CVE-2026-10520 -- CVSS 10.0 Vulnerability Briefing

CVE-2026-10520 | CVSS 10.0 (Critical) | Exploit: PoC available

What Is It

CVE-2026-10520 is a critical OS command injection vulnerability in Ivanti Sentry, a mobile security gateway product, that allows remote unauthenticated attackers to execute arbitrary commands at the root level.

Technical Detail

The flaw exists in Ivanti Sentry versions prior to R10.5.2, R10.6.2, and R10.7.1, where user-supplied input is passed unsanitized to an OS-level command execution context without requiring authentication. An attacker can send a crafted request to the exposed interface to inject and execute arbitrary shell commands, resulting in full root-level remote code execution on the underlying system. The combination of no authentication requirement and root-level impact places this at the maximum CVSS score of 10.0, representing complete compromise of confidentiality, integrity, and availability.

Exploitation Status

A proof-of-concept exploit is publicly available as of this writing. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, meaning active in-the-wild exploitation has not been formally confirmed by CISA. However, the availability of a PoC for a pre-authentication RCE vulnerability with a CVSS 10.0 score significantly lowers the barrier for exploitation, and the vulnerability should be treated as a high-urgency patching priority regardless of KEV status.

Who Is Targeting This

No specific threat actor attribution at this time. No confirmed or reported threat actor activity has been linked to this vulnerability in available intelligence sources. Given that Ivanti products have historically attracted attention from nation-state and financially motivated actors, this vulnerability warrants close monitoring for emerging attribution as exploitation activity develops.

What To Do

Patch immediately to Ivanti Sentry R10.5.2, R10.6.2, or R10.7.1 depending on the release branch in use. Given the pre-authentication nature of this vulnerability, no user interaction or credential compromise is required for exploitation, making network-level exposure the primary risk factor. Organizations should prioritize restricting access to the Sentry administrative and API interfaces to trusted IP ranges or internal networks as an interim control if patching cannot be completed immediately. Review logs for anomalous command execution patterns or unexpected outbound connections from Sentry hosts. Monitor Ivanti's security advisories and CISA KEV for updates on confirmed exploitation activity.
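
To turn the patch guidance above into a worklist, the following added example (not Ivanti's or the briefing author's code) classifies an inventory of reported Sentry versions against the fixed releases named in this briefing. The version string format, the treatment of branches older or newer than those listed, and the sample hostnames are assumptions.

```python
import re

# Fixed release per branch, as listed in the briefing: R10.5.2, R10.6.2, R10.7.1.
FIXED = {(10, 5): 2, (10, 6): 2, (10, 7): 1}

# Assumption: versions are reported as "R<major>.<minor>.<patch>", optionally
# without the leading "R" and with a trailing build suffix.
_VERSION = re.compile(r"^R?(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def triage(version):
    """Classify one reported version as 'patched', 'vulnerable' or 'unknown'."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unknown"  # unparseable: check the appliance by hand
    major, minor, patch = (int(g) for g in m.groups())
    branch = (major, minor)
    if branch in FIXED:
        return "patched" if patch >= FIXED[branch] else "vulnerable"
    if branch < min(FIXED):
        # Assumption: branches older than 10.5 count as "prior to" the fixes.
        return "vulnerable"
    return "unknown"  # newer branch than the briefing lists: confirm with the vendor advisory


def needs_action(inventory):
    """Return (host, version, status) for every host not confirmed patched."""
    rows = [(h, v, triage(v)) for h, v in sorted(inventory.items())]
    return [r for r in rows if r[2] != "patched"]


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = {
    "sentry-dmz-01": "R10.5.1",
    "sentry-dmz-02": "R10.6.2",
    "sentry-lab-01": "10.7.0-b12",
    "sentry-old-01": "R10.4.3",
    "sentry-new-01": "R10.8.0",
}

if __name__ == "__main__":
    for host, version, status in needs_action(SAMPLE_INVENTORY):
        print(f"{host}\t{version}\t{status}")
```

Hosts reported as "unknown" are kept in the worklist on purpose, so that an unparseable or unlisted version is verified rather than silently treated as safe.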
