Zero Day Monitor (ZDM)
9.9 · CVE-2026-10523 · EXPLOITED · PATCHED
ivanti · sentry

CVE-2026-10523: An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allow

Description

A vulnerability in Sentry allows attackers to create arbitrary administrator accounts without prior authentication, gaining full admin access.

Affected Products

Vendor | Product | Versions
ivanti | sentry | 10.7.0 and below, 10.6.1 and below, 10.5.1 and below

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
ivanti | sentry | cert_advisory | 90%

References

  • https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US

Related News (7 articles)

Tier D
Heise Security · 1d ago
Ivanti Sentry: Confusion over status of critical command injection flaw
→ No new info (linked only)
Tier E
Hacker News · 1d ago
Ivanti Sentry pre-auth RCE (CVE-2026-10520) – CVSS 10.0, public PoC, CISA KEV
→ No new info (linked only)
Tier D
Help Net Security · 3d ago
Critical Ivanti Sentry flaw allows root-level remote code execution (CVE-2026-10520)
→ No new info (linked only)
Tier C
Rapid7 Blog · 3d ago
CVE-2026-10520, CVE-2026-10523 - Multiple critical vulnerabilities affecting Ivanti Sentry
→ No new info (linked only)
Tier B
BSI Advisories · 3d ago
[NEW] [high] Ivanti Sentry: Multiple vulnerabilities
→ No new info (linked only)
Tier C
VulDB · 4d ago
CVE-2026-10523 | Ivanti Sentry up to R10.5.1/R10.6.1/R10.7.0 authentication bypass
→ No new info (linked only)
Tier B
CCCS Canada · 4d ago
Ivanti security advisory (AV26-567)
→ No new info (linked only)
CVSS 3.1: 9.9 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: R10.5.2, R10.6.2, R10.7.1
CWE: CWE-288
Published: Jun 9, 2026
Last enriched: 1d ago (v6)
Tags: critical, remote code execution
Trending Score: 70
Source articles: 7
Independent: 7
Info Completeness: 10/14
Missing: epss, kev, iocs, mitre_attack

Related CVEs (5)

CRITICAL · CVE-2026-10520 · EXP
CVE-2026-10520: An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote
Trending: 100
HIGH · CVE-2026-6973 · EXP · KEV
CVE-2026-6973: An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authentic
Trending: 97
HIGH · CVE-2026-10727 · EXP
CVE-2026-10727: An OS command injection vulnerability in Ivanti EPMM before 12.9.0.1, 12.8.0.3 and 12.7.0.2 versions allows a remote aut
Trending: 40
HIGH · CVE-2026-9614 · EXP
CVE-2026-9614: An Improper Access Control vulnerability in Ivanti Neurons for ITSM (cloud and on-premises) allows a remote authenticate
Trending: 13
CRITICAL · CVE-2026-8043
CVE-2026-8043: External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read
Trending: 3

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published · Jun 9, 2026
Discovered by ZDM · Jun 9, 2026
Updated: affectedVersions · Jun 9, 2026
Actively Exploited · Jun 10, 2026
Exploit Available · Jun 10, 2026
Patch Available · Jun 10, 2026
Updated: description, exploitAvailable, activelyExploited · Jun 10, 2026
Updated: affectedVersions · Jun 10, 2026
Updated: tags · Jun 10, 2026
Updated: description · Jun 12, 2026

Version History

Current version: v6 · Last enriched 1d ago

v6 · Tier D · 1d ago

Updated description with more technical detail and confirmed severity and CVSS score.

description
via Heise Security
v5 · Tier D · 3d ago

Updated description with new details about the patch and added relevant tags.

tags
via Help Net Security
v4 · Tier C · 3d ago

Added affected versions 10.7.0 and below, 10.6.1 and below, 10.5.1 and below, and updated patch available versions to 10.7.1, 10.6.2, 10.5.2.

affectedVersions
via Rapid7 Blog
v3 · Tier B · 3d ago

Updated description with new details about the ability to execute arbitrary code and marked the vulnerability as actively exploited with an exploit available.

description, exploitAvailable, activelyExploited
via BSI Advisories
v2 · Tier C · 3d ago

Updated affected versions to R10.5.1, R10.6.1, R10.7.0 and noted that no exploit is available.

affectedVersions
via VulDB
v1 · 4d ago

Initial creation