CVE-2026-10520NVD

Vulnerability Summary

An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution

Severity Level

CRITICAL(10.0)

Published Date

Jun 9, 2026

Last Modified

Jun 11, 2026

Exploitation Status

????

EPSS Score (30-Day)

3.28%Probability

Root Weakness (CWE)

CWE-78: OS Command Injection ↗

The software constructs all or part of an OS command using externally-influenced input, but does not properly neutralize special elements.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeChanged

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

External References

https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US
https://github.com/watchtowrlabs/watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-10520

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2026-10520NVD

Vulnerability Summary

External References