
CVE-2026-10523 -- CVSS 9.9 Vulnerability Briefing

CVE-2026-10523 | CVSS 9.9 (Critical) | Exploit: PoC available

What Is It

CVE-2026-10523 is a critical authentication bypass vulnerability (CWE-288) in Ivanti Sentry, a mobile security gateway product, affecting versions prior to R10.5.2, R10.6.2, and R10.7.1.

Technical Detail

The flaw allows a remote, unauthenticated attacker to bypass authentication controls and create arbitrary administrative accounts on the Sentry management interface, resulting in full administrative access to the appliance. The vulnerability stems from an improper authentication implementation (CWE-288), meaning the application fails to adequately enforce authentication for one or more critical functions, permitting account creation without valid credentials. Successful exploitation grants an attacker complete control over the Sentry appliance, including the ability to modify configurations, intercept mobile device traffic, and potentially pivot to connected enterprise infrastructure.

Exploitation Status

A proof-of-concept exploit is publicly available. This CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog, and active in-the-wild exploitation has not been confirmed as of June 10, 2026. However, the combination of a critical CVSS score of 9.9, unauthenticated remote exploitability, and public PoC availability significantly elevates the risk of exploitation in the near term.

Who Is Targeting This

No threat actor has been attributed to this vulnerability at this time, and no confirmed or reported threat actor associations have been established. Given Ivanti's history as a high-value target for state-sponsored and financially motivated actors, this should be treated as a priority even in the absence of confirmed attribution.

What To Do

Apply the vendor-supplied patches immediately. Ivanti has released fixed versions R10.5.2, R10.6.2, and R10.7.1 addressing this vulnerability. Organizations should prioritize patching any internet-exposed Sentry instances first, followed by internally accessible deployments. Until patching is complete, restrict administrative interface access to trusted management networks or VPN-only segments and review administrative account logs for any unauthorized account creation activity. Monitor for anomalous authentication events and unexpected administrative account additions as detection signals. No official workaround has been published as a substitute for patching.
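
The patch ordering above can be turned into a quick inventory triage. The following is an added example, not code from Ivanti or from this briefing: it compares each appliance's version against the fixed releases listed here and orders the remaining work with internet-exposed instances first. The hostnames and inventory format are constructed, and the handling of branches other than R10.5, R10.6 and R10.7 is an assumption.

```python
import re

# Fixed release per branch, as listed in the briefing: R10.5.2, R10.6.2, R10.7.1.
FIXED = {(10, 5): 2, (10, 6): 2, (10, 7): 1}
VERSION_RE = re.compile(r"^R?(\d+)\.(\d+)\.(\d+)$", re.IGNORECASE)


def classify(version):
    """Return 'patched', 'vulnerable' or 'unknown' for a Sentry version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"  # unparseable: check the appliance by hand
    major, minor, patch = map(int, m.groups())
    branch = (major, minor)
    if branch in FIXED:
        return "patched" if patch >= FIXED[branch] else "vulnerable"
    if branch < min(FIXED):
        # Assumption: branches older than R10.5 predate every fixed release.
        return "vulnerable"
    # Assumption: the briefing does not cover other branches; verify with the vendor.
    return "unknown"


def triage(inventory):
    """Order hosts needing action: exposed+vulnerable, internal+vulnerable, unknown."""
    rows = []
    for item in inventory:
        status = classify(item["version"])
        if status == "patched":
            continue
        rank = 2 if status == "unknown" else (0 if item["internet_exposed"] else 1)
        rows.append((rank, item["host"], status))
    return [(host, status) for _, host, status in sorted(rows)]


# Constructed sample inventory (hypothetical hosts, not from the briefing).
INVENTORY = [
    {"host": "sentry-int-01", "version": "R10.6.1", "internet_exposed": False},
    {"host": "sentry-dmz-01", "version": "R10.5.1", "internet_exposed": True},
    {"host": "sentry-dmz-02", "version": "R10.7.1", "internet_exposed": True},
    {"host": "sentry-lab-01", "version": "R10.4.0", "internet_exposed": False},
    {"host": "sentry-new-01", "version": "10.8.0", "internet_exposed": True},
    {"host": "sentry-old-02", "version": "unknown", "internet_exposed": True},
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY):
        print(f"{host}: {status}")
```

Hosts reported as `unknown` still need a manual version check before they can be considered out of scope.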
