Description
An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.
Published: 2026-06-09
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an authentication bypass (CWE‑288) that allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain complete administrative privileges. This flaw enables the attacker to perform any action available to a legitimate administrator, effectively compromising the entire system’s confidentiality, integrity, and availability.

Affected Systems

Ivanti Sentry systems running versions prior to R10.5.2, R10.6.2, or R10.7.1 are affected. Users of these releases should verify their current version and upgrade if necessary.

Risk and Exploitability

The CVSS score of 9.9 classifies this as a critical vulnerability. The EPSS score is not available and the CVE is not listed in the CISA KEV catalog, but neither fact diminishes the potential threat. The flaw can be exploited remotely without authentication, so the attack is straightforward for any attacker with internet access to the target system.

Generated by OpenCVE AI on June 9, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ivanti Sentry to R10.5.2, R10.6.2, or R10.7.1 or later, as these releases contain the fix for the authentication bypass.
  • If an immediate upgrade cannot be performed, block the API or configuration paths that allow unauthenticated account creation to prevent new admin accounts from being added.
  • After applying the fix, audit all administrative accounts, review permissions, and remove any accounts that were created by an attacker during the vulnerable period.

Generated by OpenCVE AI on June 9, 2026 at 16:23 UTC.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Authentication Bypass Enabling Remote Administrative Account Creation |
| First Time appeared | | Ivanti; Ivanti sentry |
| Vendors & Products | | Ivanti; Ivanti sentry |

Tue, 09 Jun 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 09 Jun 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access. |
| Weaknesses | | CWE-288 |
| References | | |
| Metrics | | cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: ivanti

Published:

Updated: 2026-06-10T03:58:55.720Z

Reserved: 2026-06-01T08:57:47.470Z

Link: CVE-2026-10523

Vulnrichment

Updated: 2026-06-09T15:39:21.922Z

NVD

Status : Awaiting Analysis

Published: 2026-06-09T16:16:35.837

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-10523

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T16:30:08Z

Weaknesses