CVE-2026-10523: An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10
An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: R10.5.2
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authentication bypass vulnerability (CWE-288) affects Ivanti Sentry before versions R10.5.2, R10.6.2, and R10.7.1. The flaw is reachable over the network and requires no authentication, meaning any remote attacker with access to the service can exploit it without credentials. Successful exploitation lets an attacker create arbitrary administrative accounts and gain full administrative control over the affected Sentry instance. Patched-image rebuilds at versions R10.5.2, R10.6.2, and R10.7.1 are available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection capability for CVE-2026-10523 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of ingestion from upstream feeds, including custom-built images derived from Ivanti Sentry base layers.
HarborGuard scores this CVE at CVSS 9.9 Critical and is capable of applying per-environment compliance policy weighting to prioritize alert routing to the appropriate team or inbox within each customer organization.
A patched-image rebuild at R10.5.2, R10.6.2, or R10.7.1 becomes available on HarborGuard for any environment where an affected Sentry version is detected. For customers who opt into auto-remediation, HarborGuard is capable of executing the rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Ivanti Sentry service over the network; the vulnerability is exposed to any host with network access to the target.
- Authentication: Not required
No credentials or prior account are needed; the bypass allows a completely unauthenticated remote attacker to interact with the administrative interface.
- Victim interaction: Not required
Exploitation is fully attacker-driven and does not require any action from a user or administrator on the target system.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and imposes no special conditions such as race conditions or specific memory layout requirements.
Blast Radius
- An attacker creates arbitrary administrative accounts on the Sentry instance, establishing persistent privileged access.
- Full administrative control is obtained, allowing the attacker to read all configuration data, credentials, and proxied mobile device traffic flowing through Sentry.
- The attacker can modify Sentry policies, gateway rules, and user access controls, corrupting the security posture for all managed devices.
- Administrative access enables the attacker to disable or crash the Sentry service, disrupting mobile device management connectivity for all enrolled endpoints.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-10523 is active across customer image scanning pipelines the moment the advisory is ingested. Because this is a Critical-severity issue (CVSS 9.9), environments with auto-remediation enabled are capable of completing a rebuild at a fixed version (R10.5.2, R10.6.2, or R10.7.1 depending on the branch in use), a regression test run, and an automated pull request opened against affected workloads, with median time from CVE publication to merged patch PR around 90 minutes for environments with auto-remediation enabled. Where compliance policy permits, the rebuild-and-PR flow runs without manual intervention. Customers who have not opted into auto-remediation will see the finding surfaced in their dashboard with CVSS severity, affected image list, and fix-version detail to support manual prioritization.
Fix available
- ivanti / Sentry: Fixed in R10.5.2, R10.6.2, R10.7.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H