Description
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution
Published: 2026-06-09
Score: 10 Critical
EPSS: 98.9% High
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS Command Injection flaw allows a remote unauthenticated user to execute arbitrary system commands with root privileges on Ivanti Sentry. The defect stems from unsanitized input being incorporated into operating‑system commands, enabling a complete compromise of confidentiality, integrity, and availability. The weakness is classified as CWE‑78.

Affected Systems

Ivanti Sentry installations running any release older than R10.5.2, R10.6.2, or R10.7.1 are affected. The vulnerability exists in code common to those versions, so any configuration that exposes a supported interface can be exploited.

Risk and Exploitability

The CVSS score of 10 signals a critical severity, while an EPSS score of 99% indicates an exceptionally high likelihood of exploitation in the wild. The vulnerability is listed in CISA’s KEV catalog, underscoring its potential for widespread exploitation. Based on the description, it is inferred that the affected systems are reachable from the internet and that an unauthenticated attacker can send malicious input to a vulnerable interface to trigger OS command execution.

Generated by OpenCVE AI on June 24, 2026 at 11:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ivanti Sentry to at least R10.5.2, R10.6.2, or R10.7.1 to eliminate the command injection flaw.
  • If upgrading is not immediately possible, block external access to the Sentry management interface by restricting it to a trusted IP range or placing it behind a firewall or VPN.
  • Add input validation and sanitization to all data that is incorporated into operating‑system commands, enforce proper error handling, and enable detailed logging to detect suspicious command execution attempts.

Generated by OpenCVE AI on June 24, 2026 at 11:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 12:00:00 +0000

Type Values Removed Values Added
Title Root-Level Remote Code Execution via OS Command Injection in Ivanti Sentry

Wed, 24 Jun 2026 08:15:00 +0000

Type Values Removed Values Added
Title Root‑Level Remote Code Execution via OS Command Injection in Ivanti Sentry

Wed, 24 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Title Root‑Level Remote Code Execution via OS Command Injection in Ivanti Sentry

Tue, 23 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Title Root-level Remote Code Execution via OS Command Injection in Ivanti Sentry

Tue, 23 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Title Root-level Remote Code Execution via OS Command Injection in Ivanti Sentry

Tue, 23 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Title Root-level Remote Code Execution via OS Command Injection in Ivanti Sentry

Tue, 23 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Title Root-level Remote Code Execution via OS Command Injection in Ivanti Sentry

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Root-Level Remote Code Execution via OS Command Injection in Ivanti Sentry

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Root-Level Remote Code Execution via OS Command Injection in Ivanti Sentry

Tue, 16 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
Title OS Command Injection in Ivanti Sentry Enables Root‑Level Remote Code Execution

Sat, 13 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Title OS Command Injection in Ivanti Sentry Enables Root‑Level Remote Code Execution

Fri, 12 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Title Remote Root-Level OS Command Injection in Ivanti Sentry

Fri, 12 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Ivanti standalone Sentry
CPEs cpe:2.3:a:ivanti:standalone_sentry:*:*:*:*:*:*:*:*
cpe:2.3:a:ivanti:standalone_sentry:10.7.0:*:*:*:*:*:*:*
Vendors & Products Ivanti standalone Sentry

Thu, 11 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Title Remote Root-Level OS Command Injection in Ivanti Sentry

Thu, 11 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Title OS Command Injection in Ivanti Sentry Allowing Root-Level Remote Code Execution

Thu, 11 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-06-11T00:00:00+00:00', 'dueDate': '2026-06-14T00:00:00+00:00'}


Thu, 11 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Ivanti
Ivanti sentry
Vendors & Products Ivanti
Ivanti sentry

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Title OS Command Injection in Ivanti Sentry Allowing Root-Level Remote Code Execution

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Description An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Ivanti Sentry Standalone Sentry
cve-icon MITRE

Status: PUBLISHED

Assigner: ivanti

Published:

Updated: 2026-06-12T03:55:15.947Z

Reserved: 2026-06-01T08:47:35.793Z

Link: CVE-2026-10520

cve-icon Vulnrichment

Updated: 2026-06-09T15:42:20.215Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-09T16:16:35.700

Modified: 2026-06-12T12:42:45.810

Link: CVE-2026-10520

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T11:45:02Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')