More Evidence That Words Don't Mean What We Thought They Meant (Ivanti Sentry Pre-Auth OS Command Injection CVE-2026-10520)
Ivanti Sentry is affected by a critical pre-authenticated OS command injection vulnerability (CVE-2026-10520) and an authentication bypass vulnerability (CVE-2026-10523). The command injection flaw allows unauthenticated attackers to achieve root-level remote code execution by sending specially crafted XML payloads to the /mics/api/v2/sentry/mics-config/handleMessage endpoint.
Detection / HunterGoogle
What Happened
A critical security flaw was discovered in Ivanti Sentry, a system used to secure corporate mobile device traffic. This vulnerability allows an unauthenticated attacker to remotely execute commands and potentially take full control of the system. Because this device sits at the edge of a network, compromising it could give attackers a direct path into internal corporate systems. Organizations using Ivanti Sentry should immediately update to the latest patched versions (R10.5.2, R10.6.2, or R10.7.1) to protect their networks.
Key Takeaways
- Ivanti Sentry contains a critical pre-authenticated OS command injection vulnerability (CVE-2026-10520) with a CVSS score of 10.0.
- A separate authentication bypass vulnerability (CVE-2026-10523) allows unauthenticated attackers to create administrative accounts.
- The command injection flaw resides in the /mics/api/v2/sentry/mics-config/handleMessage endpoint, where user-supplied XML is parsed and executed via reflection.
- The patch hardcodes the command input to a benign /bin/cat command and implements Apache regex rules to block unauthenticated access to the endpoint.
Affected Systems
- Ivanti Sentry (formerly MobileIron Sentry) versions prior to R10.5.2, R10.6.2, and R10.7.1
Vulnerabilities (CVEs)
- CVE-2026-10520
- CVE-2026-10523
Attack Chain
An unauthenticated attacker sends a POST request to the /mics/api/v2/sentry/mics-config/handleMessage endpoint containing a specially crafted 'message' parameter. The application parses this message as a MICS configuration command, extracting the command, module, XPath, and XML body. When the 'execute' command is supplied, the application routes the payload to executeNativeCommand(), which uses reflection to invoke internal system-level configuration actions. This allows the attacker to execute arbitrary OS commands in the context of the Tomcat user.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but it does mention a Python-based Detection Artefact Generator tool provided by watchTowr to test if an environment is vulnerable.
Detection Engineering Assessment
- EDR Visibility: Medium — EDR on the Ivanti Sentry appliance itself might be limited or unsupported, but if present, it could detect anomalous child processes spawning from the Tomcat web server.
- Network Visibility: High — Network sensors and WAFs can inspect HTTP POST requests to the vulnerable endpoint for suspicious XML payloads containing <commandexec>.
- Detection Difficulty: Moderate — Detecting the exploit requires visibility into HTTP POST bodies or process execution on the appliance. Since it is a proprietary appliance, installing standard agents might be restricted.
Required Log Sources
- Web Server Access Logs
- Process Creation Logs
- WAF Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for HTTP POST requests to /mics/api/v2/sentry/mics-config/handleMessage that return a 200 OK status, especially from unauthenticated or unexpected source IPs. | Web Server Access Logs | Initial Access | Low |
| If you have process visibility on the Sentry appliance, consider hunting for unexpected child processes (e.g., sh, bash, id, uname) spawning from the Tomcat Java process. | Process Creation Logs | Execution | Low |
Control Gaps
- Lack of WAF inspection on internal/edge appliance traffic
- Inability to deploy EDR agents on proprietary appliances
Key Behavioral Indicators
- POST requests to /mics/api/v2/sentry/mics-config/handleMessage
- Presence of 'execute system /configuration/system/commandexec' in HTTP request bodies
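The two hunting hypotheses above and these behavioral indicators can be expressed as a small hunting script. The following is an added example written for this page, not code from the original article, from Ivanti, or from watchTowr. It assumes Apache/Tomcat "combined" access-log formatting, a WAF export with src/path/body fields, and process events with parent/child image and command-line fields; all sample log lines, records and the 10.0.0.5 "trusted" address are constructed for the demonstration, and the endpoint and body strings are the ones named on this page.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Iterable

# Endpoint and request-body strings named on the page.
VULN_ENDPOINT = "/mics/api/v2/sentry/mics-config/handleMessage"
BODY_INDICATORS = (
    "execute system /configuration/system/commandexec",
    "<commandexec",
)
# Shells and recon binaries the page lists as unexpected children of Tomcat.
# /bin/cat is deliberately absent: the patch hardcodes the command to cat,
# so cat spawned by Tomcat is expected on a patched appliance.
SUSPICIOUS_CHILDREN = {"sh", "bash", "id", "uname"}
TOMCAT_PARENT_HINTS = ("java", "tomcat")

# Assumed "combined" access-log layout; adjust the regex if the appliance differs.
ACCESS_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

@dataclass
class Hit:
    source: str   # which telemetry produced the hit
    reason: str   # short rule name
    detail: str   # who/what, for the analyst

def parse_access_line(line: str) -> dict | None:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = ACCESS_LOG_RE.match(line)
    return m.groupdict() if m else None

def hunt_access_log(lines: Iterable[str], trusted_sources=()) -> list[Hit]:
    """Hypothesis 1: POST to handleMessage answered with 200, from sources
    outside an optional trusted set (e.g. known management hosts)."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path == VULN_ENDPOINT and rec["status"] == "200":
            if rec["src"] in trusted_sources:
                continue
            hits.append(Hit("access_log", "post_to_vuln_endpoint_200", f'{rec["src"]} at {rec["ts"]}'))
    return hits

def hunt_request_bodies(records: Iterable[dict]) -> list[Hit]:
    """Behavioral indicator: a WAF/proxy record for the endpoint whose body
    carries the MICS execute command or a <commandexec> element."""
    hits = []
    for rec in records:
        if rec.get("path", "").split("?", 1)[0] != VULN_ENDPOINT:
            continue
        matched = [i for i in BODY_INDICATORS if i in rec.get("body", "")]
        if matched:
            hits.append(Hit("waf", "commandexec_in_body", f'{rec.get("src")} matched {matched}'))
    return hits

def hunt_process_events(events: Iterable[dict]) -> list[Hit]:
    """Hypothesis 2: a shell or recon binary spawned by the Tomcat Java process."""
    hits = []
    for ev in events:
        parent = (ev.get("parent_image", "") + " " + ev.get("parent_cmdline", "")).lower()
        child = ev.get("image", "").rsplit("/", 1)[-1]
        if any(h in parent for h in TOMCAT_PARENT_HINTS) and child in SUSPICIOUS_CHILDREN:
            hits.append(Hit("process", "tomcat_spawned_shell", f'{ev.get("parent_image")} -> {ev.get("cmdline")}'))
    return hits

# Constructed sample telemetry (not real captures).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Mar/2026:14:02:11 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 412',
    '10.0.0.5 - - [10/Mar/2026:14:03:02 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 412',
    '203.0.113.7 - - [10/Mar/2026:14:02:09 +0000] "GET /mics/login.jsp HTTP/1.1" 200 5120',
    '198.51.100.2 - - [10/Mar/2026:14:05:00 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 403 0',
]
SAMPLE_WAF = [
    {"src": "203.0.113.7", "path": VULN_ENDPOINT, "body": "message=execute system /configuration/system/commandexec ..."},
    {"src": "10.0.0.5", "path": VULN_ENDPOINT, "body": "message=get system /configuration/system/hostname"},
]
SAMPLE_PROCS = [
    {"parent_image": "/usr/bin/java", "parent_cmdline": "java -Dcatalina.base=/opt/tomcat", "image": "/bin/sh", "cmdline": "sh -c uname -a"},
    {"parent_image": "/usr/bin/java", "parent_cmdline": "java -Dcatalina.base=/opt/tomcat", "image": "/bin/cat", "cmdline": "cat /etc/hostname"},
    {"parent_image": "/usr/sbin/cron", "parent_cmdline": "cron", "image": "/bin/sh", "cmdline": "sh -c logrotate"},
]

def run_all() -> dict[str, int]:
    """Hit counts per telemetry source for the sample data."""
    return {
        "access_log": len(hunt_access_log(SAMPLE_ACCESS_LOG, trusted_sources={"10.0.0.5"})),
        "waf": len(hunt_request_bodies(SAMPLE_WAF)),
        "process": len(hunt_process_events(SAMPLE_PROCS)),
    }

if __name__ == "__main__":
    for hit in (hunt_access_log(SAMPLE_ACCESS_LOG, trusted_sources={"10.0.0.5"})
                + hunt_request_bodies(SAMPLE_WAF) + hunt_process_events(SAMPLE_PROCS)):
        print(hit)
```

The trusted-source filter is what keeps the access-log rule's false-positive rate low after patching, when legitimate management traffic to the endpoint resumes; the request-body rule needs WAF or proxy logging of POST bodies, which is the visibility gap the assessment above calls out.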
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider immediately upgrading Ivanti Sentry to patched versions R10.5.2, R10.6.2, or R10.7.1.
- Evaluate whether access to the Sentry management interfaces can be restricted to trusted internal IP addresses only.
Infrastructure Hardening
- Consider deploying a Web Application Firewall (WAF) in front of the Ivanti Sentry appliance to inspect and block malicious XML payloads.
- Evaluate network segmentation to ensure the Sentry appliance has restricted access to internal sensitive systems.
User Protection
- N/A
Security Awareness
- N/A
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1059.004 - Command and Scripting Interpreter: Unix Shell
Additional IOCs
- URLs:
  - /mics/login.jsp - Login page for the MICS application in Ivanti Sentry, potentially used for reconnaissance.
- File Paths:
  - mics-core/com/mi/middleware/rest/controller/ConfigServiceController.java - Java class containing the vulnerable handleMessage method.
- Command Lines:
  - Purpose: PoC command injection payload structure | Tools: uname, id | Stage: Execution