Impact
An OS Command Injection flaw allows a remote unauthenticated user to execute arbitrary system commands with root privileges on Ivanti Sentry. The defect stems from unsanitized input being incorporated into operating-system commands, enabling a complete compromise of confidentiality, integrity, and availability. The weakness is classified as CWE-78.
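To make the CWE-78 pattern concrete, the following is an added example (not code from the advisory or from Ivanti Sentry) that places the vulnerable construction, untrusted input concatenated into a shell command line, next to a hardened form that validates the value against an allowlist and passes it as a single argv element with no shell. The function names, HOST_RE and the hostname parameter are hypothetical; only the Python standard library (subprocess, shlex, re, sys) is used.

```python
"""OS command injection (CWE-78): the vulnerable pattern next to a hardened one.

Added, illustrative example; not code from the advisory or from Ivanti Sentry.
Function names, HOST_RE and the `hostname` parameter are hypothetical.
"""
import re
import shlex
import subprocess
import sys


# ---------------------------------------------------------------- vulnerable
def vulnerable_command_line(hostname: str) -> str:
    """Untrusted input concatenated into one string that a shell would parse.

    Built but deliberately not executed here: run with shell=True, every shell
    metacharacter in `hostname` (';', '|', '&&', '$(...)') changes which
    commands run.
    """
    return "nslookup " + hostname


def command_count(cmdline: str) -> int:
    """Count the simple commands a POSIX shell would run for `cmdline`.

    shlex with punctuation_chars=True keeps separators such as ';' and '&&'
    as their own tokens, so the count is 1 plus the number of separators.
    More than one command on a line meant to hold exactly one is a tell-tale
    of injection.  (Command substitution via $(...) or backticks is a separate
    channel that this counter does not cover.)
    """
    separators = {";", "|", "&&", "||", "&"}
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return 1 + sum(1 for tok in lexer if tok in separators)


# ------------------------------------------------------------------ hardened
# Allowlist for a DNS hostname: labels of letters, digits and inner hyphens,
# 1-63 characters each, joined by dots, 253 characters overall.  Requiring an
# alphanumeric first character also stops the value being read as an option
# ("-something") by the invoked tool.
HOST_RE = re.compile(
    r"(?=.{1,253}$)"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*",
    re.IGNORECASE,
)


def is_safe_hostname(hostname: str) -> bool:
    """True only if the whole string matches the allowlist."""
    return HOST_RE.fullmatch(hostname) is not None


def validate_hostname(hostname: str) -> str:
    """Return `hostname` unchanged if it passes the allowlist, else raise."""
    if not is_safe_hostname(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    return hostname


def hardened_argv(hostname: str) -> list:
    """Validate, then build an argv list.

    Handed to subprocess without a shell, the hostname is always exactly one
    argument; there is no shell present to reinterpret it.
    """
    return ["nslookup", validate_hostname(hostname)]


def passed_as_single_argument(value: str) -> str:
    """Show the no-shell guarantee: run a child Python with `value` as one argv
    element and return what the child received.  Metacharacters arrive
    literally instead of being executed.
    """
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    tainted = "example.com; id"  # constructed sample input
    line = vulnerable_command_line(tainted)
    print(f"{line!r} -> {command_count(line)} commands for a shell")
    print("no-shell child received:", repr(passed_as_single_argument(tainted)))
    print("allowlist accepts tainted value:", is_safe_hostname(tainted))
```

The two halves make the defensive point the advisory's CWE class turns on: input validation alone and argv-style invocation alone each close part of the gap, and the hardened form does both, so a separator that slips past validation still reaches the tool as one literal argument rather than as a second command.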
Affected Systems
Ivanti Sentry installations running any release older than R10.5.2, R10.6.2, or R10.7.1 are affected. The vulnerability exists in code common to those versions, so any configuration that exposes a supported interface can be exploited.
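As an added triage aid (not code from the advisory or from Ivanti), the helper below decides from a version string whether a build falls below the fixed release for its branch. It assumes version strings of the form "R10.6.1" (the "R" prefix optional) and that R10.5.2, R10.6.2 and R10.7.1, the releases named above, are the first patched builds of the 10.5, 10.6 and 10.7 branches; a branch newer than 10.7 is reported as not covered by the advisory rather than guessed at. Function names are hypothetical.

```python
"""Triage helper: is an Ivanti Sentry build older than the fixed release for
its branch?

Added example, not from the advisory or from Ivanti.  Assumes the advisory's
three fixed releases are the first patched builds of their branches; anything
on a newer branch is flagged for a human to check.
"""
import re

# (major, minor) -> first fixed patch level, taken from the advisory text
FIXED_PATCH = {(10, 5): 2, (10, 6): 2, (10, 7): 1}
OLDEST_FIXED_BRANCH = min(FIXED_PATCH)  # (10, 5)

VERSION_RE = re.compile(r"R?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple:
    """'R10.6.1' -> (10, 6, 1); a missing patch level counts as 0."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(text: str) -> str:
    """Return 'affected', 'fixed' or 'not-covered'.

    'not-covered' means the branch is newer than any the advisory names; the
    advisory says nothing about it, so the result is left for a human.
    """
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return "fixed" if patch >= FIXED_PATCH[branch] else "affected"
    if branch < OLDEST_FIXED_BRANCH:
        return "affected"  # older than every fixed release
    return "not-covered"


def triage(inventory: dict) -> dict:
    """Group host names by assessment so affected ones can be patched first."""
    groups = {"affected": [], "fixed": [], "not-covered": []}
    for host, version in inventory.items():
        groups[assess(version)].append(host)
    return groups


if __name__ == "__main__":
    # constructed sample inventory, not real hosts
    sample = {
        "sentry-a": "R10.6.1",
        "sentry-b": "R10.7.1",
        "sentry-c": "R10.4.0",
        "sentry-d": "R10.8.0",
    }
    for status, hosts in triage(sample).items():
        print(f"{status:12} {', '.join(hosts) or '-'}")
```

Feeding the helper an inventory export turns the advisory's three thresholds into a patch list; anything reported as not-covered should be checked against the vendor's own release notes rather than assumed safe.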
Risk and Exploitability
A CVSS score of 10 marks the severity as critical, and an EPSS score of 99% indicates an exceptionally high likelihood of exploitation in the wild. The vulnerability is listed in CISA’s KEV catalog, underscoring its potential for widespread exploitation. From the description it is inferred that affected systems are reachable from the internet and that an unauthenticated attacker can send malicious input to a vulnerable interface to trigger OS command execution.
OpenCVE Enrichment