
CVE-2026-10520 & CVE-2026-10523: Ivanti Sentry Critical Vulnerabilities — Detection and Hardening Guide

Security Arsenal Team
June 10, 2026

Critical vulnerabilities identified as CVE-2026-10520 and CVE-2026-10523 have been disclosed in Ivanti Sentry (formerly MobileIron Sentry), the enterprise mobility management gateway that serves as the critical bridge between mobile devices and corporate infrastructure. These vulnerabilities present severe risk to organizations relying on Ivanti's EMM platform, potentially allowing attackers to execute arbitrary code and pivot into trusted internal networks. Security Arsenal is issuing this advisory to provide immediate detection capabilities and remediation guidance for defensive teams.

Introduction: The Risk to Your Mobile Infrastructure

Ivanti Sentry functions as the authentication proxy and communication gateway for mobile device management. When compromised, attackers gain a privileged position within the mobile ecosystem—able to intercept device communications, manipulate device policies, and leverage the Sentry appliance as a lateral movement node into the corporate network. The disclosed vulnerabilities—CVE-2026-10520 (CVSS 9.8, Critical) and CVE-2026-10523 (CVSS 8.8, High)—involve authentication bypass and remote code execution respectively, requiring no user interaction for exploitation. Given Sentry's exposure to the internet for device enrollment and management services, these vulnerabilities are actively being scanned and exploited in the wild.

Urgency Assessment: Based on Rapid7's analysis and Security Arsenal's threat intelligence, mass exploitation is ongoing. Organizations running vulnerable Sentry instances should treat this as an active incident scenario—isolate affected appliances immediately, review access logs for indicators of compromise, and apply patches before returning to service.

Technical Analysis

Affected Products and Versions

Product                             Affected Versions               Patched Versions
Ivanti Sentry                       9.18.x and prior                9.19.0+
Ivanti Sentry (Legacy MobileIron)   All versions prior to 9.19.0    Upgrade to supported version

Vulnerability Mechanics (Defender Perspective)

CVE-2026-10520 is a pre-authentication remote code execution vulnerability residing in the Sentry web services component. The vulnerability stems from improper deserialization of user-supplied data in the administrative interface's API endpoints. Attackers can send crafted HTTP requests to port 443 (or the configured HTTPS port) containing serialized payloads that trigger execution of arbitrary commands with root privileges.

CVE-2026-10523 is an authentication bypass vulnerability in the single sign-on (SSO) integration module. By manipulating the SAML assertion handling logic, unauthenticated attackers can bypass authentication mechanisms and gain administrative access to the Sentry console. This vulnerability serves as a force multiplier—when combined with CVE-2026-10520 or other post-authentication flaws, it enables complete compromise without valid credentials.

Attack Chain

  1. Reconnaissance: Attacker scans internet-exposed Sentry instances (typically on TCP 443, 8443) identifying vulnerable versions via HTTP headers or API responses.
  2. Initial Access: Exploitation of CVE-2026-10520 via crafted HTTP POST request to /mics/services/SentryAdminService or similar endpoint, triggering RCE with root privileges.
  3. Persistence: Attacker establishes reverse shell, implants webshells, or modifies legitimate Sentry binaries for backdoor access.
  4. Lateral Movement: Compromised Sentry appliance provides authenticated access to backend Exchange/Active Directory integrations, enabling credential theft and internal network pivoting.
  5. Objective: Mobile device compromise, data exfiltration, or deployment of malware to managed endpoints via compromised MDM capabilities.

Exploitation Status

  • In-the-Wild Exploitation: CONFIRMED — Rapid7 reports active exploitation campaigns leveraging CVE-2026-10520
  • CISA KEV: Yes — Added to Known Exploited Vulnerabilities Catalog with directive to patch by February 28, 2026
  • Public PoC: Partial exploit code available on security forums
  • Exploit Complexity: Low — Requires only HTTP request to vulnerable endpoint

Detection & Response

Below are detection artifacts engineered for immediate deployment in SOC environments. These rules target the behavioral characteristics of exploitation attempts and post-exploitation activity on Ivanti Sentry appliances.

SIGMA Rules

YAML
---
title: Ivanti Sentry CVE-2026-10520 Exploitation Attempt
id: 8f4d2a1c-7e9b-4c3f-a5d6-9e8f1a2b3c4d
status: experimental
description: Detects potential exploitation of CVE-2026-10520 via suspicious HTTP POST patterns to Ivanti Sentry admin endpoints
references:
  - https://www.rapid7.com/blog/post/etr-cve-2026-10520-cve-2026-10523-multiple-critical-vulnerabilities-affecting-ivanti-sentry
author: Security Arsenal
date: 2026/02/15
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
  product: ivanti-sentry
detection:
  selection:
    RequestMethod: 'POST'
    RequestPath|contains:
      - '/mics/services/SentryAdminService'
      - '/mics/services/MICSDataService'
  filter_legitimate:
    UserAgent|contains:
      - 'Ivanti'
      - 'MobileIron'
      - 'MDM'
  condition: selection and not filter_legitimate
falsepositives:
  - Legitimate administrative API calls from known MDM servers
level: critical
---
title: Ivanti Sentry Suspicious Process Execution (CVE-2026-10520)
id: 3b7c9d4e-1f2a-4b5c-8d9e-0f1a2b3c4d5e
status: experimental
description: Detects suspicious shell activity from Ivanti Sentry web services processes indicating potential RCE exploitation
references:
  - https://www.rapid7.com/blog/post/etr-cve-2026-10520-cve-2026-10523-multiple-critical-vulnerabilities-affecting-ivanti-sentry
author: Security Arsenal
date: 2026/02/15
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|contains:
      - '/opt/iventri/sentry/'
      - '/usr/local/mics/'
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/python'
      - '/perl'
    CommandLine|contains:
      - 'curl'
      - 'wget'
      - 'nc '
      - '/bin/sh'
      - 'chmod +x'
  condition: selection
falsepositives:
  - Legitimate administrative troubleshooting
level: high
---
title: Ivanti Sentry SSO Authentication Bypass (CVE-2026-10523)
id: 5d8e1f2a-3b4c-5d6e-7f8a-9b0c1d2e3f4a
status: experimental
description: Detects potential CVE-2026-10523 authentication bypass via anomalous SAML response patterns to Ivanti Sentry
references:
  - https://www.rapid7.com/blog/post/etr-cve-2026-10520-cve-2026-10523-multiple-critical-vulnerabilities-affecting-ivanti-sentry
author: Security Arsenal
date: 2026/02/15
tags:
  - attack.initial_access
  - attack.t1078.004
logsource:
  category: webserver
  product: ivanti-sentry
detection:
  selection:
    RequestPath|contains:
      - '/saml/acs'
      - '/sso/saml'
    RequestMethod|contains: 'POST'
  filter_legitimate:
    SrcIPNamespace:
      - 'corporate_known_range'
    cs-user: 'mics_admin'
  condition: selection and not filter_legitimate
falsepositives:
  - Legitimate SSO logins from unmonitored IP ranges
level: high
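To test the first and third Sigma rules before deploying them, the following added Python example (written for this guide, not code from Security Arsenal, Rapid7 or Ivanti) reimplements their selection and filter logic and runs it over constructed nginx combined-format access-log lines. The field mapping (method, path and user agent taken from the combined format), the corporate address range standing in for the rule's `corporate_known_range` namespace, and every sample line are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in nginx "combined" log format. They are synthetic
# test records written for this example, not captured traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Feb/2026:03:12:44 +0000] "POST /mics/services/SentryAdminService HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.20.30.40 - - [15/Feb/2026:03:13:01 +0000] "POST /mics/services/MICSDataService HTTP/1.1" 200 2048 "-" "Ivanti MDM Connector/9.18"
203.0.113.10 - - [15/Feb/2026:03:14:09 +0000] "GET /mics/services/SentryAdminService HTTP/1.1" 405 0 "-" "curl/8.4.0"
198.51.100.7 - - [15/Feb/2026:03:15:30 +0000] "POST /saml/acs HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.20.30.41 - mics_admin [15/Feb/2026:03:16:02 +0000] "POST /sso/saml HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# combined format: remote_addr - remote_user [time] "method path proto" status bytes "referer" "user_agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Selection and filter values taken from the Sigma rules above.
ADMIN_ENDPOINTS = ('/mics/services/SentryAdminService', '/mics/services/MICSDataService')
KNOWN_MDM_AGENTS = ('Ivanti', 'MobileIron', 'MDM')
SAML_ENDPOINTS = ('/saml/acs', '/sso/saml')
KNOWN_SSO_USER = 'mics_admin'
# Assumption: the rule's 'corporate_known_range' namespace resolves to this one block.
CORPORATE_RANGES = (ipaddress.ip_network('10.20.30.0/24'),)


@dataclass
class Finding:
    rule: str
    level: str
    src: str
    path: str
    user_agent: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def from_corporate_range(src: str) -> bool:
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in CORPORATE_RANGES)


def check_admin_endpoint(rec: dict) -> Optional[Finding]:
    """Rule 1: POST to an admin service endpoint, unless the user agent is a known MDM product."""
    if rec['method'] != 'POST':
        return None
    if not any(ep in rec['path'] for ep in ADMIN_ENDPOINTS):
        return None
    if any(agent in rec['ua'] for agent in KNOWN_MDM_AGENTS):
        return None
    return Finding('CVE-2026-10520 exploitation attempt', 'critical', rec['src'], rec['path'], rec['ua'])


def check_saml_acs(rec: dict) -> Optional[Finding]:
    """Rule 3: POST to a SAML ACS endpoint, unless from the corporate range AND the known SSO user.

    The Sigma filter ANDs both fields, so a corporate-range POST by any other user still fires."""
    if rec['method'] != 'POST':
        return None
    if not any(ep in rec['path'] for ep in SAML_ENDPOINTS):
        return None
    if from_corporate_range(rec['src']) and rec['user'] == KNOWN_SSO_USER:
        return None
    return Finding('CVE-2026-10523 SSO bypass attempt', 'high', rec['src'], rec['path'], rec['ua'])


RULES = (check_admin_endpoint, check_saml_acs)


def scan(log_text: str) -> List[Finding]:
    """Run every rule over every parseable line and collect the findings in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in RULES:
            finding = rule(rec)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f'[{f.level}] {f.rule}: {f.src} -> {f.path} ({f.user_agent})')
```

On the sample data the scripted POST to SentryAdminService and the external POST to /saml/acs are reported; the MDM connector's POST and the corporate mics_admin SSO login are suppressed by the filters, which is the behaviour to confirm against real logs before trusting the `level: critical` rule in production.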

KQL Query (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for Ivanti Sentry CVE-2026-10520 exploitation indicators
// Requires Syslog or CommonSecurityLog ingestion from Sentry proxies
let SuspiciousUris = dynamic([
    '/mics/services/SentryAdminService',
    '/mics/services/MICSDataService',
    '/mics/ws/SentryAdminService',
    '/api/v1/sentry/admin'
]);
let SuspiciousUserAgents = dynamic([
    'python-requests',
    'curl',
    'wget',
    'perl',
    'powershell'
]);
CommonSecurityLog
| where DeviceProduct in~ ('Ivanti Sentry', 'MobileIron Sentry')
| where RequestMethod =~ 'POST'
| where RequestURL has_any (SuspiciousUris)
// Keep every POST to the admin endpoints; a scripted user agent only raises the score
// (CommonSecurityLog stores the user agent in RequestClientApplication)
| extend RiskScore = iff(RequestClientApplication has_any (SuspiciousUserAgents), 3, 2)
| project TimeGenerated, DeviceProduct, DeviceAction, SourceIP, DestinationIP, DestinationPort,
    RequestURL, RequestMethod, RequestClientApplication, SentBytes, ReceivedBytes, RiskScore
| order by RiskScore desc, TimeGenerated desc

Velociraptor VQL (Endpoint Hunting)

VQL — Velociraptor
-- Hunt for indicators of Ivanti Sentry compromise
-- Execute on Sentry Linux appliances to detect webshells, backdoors, and suspicious processes
-- Install paths assume the /opt/iventri/sentry layout used throughout this advisory

-- Check for recently modified, writable script files in web directories
SELECT FullPath, Mtime, Atime, Size, Mode
FROM glob(globs=['/opt/iventri/sentry/**/*.jsp',
                 '/opt/iventri/sentry/**/*.php',
                 '/opt/iventri/sentry/tmp/**/*'])
WHERE Mtime > timestamp(epoch=now() - 7 * 86400)
   AND Size < 1024000
   AND Mode =~ 'w'

-- Hunt for established connections to ports other than the expected service ports
SELECT Pid, Family, Type, Status, Laddr, Raddr, Timestamp
FROM netstat()
WHERE Family =~ 'IPv4'
   AND Status =~ 'ESTAB'
   AND NOT Raddr.Port IN (443, 8443, 8080, 9090)

-- Identify shells or interpreters whose parent is a Sentry service process
-- (pslist() has no parent-path column, so the parent is looked up per row)
SELECT * FROM foreach(
    row={
        SELECT Pid AS ChildPid, Ppid AS ParentPid, Exe AS ChildExe,
               CommandLine AS ChildCommandLine, Username AS ChildUser,
               CreateTime AS ChildStart
        FROM pslist()
        WHERE Exe =~ '^/(usr/)?bin/(sh|bash|python[0-9.]*|perl)$'
    },
    query={
        SELECT ChildPid, ChildExe, ChildCommandLine, ChildUser, ChildStart,
               ParentPid, Exe AS ParentExe
        FROM pslist(pid=ParentPid)
        WHERE Exe =~ '^(/opt/iventri/sentry/|/usr/local/mics/)'
    })

Remediation Script (Bash)

Bash / Shell
#!/bin/bash
# Ivanti Sentry Hardening and Patch Verification Script
# Version: 1.0 | Date: 2026-02-15
# Run as root on Ivanti Sentry appliances

set -euo pipefail

LOG_FILE="/var/log/sentry_hardening_$(date +%Y%m%d_%H%M%S).log"
BACKUP_DIR="/root/sentry_backup_$(date +%Y%m%d)"

log() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" | tee -a "$LOG_FILE"
}

# Exit 0 if major.minor is below the first fixed release (9.19), 1 if at or above,
# 2 if the string is not a version. Compare numerically: a regex such as 9\.[0-17]\.
# does not mean "9.0 through 9.17" ([0-17] is the set 0, 1, 7) and misses 9.2 to 9.16.
is_vulnerable() {
    local major minor
    IFS=. read -r major minor _ <<< "$1"
    [[ $major =~ ^[0-9]+$ && $minor =~ ^[0-9]+$ ]] || return 2
    (( 10#$major < 9 || (10#$major == 9 && 10#$minor < 19) ))
}

# Check current version
log "Checking Ivanti Sentry version..."
SENTRY_VERSION=$(grep -oP 'version=\K[^,]+' /opt/iventri/sentry/mics.properties 2>/dev/null || echo "UNKNOWN")
log "Current version: $SENTRY_VERSION"

# Vulnerable version check
is_vulnerable "$SENTRY_VERSION" && rc=0 || rc=$?
case $rc in
    0)
        log "WARNING: Version $SENTRY_VERSION is VULNERABLE to CVE-2026-10520 and CVE-2026-10523"
        log "Immediate patching to 9.19.0+ required"
        ;;
    1)
        log "Version appears patched, but verify update installation"
        ;;
    *)
        log "Could not parse version string '$SENTRY_VERSION'; verify the installed release manually"
        ;;
esac

# Create backup directory (for configuration copies taken before patching)
mkdir -p "$BACKUP_DIR"

# Look for recent requests to the admin endpoints; test the grep output itself,
# since the exit status of a pipeline ending in tee is always 0
log "Checking for active exploitation indicators..."
RECENT_HITS=$(grep -rh "SentryAdminService" /var/log/nginx/*.log 2>/dev/null | tail -20 || true)
if [ -n "$RECENT_HITS" ]; then
    echo "$RECENT_HITS" | tee -a "$LOG_FILE"
    log "WARNING: Recent activity detected on admin endpoints; review source addresses and user agents"
    log "Consider temporarily restricting admin interface access"
fi

# Verify TLS configuration (the nginx directive is ssl_protocols; flag legacy protocol versions)
log "Verifying TLS configuration..."
if grep -rqE '^\s*ssl_protocols\b.*(SSLv2|SSLv3|TLSv1(\.1)?)(\s|;)' /etc/nginx/ 2>/dev/null; then
    log "WARNING: Weak TLS protocol versions enabled in nginx configuration"
fi

# Check for known webshell indicators
log "Scanning for webshell indicators..."
WEB_DIRS=("/opt/iventri/servlet/container/webapps/ROOT" "/opt/iventri/servlet/container/webapps/mics")
for dir in "${WEB_DIRS[@]}"; do
    [ -d "$dir" ] || continue
    # -print0/-d '' keeps file names with spaces intact; the parentheses group the -o test
    find "$dir" -type f \( -name '*.jsp' -o -name '*.php' \) -print0 | while IFS= read -r -d '' file; do
        if grep -qE '(eval\(|base64_decode|Runtime\.getRuntime\(\)\.exec)' "$file" 2>/dev/null; then
            log "SUSPICIOUS: Potential webshell found at $file"
        fi
    done
done

# Check for suspicious cron jobs
log "Checking for suspicious cron jobs..."
CRON_SUSPICIOUS=$(grep -rE '(curl|wget|bash.*sh|nc -l)' /etc/cron* /var/spool/cron/ 2>/dev/null || true)
if [ -n "$CRON_SUSPICIOUS" ]; then
    log "WARNING: Suspicious cron entries found:"
    echo "$CRON_SUSPICIOUS" | tee -a "$LOG_FILE"
fi

# Network hardening recommendations
log ""
log "=== REMEDIATION RECOMMENDATIONS ==="
log "1. Apply Ivanti Sentry 9.19.0 or later immediately"
log "2. Restrict admin interface access to known IP ranges"
log "3. Review and rotate Sentry admin credentials"
log "4. Review integration credentials (AD, Exchange, etc.)"
log "5. Enable enhanced logging and forward to SIEM"
log "6. Revoke and re-enroll mobile devices if compromise confirmed"

log ""
log "Hardening check completed. Log saved to: $LOG_FILE"
log "Backups saved to: $BACKUP_DIR"

Remediation and Mitigation

Immediate Actions (Within 24 Hours)

  1. Identify Exposed Instances: Conduct internal asset inventory to locate all Ivanti Sentry deployments, including shadow IT instances.

  2. Isolate Vulnerable Appliances: If immediate patching is not possible, restrict network access. In the iptables example below the DROP rule is inserted first so that the ACCEPT for the admin range ends up above it; inserting them in the opposite order with -I would put DROP on top and lock administrators out. Because the rule drops all other traffic to 443, it also blocks device traffic, which is acceptable only while the appliance is being isolated:

Bash / Shell
    # Restrict admin interface access via firewall (iptables example)
    iptables -I INPUT -p tcp --dport 443 -j DROP
    iptables -I INPUT -p tcp --dport 443 -s <ADMIN_IP_RANGE> -j ACCEPT

  3. Apply Patches: Upgrade to Ivanti Sentry 9.19.0 or later following official upgrade documentation. Download patches from:

  4. Verify Patch Installation: After patching, confirm the installed version:

Bash / Shell
    grep version /opt/iventri/sentry/mics.properties
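Comparing the string that step 4 returns against 9.19.0 is where shortcuts go wrong: a regex character class such as `9\.[0-17]\.` reads as the digits 0, 1 and 7, not the range 0 to 17, so versions 9.2 through 9.16 are reported as patched. The following added Python example (written for this guide, not code from Security Arsenal or Ivanti) parses the version numerically and contrasts it with that naive pattern. It assumes mics.properties is a Java-style key=value file whose version value may carry a comma-separated suffix, as the advisory's grep extraction implies; the sample properties text is constructed.

```python
import re
from typing import Optional, Tuple

# First fixed release according to the affected-versions table above.
PATCHED_VERSION = (9, 19, 0)

# Accepts "9.18", "9.18.2", "v9.19.0" and "9.19.0-build12" (trailing build metadata is ignored).
VERSION_RE = re.compile(r'^\s*v?(\d+)\.(\d+)(?:\.(\d+))?')

# Naive pattern kept only for contrast: [0-17] is the set {0, 1, 7}, so 9.2.x through
# 9.6.x and 9.8.x through 9.16.x never match, and "9.18" without a patch component
# is missed because the pattern demands a trailing dot.
NAIVE_PATTERN = re.compile(r'(9\.[0-17]\.|9\.18\.)')

# Constructed sample, not a real mics.properties file.
SAMPLE_PROPERTIES = """\
# constructed sample for the example
product=Sentry
version=9.18.2,build=4711
"""


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None if the string does not start with a version."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(text: str) -> Optional[bool]:
    """True if below 9.19.0, False if at or above, None if the string is not a version.

    Tuple comparison handles multi-digit components, so 9.18.x < 9.19.0 < 10.0.1."""
    version = parse_version(text)
    if version is None:
        return None
    return version < PATCHED_VERSION


def naive_is_vulnerable(text: str) -> bool:
    """The regex shortcut, for comparison; note the false negatives in the tests."""
    return NAIVE_PATTERN.search(text) is not None


def version_from_properties(properties_text: str) -> Optional[str]:
    """Extract the 'version' value from key=value content, dropping any ',build=...' suffix."""
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition('=')
        if sep and key.strip() == 'version':
            return value.split(',', 1)[0].strip()
    return None


if __name__ == '__main__':
    found = version_from_properties(SAMPLE_PROPERTIES)
    print(f'installed: {found} vulnerable: {is_vulnerable(found or "")}')
    for candidate in ('9.2.0', '9.18', '9.18.2', '9.19.0', '10.0.1'):
        print(f'{candidate:8} numeric={is_vulnerable(candidate)!s:5} naive={naive_is_vulnerable(candidate)}')
```

Treat a None result as a failed check rather than as "patched": an unreadable properties file or an unexpected version format should block the appliance from returning to service until the release is confirmed by hand.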

Post-Patch Hardening (Within 7 Days)

  1. Credential Rotation: If exploitation is suspected, rotate all of the following:
    • Sentry admin credentials
    • Active Directory service account passwords
    • Exchange integration credentials
    • SSO signing certificates

  2. Review Access Logs: Analyze /var/log/nginx/ and Sentry application logs for indicators of compromise dating back at least 30 days prior to patching.

  3. Device Enrollment Audit: Identify any newly enrolled devices during the suspected compromise window and require re-authentication.

  4. Network Segmentation: Ensure Sentry appliances are placed in dedicated DMZ networks with restricted egress to internal resources.

Official Vendor Guidance

  • Ivanti Official Advisory: Apply patches immediately; CISA KEV deadline is February 28, 2026
  • Workaround: If patching is delayed, disable internet-facing admin interfaces and require VPN access
  • Supported Versions: Ensure running on supported release branches (9.18.x requires migration to 9.19.x+)

Conclusion

CVE-2026-10520 and CVE-2026-10523 represent critical threats to enterprise mobility infrastructure. The simplicity of exploitation combined with Sentry's privileged network position makes these vulnerabilities high-priority targets for threat actors. Security Arsenal strongly recommends immediate patching followed by comprehensive log analysis to detect potential compromise.

For organizations requiring assistance with incident response activities related to these vulnerabilities, including forensic analysis of Sentry appliances and compromise assessment, Security Arsenal's DFIR team is available for emergency engagement.

