CRITICAL | CVE-2026-10520 | Published | Modified | CNA: ivanti

CVE-2026-10520: An OS Command Injection vulnerability in Ivanti Sentry before the R10

An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution.

Metrics

CVSS v3.1: 10.0
Severity: CRITICAL
Fixed in: R10.5.2
Affected Products: 1


HarborGuard Analysis

Synopsis

An OS command injection vulnerability in Ivanti Sentry (versions before R10.5.2, R10.6.2, and R10.7.1) allows a remote, unauthenticated attacker to inject arbitrary operating system commands through a network-exposed interface. No credentials or user interaction are required to reach the vulnerable code path. Successful exploitation gives the attacker root-level remote code execution on the host, enabling full system compromise including data disclosure, modification, and service disruption. Patched-image rebuilds at versions R10.5.2, R10.6.2, and R10.7.1 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-10520 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream advisory feeds. Coverage extends to custom-built images that bundle Ivanti Sentry, not only images pulled from public registries.

Status: Available
Triage

HarborGuard is capable of scoring this CVE at CVSS 10.0 Critical and weighting that score against each environment's compliance policy to determine urgency. Triage routing is available to direct findings to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available
Patch

A patched-image rebuild at the fixed versions (R10.5.2, R10.6.2, or R10.7.1, depending on the release branch in use) becomes available in HarborGuard as soon as the upstream image is resolvable. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Ivanti Sentry service over the network; the vulnerable interface is exposed remotely with no requirement for LAN or physical proximity.

  • Authentication: Not required

    No credentials of any privilege level are needed; the injection is reachable by any unauthenticated remote user.

  • Victim interaction: Not required

    No user action or social engineering is required; the attacker triggers the vulnerability entirely without victim participation.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no race conditions, special memory layout, or other variable environmental conditions to succeed.

Blast Radius

  • The attacker gains root-level remote code execution on the Sentry host, with full control over all processes and files.
  • All data passing through or stored on the Sentry appliance (including mobile device management traffic, credentials, and session tokens) is readable by the attacker.
  • The attacker can modify or delete any file on the host, tamper with Sentry configuration, or pivot to systems that trust the Sentry appliance.
  • The attacker can crash or permanently disable the Sentry service, cutting off mobile device access to enterprise resources.

How HarborGuard Handles This

Available on HarborGuard: detection for this Critical-severity CVE is matched against customer images within minutes of advisory ingestion, covering both registry-pulled and internally built Sentry images. Where compliance policy permits and auto-remediation is enabled, HarborGuard can rebuild the affected image at the appropriate fixed version (R10.5.2, R10.6.2, or R10.7.1), execute a regression run, and open a pull request against affected workloads; the median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is surfaced as a Critical-priority item in the triage queue for manual review. Given the unauthenticated remote root impact, customers are strongly advised to prioritize patching or, as a compensating control until patching is possible, to restrict network access to Sentry management interfaces via network policy or egress filtering.


Fix available: R10.5.2, R10.6.2, R10.7.1
Affected packages
  • ivanti / Sentry
    Fixed in R10.5.2, R10.6.2, R10.7.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H