Description
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution.
Published: 2026-06-09
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS Command Injection flaw exists in Ivanti Sentry that permits a remote attacker to execute arbitrary system commands with root privileges. The vulnerability is triggered by unsanitized input processed by the application, allowing the attacker to inject OS-level commands and gain full control over the host. The impact is total compromise of confidentiality, integrity, and availability of the affected system. This vulnerability falls under CWE-78: OS Command Injection.

Affected Systems

Ivanti Sentry versions preceding R10.5.2, R10.6.2, and R10.7.1 are affected. Any deployment running an earlier release is susceptible, regardless of configuration, because the flaw resides in core components common to all those versions.

Risk and Exploitability

The CVSS score is 10, indicating critical severity. EPSS is not available, but the vulnerability is scored as unpatched and exposed to the internet, meaning it is likely to be targeted. The vulnerability is not yet in the CISA KEV catalog, but the inferred attack vector, remote unauthenticated access over the network, makes it an actionable risk for all exposed installations.

Generated by OpenCVE AI on June 9, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Ivanti Sentry update that includes the fix (at least R10.5.2, R10.6.2, or R10.7.1).
  • If immediate patching is not possible, restrict inbound traffic to the Sentry management interface, allowing only trusted IP ranges and disabling public exposure.
  • Enable detailed system and application logging and monitor for anomalous command execution or unauthorized access attempts.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ivanti; Ivanti sentry
Vendors & Products | | Ivanti; Ivanti sentry

Tue, 09 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Title | | OS Command Injection in Ivanti Sentry Allowing Root-Level Remote Code Execution

Tue, 09 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution
Weaknesses | | CWE-78
References | |
Metrics | | cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: ivanti

Published:

Updated: 2026-06-10T03:58:54.580Z

Reserved: 2026-06-01T08:47:35.793Z

Link: CVE-2026-10520

Vulnrichment

Updated: 2026-06-09T15:42:20.215Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T16:16:35.700

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-10520

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T17:30:09Z

Weaknesses