PT-2026-47806 · Ivanti · Sentry
Published 2026-06-09 · Updated 2026-06-12 · CVE-2026-10520
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Ivanti Sentry versions prior to R10.5.2
Ivanti Sentry versions prior to R10.6.2
Ivanti Sentry versions prior to R10.7.1
Description
An OS command injection flaw exists in Ivanti Sentry, a security appliance that protects traffic between internal corporate systems and remote mobile devices. The issue stems from the failure to neutralize special elements in user input, allowing a remote unauthenticated user to achieve root-level remote code execution. Real-world exploitation has been observed, with reports indicating that many internet-facing gateways have been compromised and backdoors installed.
Technical details include:
- API Endpoint: '/mics/api/v2/sentry/mics-config/handleMessage'
- Vulnerable Parameter: message (used in POST requests)
- Function Names: handleMessage(), handleExecute(), and executeNativeCommand()
The message variable is processed by handleMessage() and split into tokens. When the command is set to 'execute', the data is passed through handleExecute() to executeNativeCommand(), which eventually executes the string as an operating system command with root privileges.
Recommendations
Update to version R10.5.2.
Update to version R10.6.2.
Update to version R10.7.1.
Restrict or block POST requests to the '/mics/api/v2/sentry/mics-config/handleMessage' endpoint using WAF or IDS rules, specifically targeting the message parameter for strings such as 'execute', 'system', or ''.
Exploit
Fix
RCE
OS Command Injection
Affected Products
Sentry