VDB
CVE-2026-10523
CVE-2026-10523
PUBLISHED
CVSS 9.899999618530273 CRITICAL
CVE-2026-10520 is an OS command injection vulnerability with a maximum CVSS score of 10.0 that can be exploited remotely without authentication to execute arbitrary code with root privileges. CVE-2026-10523 is an authentication bypass vulnerability (CVSS:3.1 9.9) that allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access. The flaw enables attackers to circumvent normal authentication mechanisms, fundamentally undermining the security model of the system.
Risk Scores
CVSS 3.1
9.899999618530273
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ivanti | Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions |
Timeline
- Jun 9, 2026 CVE Published
- Jun 11, 2026 Coalition ESS Score
- Jun 11, 2026 Security Advisory
References
- https://ccb.belgium.be/advisories/warning-critical-root-level-remote-code-execution-and-authentication-bypass advisory
- https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US vendor
- https://labs.watchtowr.com/more-evidence-that-words-dont-mean-what-we-thought-they-meant-ivanti-sentry-pre-auth-os-command-injection-cve-2026-10520/ technical
- https://nvd.nist.gov/vuln/detail/CVE-2026-10520 technical
- https://nvd.nist.gov/vuln/detail/CVE-2026-10523 technical
- https://vuldb.com/cve/CVE-2026-10523 technical
- https://www.bleepingcomputer.com/news/security/new-max-severity-ivanti-sentry-flaw-allows-code-execution-as-root/ technical