CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-10523

CVSS 9.9v3.1pub. 2026-06-09upd. 2026-06-22

An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access

🤖 AI Analysis
How it works

The vulnerability consists of bypassing the authentication mechanism (CWE-288), which means that an attacker can gain access to protected resources without going through the required identity verification procedures. An attacker can remotely, without possessing any credentials, invoke administrative functions of the Ivanti Sentry system. As a result, it is possible to create new accounts with administrator privileges, resulting in full takeover of the device.

Impact

Attackers gain full administrative access to the Ivanti Sentry system, which includes high confidentiality, integrity, and availability of resources. This can lead to complete compromise of the infrastructure managed by Ivanti Sentry, including data transmitted through the device.

Mitigation & patch

Ivanti Sentry must be immediately updated to version R10.5.2, R10.6.2, or R10.7.1 (depending on the product branch in use). Details are available in the official Ivanti security bulletin at the address indicated in the references.

Who is affected

Ivanti Sentry in versions earlier than R10.5.2, R10.6.2, and R10.7.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Ivanti Standalone Sentry

    APP
    Ivanti
    10.7.0< 10.5.210.6.0 – 10.6.2 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-10520CRITICAL10.0⚠ KEVPL ✓ten sam produkt

RCE poprzez OS Command Injection w Ivanti Sentry (nieuwierzytelniony dostęp root)

CVE-2024-8540HIGH8.8ten sam produkt

Insecure permissions in Ivanti Sentry before versions 9.20.2 and 10.0.2 or 10.1.0 allow a local authenticated ...

CVE-2023-41724HIGH8.8ten sam produkt

A command injection vulnerability in Ivanti Sentry prior to 9.19.0 allows unauthenticated threat actor to exec...

CVE-2026-1281CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Krytyczny code injection w Ivanti Endpoint Manager Mobile (RCE bez uwierzytelnienia)

CVE-2026-1340CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Code injection w Ivanti EPMM umożliwiający nieuwierzytelniony RCE