Authentication Bypass Vulnerability in Ivanti Sentry
CVE-2026-10523
Key Information:
What is CVE-2026-10523?
CVE-2026-10523 is a significant authentication bypass vulnerability found in Ivanti Sentry, a software solution used for secure mobile application management and remote access to enterprise applications. This vulnerability affects versions prior to R10.5.2, R10.6.2, and R10.7.1, allowing a remote, unauthenticated attacker to bypass authentication mechanisms. By exploiting this weakness, an attacker can create arbitrary administrative accounts, granting them full administrative access to the affected system. The implications of such access are severe, as it may allow attackers to manipulate or exfiltrate sensitive organizational data, disrupt services, and deploy malicious software within the network.
Potential Impact of CVE-2026-10523
- Unauthorized Administrative Control: Attackers can create administrative accounts without proper authentication, enabling them to execute commands and manage the system as legitimate administrators. This level of access can compromise the entire security infrastructure of the organization.
- Data Breach Risks: With administrative access, threat actors can gain insights into sensitive data and intellectual property, leading to potential data breaches. The unauthorized manipulation or extraction of confidential information can result in financial loss and reputational damage.
- Service Disruption: The ability to manage and change system settings can result in disruptions to critical services within the organization. This may include server downtime, application outages, and the potential for widespread malware deployment, ultimately affecting business operations.
Affected Version(s)
Sentry R10.5.2
Sentry R10.6.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
Ivanti Sentry Flaw Triggers CISA's First 3-Day Federal Patch Mandate, Already Exploited
Ivanti Sentry vulnerability patch is mandatory for federal agencies by June 14 under CISA's BOD 26-04, which replaces flat CVSS deadlines with a four-variable risk model. Attackers backdoored Sentry
3 weeks ago
Max-Severity Ivanti Sentry Flaw Exploited Within 24 Hours
Initial methods suggest attackers had likely mapped out Ivanti's asset landscape upfront and acted quickly once the exploit became public.
3 weeks ago
References
EPSS Score
47% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- Public PoC available
- Exploit known to exist
- First article discovered by Dark Reading
- Vulnerability published
- Vulnerability reserved