Description
An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access
Published: 2026-06-09
Score: 9.9 Critical
EPSS: 47.2% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an authentication bypass (CWE-288) that permits a remote attacker to create arbitrary administrative accounts on the Ivanti Sentry platform, granting full administrative control over the system.

Affected Systems

Ivanti Sentry installations running any release before R10.5.2, R10.6.2 or R10.7.1 are affected; administrators should verify which version they are operating and consider upgrading.

Risk and Exploitability

The CVSS score of 9.9 marks this flaw as critical, and the EPSS score of 47% indicates a relatively high probability of exploitation. The remote unauthenticated attack vector allows any internet-exposed system to be targeted, and it is inferred from the description that creating administrative accounts directly grants full administrative access, with no further state or privilege escalation steps required.

Generated by OpenCVE AI on June 24, 2026 at 12:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ivanti Sentry to R10.5.2, R10.6.2, or R10.7.1, or a later release that contains the fix for the authentication bypass.
  • If an immediate upgrade is not possible, block or restrict the API or web interface endpoints that enable unauthenticated administrative account creation to prevent new admin accounts from being added.
  • After applying the fix or blocking the endpoints, review all active administrative accounts for unauthorized additions and remove any that appear to have been created during the vulnerable period.
  • Regularly audit and monitor administrative account activity to detect and respond to any anomalous changes.

Generated by OpenCVE AI on June 24, 2026 at 12:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Allows Unauthenticated Admin Account Creation in Ivanti Sentry

Wed, 24 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Allows Unauthenticated Admin Account Creation in Ivanti Sentry

Tue, 23 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Allowing Remote Unauthenticated Administrative Account Creation

Tue, 23 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Allowing Remote Unauthenticated Administrative Account Creation

Tue, 23 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Allows Remote Unauthenticated Creation of Administrative Accounts in Ivanti Sentry

Tue, 23 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Allows Remote Unauthenticated Creation of Administrative Accounts in Ivanti Sentry

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Allows Creation of Administrative Accounts

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Allows Creation of Administrative Accounts

Tue, 16 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
Title Ivanti Sentry Authentication Bypass Allows Remote Administrative Account Creation

Thu, 11 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title Ivanti Sentry Authentication Bypass Allows Remote Administrative Account Creation

Thu, 11 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Enabling Remote Administrative Account Creation

Tue, 09 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Enabling Remote Administrative Account Creation
First Time appeared Ivanti
Ivanti sentry
Vendors & Products Ivanti
Ivanti sentry

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Description An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Ivanti Sentry
cve-icon MITRE

Status: PUBLISHED

Assigner: ivanti

Published:

Updated: 2026-06-10T03:58:55.720Z

Reserved: 2026-06-01T08:57:47.470Z

Link: CVE-2026-10523

cve-icon Vulnrichment

Updated: 2026-06-09T15:39:21.922Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T16:16:35.837

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-10523

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:15:05Z

Weaknesses
  • CWE-288

    Authentication Bypass Using an Alternate Path or Channel