CVE-2026-10520
KEV Critical · CVSS 10.0
Ivanti Sentry — OS Command Injection RCE
- CVSS: 10.0 (nvd)
- EPSS: 47.9% (98th pct)
- KEV: Listed 2026-06-11
- Class: other (CWE-78)
Description
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution.
Search profile — drives PoC discovery
Symbols: CVE-2026-10520, CVE-2026-10523, watchTowr-vs-Ivanti-Sentry-RCE, watchtowrlabs, root-level RCE, unauthenticated
Keywords: CVE-2026-10520, CVE-2026-10523, Ivanti Sentry RCE, Ivanti Sentry OS command injection, Ivanti Sentry unauthenticated RCE, watchTowr Ivanti Sentry, Ivanti Sentry R10.5.2 R10.6.2 R10.7.1, Sentry root RCE PoC, watchtowrlabs Sentry exploit
Versions: before R10.5.2, R10.6.2, R10.7.1
Candidate PoCs (4) — discovered, not yet vetted or ranked
- ★ 12
- 0xBlackash/CVE-2026-10520 · ★ 4 · nomi_sec
- ogenich/CVE-2026-10520 · ★ 2 · nomi_sec
- HORKimhab/CVE-2026-10520-10523 · ★ 0 · nomi_sec
Recall-favoring discovery (nomi-sec + trickest). Vetting + ranking is the Stage-4 scorer.
Status: enriched · ingested 2026-06-12T18:00:30.000Z · profiled 2026-06-16T18:19:23.017Z