standalone_sentry (up to 10.6.2)vulnerable

ivanti · standalone_sentryvulnerable

References (3)

https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US

PatchVendor Advisory

https://github.com/watchtowrlabs/watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523

Third Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-10520

US Government Resource

KEV Catalog EPSS Scores Vendors All CVEs