{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2026-008.pdf"
    },
    "title": "Critical vulnerabilities in Ivanti Sentry",
    "serial_number": "2026-008",
    "publish_date": "10-06-2026 11:55:39",
    "description": "On 9 June 2026, Ivanti released a security advisory addressing two critical vulnerabilities in their Sentry products[1]. An attacker could exploit those flaws to achieve unauthenticated remote code execution on the vulnerable device.",
    "url_title": "2026-008",
    "content_markdown": "---\ntitle: 'Critical vulnerabilities in\u00a0Ivanti\u00a0Sentry'\nnumber: '2026-008'\nversion: '1.0'\noriginal_date: '2026-06-09'\ndate: '2026-06-10'\n---\n\n_History:_\n\n* _10/06/2026 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn 9 June 2026, Ivanti released a security advisory addressing two critical vulnerabilities in their Sentry products[1]. An attacker could exploit those flaws to achieve unauthenticated remote code execution on the vulnerable device.\n\n# Technical Details\n\nThe vulnerability **CVE-2026-10520**, with a CVSS score of 10, is an OS Command Injection vulnerability in Ivanti Sentry which allows a remote unauthenticated user to achieve root-level remote code execution[2].\n\nThe vulnerability **CVE-2026-10523**, with a CVSS score of 9.9, is an Authentication Bypass vulnerability in Ivanti Sentry which allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.\n\n# Affected Products\n\nThe following versions of Ivanti Sentry are affected:\n\n- 10.5.1 and prior.\n- 10.6.1 and prior.\n- 10.7.0 and prior.\n\n# Recommendations\n\nCERT-EU recommends following the vendor's guidance to update affected appliances to one of the fixed versions[1].\n\n# References\n\n[1] <https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523>\n\n[2] <https://labs.watchtowr.com/more-evidence-that-words-dont-mean-what-we-thought-they-meant-ivanti-sentry-pre-auth-os-command-injection-cve-2026-10520/>",
    "content_html": "<p><em>History:</em></p><ul><li><em>10/06/2026 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On 9 June 2026, Ivanti released a security advisory addressing two critical vulnerabilities in their Sentry products[1]. An attacker could exploit those flaws to achieve unauthenticated remote code execution on the vulnerable device.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <strong>CVE-2026-10520</strong>, with a CVSS score of 10, is an OS Command Injection vulnerability in Ivanti Sentry which allows a remote unauthenticated user to achieve root-level remote code execution[2].</p><p>The vulnerability <strong>CVE-2026-10523</strong>, with a CVSS score of 9.9, is an Authentication Bypass vulnerability in Ivanti Sentry which allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.</p><h2 id=\"affected-products\">Affected Products</h2><p>The following versions of Ivanti Sentry are affected:</p><ul><li>10.5.1 and prior.</li><li>10.6.1 and prior.</li><li>10.7.0 and prior.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends following the vendor's guidance to update affected appliances to one of the fixed versions[1].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523\">https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://labs.watchtowr.com/more-evidence-that-words-dont-mean-what-we-thought-they-meant-ivanti-sentry-pre-auth-os-command-injection-cve-2026-10520/\">https://labs.watchtowr.com/more-evidence-that-words-dont-mean-what-we-thought-they-meant-ivanti-sentry-pre-auth-os-command-injection-cve-2026-10520/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}