CVE-2026-10520 | Ivanti Sentry | CVSS 10.0 — OS Command Injection
Vulnerability class: CWE-78 — OS Command Injection
Attack vector: Network | No authentication | No user interaction
The flaw resides in the ConfigServiceController class within the Sentry web application, reachable via a POST request to the unauthenticated endpoint /mics/api/v2/sentry/mics-config/handleMessage. Sentry exposes an internal configuration command API that was designed for internal configuration commands, but it accepts commands from anyone who can reach it over the internet, with no authentication required. An attacker sends a crafted payload to this endpoint; the payload is passed unsanitised into a system-level command, giving OS command execution as root.
PoC status: On June 10, 2026, watchTowr published a technical analysis including a proof-of-concept exploit for unauthenticated RCE.
Exploitation status: Active in-the-wild exploitation confirmed post-disclosure. Given the trivial nature of exploitation and the availability of a public PoC, Rapid7 strongly recommends updating affected Sentry appliances on an urgent basis, outside of normal patching cycles.
Impact: Root shell on the Sentry appliance. From there — credential dumps, session token theft, impersonation of legitimate users, and a direct pivot into backend corporate systems (Exchange, internal apps) that Sentry proxies traffic for.
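A first triage step for this issue is to look for POST requests to the unauthenticated endpoint named above in the appliance's web access logs. The following script is an added example written for this page (it is not Rapid7, watchTowr or Ivanti code): it parses combined-format access log lines, keeps only POSTs to /mics/api/v2/sentry/mics-config/handleMessage (ignoring any query string), and counts them per source address. The log lines, the log format and the source addresses are constructed for the example and are not real traffic.

```python
import re
from collections import Counter
from datetime import datetime

# Endpoint named in the advisory for CVE-2026-10520 (unauthenticated, reached by POST).
TARGET_PATH = "/mics/api/v2/sentry/mics-config/handleMessage"

# Combined log format (assumed layout for this example):
# ip - - [day/Mon/year:HH:MM:SS zone] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines (not real traffic); the addresses are documentation ranges.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Jun/2026:14:01:55 +0000] "GET /mics/login.jsp HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2026:14:02:11 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2026:14:02:13 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 498 "-" "python-requests/2.31"
198.51.100.23 - - [10/Jun/2026:14:03:02 +0000] "GET /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 405 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2026:14:05:40 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage?x=1 HTTP/1.1" 500 210 "-" "curl/8.0"
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_target_request(rec):
    """True for a POST to the handleMessage endpoint, ignoring query string and trailing slash."""
    path = rec["path"].split("?", 1)[0].rstrip("/")
    return rec["method"] == "POST" and path == TARGET_PATH


def triage(log_text):
    """Return (hits, per_ip): matching records in log order, and POST counts per source IP."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_target_request(rec):
            hits.append(rec)
    per_ip = Counter(h["ip"] for h in hits)
    return hits, per_ip


if __name__ == "__main__":
    hits, per_ip = triage(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"].isoformat()} {h["ip"]:<15} {h["status"]} {h["ua"]}')
    print("POSTs per source:", dict(per_ip))
```

Any POST to this endpoint from an address that is not a known internal Sentry or EPMM component deserves a closer look, whatever the response status; a 500 may be a failed attempt rather than a harmless error, so the example deliberately does not filter on status.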
CVE-2026-10523 | Ivanti Sentry | CVSS 9.9 — Authentication Bypass
Vulnerability class: Authentication bypass
Attack vector: Network | No authentication | No user interaction
This flaw allows remote, unauthenticated attackers to create user accounts with the administrator role, gaining full administrative access to vulnerable appliances.
Chaining risk: CVE-2026-10523 creates a secondary persistence path — attackers who create admin accounts before patching retain access even after the RCE vector is closed by the hardcoded-command fix. This is the persistence-after-patch scenario that makes dual-CVE releases particularly dangerous. Even if CVE-2026-10520 is patched promptly, an attacker who first exploited 10523 to plant a rogue admin account survives the patch cycle.
Fixed versions: R10.5.2, R10.6.2, R10.7.1
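Because CVE-2026-10523 lets an attacker plant an administrator account that survives the patch, upgrading alone is not enough: the appliance's account list has to be compared against a pre-exposure baseline. The audit below is an added example for this page, not Ivanti's tooling. It assumes a CSV export of local accounts with username, role and creation timestamp columns (the column layout, the account names and the baseline are all constructed for the example) and flags any administrator account that is missing from the baseline, was escalated from a non-admin baseline role, or was created between public disclosure (June 9, 2026, per the advisory) and an assumed patch date.

```python
import csv
import io
from datetime import datetime, timezone

ADMIN_ROLE = "administrator"

# Constructed export of local accounts on the appliance (the column layout is an
# assumption for this example, not Ivanti's actual export format).
CURRENT_ACCOUNTS_CSV = """\
username,role,created
admin,administrator,2024-03-01T09:12:00Z
ops-backup,administrator,2025-11-14T16:40:00Z
svc-monitor,user,2025-02-02T08:00:00Z
sysadm0,administrator,2026-06-11T03:17:44Z
helpdesk,administrator,2025-06-20T11:05:00Z
"""

# Baseline inventory recorded before the exposure window (also constructed).
BASELINE = {
    "admin": "administrator",
    "ops-backup": "administrator",
    "svc-monitor": "user",
    "helpdesk": "user",
}

# Exposure window: from public disclosure (June 9, 2026, per the advisory) until the
# assumed date the fixed build was installed on this appliance.
WINDOW_START = datetime(2026, 6, 9, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 12, tzinfo=timezone.utc)


def parse_accounts(csv_text):
    """Parse the export into dicts with a timezone-aware 'created' datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["created"] = datetime.fromisoformat(row["created"].replace("Z", "+00:00"))
        rows.append(row)
    return rows


def find_rogue_admins(accounts, baseline, window_start, window_end):
    """Return {username: [reasons]} for every admin-role account that is absent from the
    baseline, was escalated from a non-admin baseline role, or was created in the window."""
    findings = {}
    for acct in accounts:
        name, role, created = acct["username"], acct["role"], acct["created"]
        if role != ADMIN_ROLE:
            continue
        reasons = []
        if name not in baseline:
            reasons.append("admin account not in baseline")
        elif baseline[name] != ADMIN_ROLE:
            reasons.append(f"role escalated from {baseline[name]}")
        if window_start <= created <= window_end:
            reasons.append("created during exposure window")
        if reasons:
            findings[name] = reasons
    return findings


def audit_sample():
    """Run the audit over the constructed data above."""
    return find_rogue_admins(parse_accounts(CURRENT_ACCOUNTS_CSV), BASELINE,
                             WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for name, reasons in audit_sample().items():
        print(f"{name}: {'; '.join(reasons)}")
```

The baseline comparison matters more than the date window: an account created before disclosure but absent from the last known-good inventory is exactly the pre-disclosure exploitation case the advisory warns about, and the window check alone would miss it.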
CVE-2026-6973 | Ivanti EPMM | CVSS 7.2 — RCE via Apache Directive Injection
Vulnerability class: CWE-15 — Configuration control / Improper input validation
Attack vector: Network | Requires admin authentication
An authenticated attacker with sufficient privileges can exploit this weakness to inject arbitrary Apache directives into the server configuration, achieving remote code execution.
Exploitation status: CISA KEV has already listed CVE-2026-6973 as actively exploited in the wild. Ivanti confirmed it is aware of a very limited number of customers having been exploited, and noted that customers who rotated credentials following the January 2026 recommendations around CVE-2026-1281 and CVE-2026-1340 have significantly reduced risk.
Context: This is not EPMM’s first KEV listing. The product has a pattern of prior zero-day exploitation, and admin-authenticated RCE on an MDM platform is a high-value target — it gives an attacker control over the device policy and enrollment plane for the entire mobile fleet.
Affected versions: 12.9.0, 12.8.0.2, 12.7.0.1 and earlier
Fixed versions: 12.9.0.1, 12.8.0.3, 12.7.0.2
CVE-2026-10727 | Ivanti EPMM | CVSS High — Arbitrary Command Execution
Vulnerability class: Arbitrary command execution
Attack vector: Network | Requires admin authentication
This flaw allows authenticated attackers to execute arbitrary commands via Apache directives. Ivanti stated that there was no known public exploitation of this vulnerability at the time of the June 9 disclosure. It is assessed as a companion to CVE-2026-6973 in the same advisory — both route through the Apache configuration injection vector, differing in the specific execution path.
Fixed versions: Same as above — 12.9.0.1, 12.8.0.3, 12.7.0.2
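Both products ship fixes on several parallel release branches (Sentry R10.5.2, R10.6.2 and R10.7.1; EPMM 12.9.0.1, 12.8.0.3 and 12.7.0.2), so "is this appliance patched?" is a branch-aware comparison rather than a single threshold. The checker below is an added example for this page, not Ivanti or Rapid7 code, covering both the Sentry and the EPMM fixed versions listed above. It assumes that a release branch is every version component except the last, that a branch older than every fixed branch counts as affected (the advisory's "and earlier"), and that a branch newer than anything listed is outside the advisory's scope and should be reported separately rather than assumed safe. The inventory at the bottom is constructed.

```python
import re

# Fixed builds listed in the advisory, per product and release branch.
FIXED_VERSIONS = {
    "Ivanti Sentry": ["R10.5.2", "R10.6.2", "R10.7.1"],
    "Ivanti EPMM": ["12.9.0.1", "12.8.0.3", "12.7.0.2"],
}


def parse_version(version):
    """'R10.6.1' -> (10, 6, 1); '12.8.0.2' -> (12, 8, 0, 2). Non-numeric prefixes are ignored."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def _pad(t, width):
    """Right-pad a version tuple with zeros so tuples of different length compare sanely."""
    return t + (0,) * (width - len(t))


def assess(product, installed):
    """Classify an installed build as 'vulnerable', 'fixed' or 'not-covered'.

    Assumption used here: a branch is every component except the last, so a build is
    compared with the fixed build of its own branch; a branch older than every fixed
    branch is treated as affected ('... and earlier'); a branch newer than any listed
    fix is outside the advisory's scope and reported as 'not-covered'.
    """
    inst = parse_version(installed)
    fixed = [parse_version(f) for f in FIXED_VERSIONS[product]]
    width = max(len(t) for t in fixed + [inst])
    inst = _pad(inst, width)
    fixed = [_pad(f, width) for f in fixed]
    same_branch = [f for f in fixed if f[:-1] == inst[:-1]]
    if same_branch:
        return "vulnerable" if inst < same_branch[0] else "fixed"
    if inst[:-1] < min(f[:-1] for f in fixed):
        return "vulnerable"
    return "not-covered"


if __name__ == "__main__":
    # Constructed sample inventory: (product, hostname, installed build).
    inventory = [
        ("Ivanti Sentry", "sentry-dmz-01", "R10.6.1"),
        ("Ivanti Sentry", "sentry-dmz-02", "R10.7.1"),
        ("Ivanti EPMM", "epmm-core-01", "12.8.0.2"),
        ("Ivanti EPMM", "epmm-lab-01", "12.6.1.0"),
    ]
    for product, host, build in inventory:
        print(f"{host:<14} {product:<14} {build:<9} {assess(product, build)}")
```

A 'not-covered' result is a prompt to check the vendor advisory for that newer branch, not a clean bill of health; the checker only knows the branches the advisory names.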
The Sentry pair is the immediate emergency — both CVE-2026-10520 and CVE-2026-10523 together give attackers two independent no-credential paths to full Sentry control. The EPMM pair requires admin auth, narrowing the attack surface but not the urgency given active KEV status on CVE-2026-6973.