
CVE-2026-10520 and CVE-2026-10523 Multiple Critical Vulnerab...#2356

Open
carlospolop wants to merge 1 commit into master from update_CVE-2026-10520_and_CVE-2026-10523_Multiple_Criti_509914d54ebf1cec

Conversation

@carlospolop

Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Rapid7 Emergent Threat Response: Ivanti Sentry critical vulnerabilities CVE-2026-10520 and CVE-2026-10523

Rapid7 summarizes two critical vulnerabilities disclosed by Ivanti on June 9, 2026 affecting Ivanti Sentry, formerly MobileIron Sentry. Ivanti Sentry is described by the vendor as an in-line gateway that manages, encrypts, and secures traffic between mobile devices and back-end enterprise systems. B...

🔧 Technical Details

Pre-auth internal configuration command injection to root RCE: A dangerous appliance pattern occurs when an unauthenticated HTTP endpoint accepts a user-controlled parameter and passes it into an internal configuration command parser. In this case, the endpoint /mics/api/v2/sentry/mics-config/handleMessage accepts message and interprets it as a trusted configuration command. By crafting message as execute system /configuration/system/commandexec ..., an attacker can reach the internal command execution feature and place an arbitrary OS command inside an XML-like field such as <reqandres>id</reqandres>. The reusable exploitation idea is to identify unauthenticated management/configuration endpoints that bridge external HTTP input into privileged backend command interpreters, then determine which internal verbs, paths, or XML/structured fields trigger command execution.

Command ...

🤖 Agent Actions

Done.

Updated:

  • src/pentesting-web/command-injection.md

What I added:

  • A concise new section on structured configuration-command injection using Ivanti Sentry as the case study
  • The unauthenticated endpoint and payload shape:
    • /mics/api/v2/sentry/mics-config/handleMessage
    • message=execute system /configuration/system/commandexec ...
  • Why this is interesting as a reusable technique:
    • internal verb/module/XPath parsing
    • XML-like structured payloads
    • privileged backend bridge
    • no classic shell metacharacters required
  • Hunting clues for logs/telemetry
  • References to:
    • Rapid7 blog
    • watchTowr technical analysis
    • Ivanti advisory

Validation:

  • Re-read the modified section
  • Checked final diff and file structure
  • mdbook build could not be run here because mdbook is not installed in the environment (mdbook: command not found)

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
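A hunting aid for the "Hunting clues for logs/telemetry" item listed above, written as an added example: this is not code from the PR, from the HackTricks repository or from Rapid7. The access-log format and the sample entries are constructed for the example; the endpoint path `/mics/api/v2/sentry/mics-config/handleMessage`, the `execute system` verb, the `/configuration/system/commandexec` node and the `<reqandres>` field are the ones named in the PR description. The script flags every request to that endpoint and escalates when the `message` parameter carries the structured configuration command.

```python
"""Detection example (added here, not part of the PR): flag requests that push
structured configuration commands into the Ivanti Sentry handleMessage endpoint."""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint, verb, node and structured field as named in the PR description.
HANDLE_MESSAGE_PATH = "/mics/api/v2/sentry/mics-config/handleMessage"
COMMANDEXEC_NODE = "/configuration/system/commandexec"
EXECUTE_VERB = re.compile(r"^\s*execute\s+system\b", re.I)
REQANDRES = re.compile(r"<\s*reqandres\s*>(.*?)<\s*/\s*reqandres\s*>", re.I | re.S)

# Constructed access-log shape: <ts> <client> "<METHOD> <target> HTTP/<ver>" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)
SEVERITY_RANK = {"info": 0, "high": 1, "critical": 2}


def classify_message(message: str) -> dict:
    """Score one decoded 'message' value; usable for query strings or POST bodies."""
    finding = {"severity": "info", "reasons": [], "embedded_command": None}
    if EXECUTE_VERB.search(message):
        finding["severity"] = "high"
        finding["reasons"].append("configuration verb 'execute system' arrives in external input")
    if COMMANDEXEC_NODE.lower() in message.lower():
        finding["severity"] = "high"
        finding["reasons"].append(f"targets internal node {COMMANDEXEC_NODE}")
    m = REQANDRES.search(message)
    if m:
        # The OS command sits in a structured field, so it needs no shell
        # metacharacters; metacharacter-based filters would miss it.
        finding["severity"] = "critical"
        finding["embedded_command"] = m.group(1).strip()
        finding["reasons"].append("structured <reqandres> field carries an OS command")
    return finding


def analyze_line(line: str):
    """Return a finding for a request to the handleMessage endpoint, else None."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if target.path.lower() != HANDLE_MESSAGE_PATH.lower():
        return None
    finding = {
        "ts": m.group("ts"),
        "client": m.group("client"),
        "status": int(m.group("status")),
        "severity": "info",  # any hit on the unauthenticated endpoint is worth a look
        "reasons": ["request to unauthenticated mics-config endpoint"],
        "embedded_command": None,
    }
    # parse_qs decodes percent-encoding and '+', so the verb and tags are visible.
    for message in parse_qs(target.query).get("message", []):
        sub = classify_message(message)
        if SEVERITY_RANK[sub["severity"]] > SEVERITY_RANK[finding["severity"]]:
            finding["severity"] = sub["severity"]
        finding["reasons"].extend(sub["reasons"])
        if sub["embedded_command"] is not None:
            finding["embedded_command"] = sub["embedded_command"]
    return finding


def analyze_log(text: str) -> list:
    """Run analyze_line over a whole log and keep only the endpoint hits."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


# Constructed sample log: one benign request, one structured command, one
# harmless message to the endpoint, one unauthenticated probe.
SAMPLE_LOG = """\
2026-06-10T08:12:01Z 198.51.100.7 "GET /mics/ HTTP/1.1" 200
2026-06-10T08:12:03Z 203.0.113.5 "POST /mics/api/v2/sentry/mics-config/handleMessage?message=execute+system+%2Fconfiguration%2Fsystem%2Fcommandexec+%3Creqandres%3Eid%3C%2Freqandres%3E HTTP/1.1" 200
2026-06-10T08:12:09Z 203.0.113.5 "POST /mics/api/v2/sentry/mics-config/handleMessage?message=status HTTP/1.1" 200
2026-06-10T08:13:00Z 192.0.2.9 "GET /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 401
"""

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["ts"], f["client"], f["severity"], f["embedded_command"], "; ".join(f["reasons"]))
```

The match is on the decoded path and parameter rather than on shell metacharacters, because the payload shape described in the PR contains none: the command is plain text inside an XML-like field. Any real deployment should run `classify_message` over POST bodies as well, since the constructed log only records the query string.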

@carlospolop

Collaborator Author

🔗 Additional Context

Original Blog Post: https://rapid7.com/blog/post/etr-cve-2026-10520-cve-2026-10523-multiple-critical-vulnerabilities-affecting-ivanti-sentry

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting > 80,443 - Pentesting Web Methodology > Ivanti Sentry, or Pentesting Web > Command Injection".

Repository Maintenance:

  • MD Files Formatting: 977 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
