diff --git a/src/pentesting-web/command-injection.md b/src/pentesting-web/command-injection.md
index 41a11880d6a..307c7dfbc4a 100644
--- a/src/pentesting-web/command-injection.md
+++ b/src/pentesting-web/command-injection.md
@@ -94,6 +94,50 @@ Notes:
- Look for the same helper under other prefixes (e.g., `/mifs/c/aftstore/fob/`).
- Arithmetic contexts treat unknown tokens as variable/array identifiers, so this bypasses simple metacharacter filters.
+### Exposed configuration command parsers in appliance APIs
+
+Some appliances expose an **internal configuration bus** over HTTP. If a controller accepts one raw string and forwards it into a privileged parser that tokenizes data into fields like `command`, `module`, `xpath`, and `value`, treat it as a **command DSL** rather than as a normal form parameter. A dangerous shape is:
+
+- unauthenticated route → `handleMessage(message)`
+- tokenization with `StringTokenizer` / `split()` into control fields
+- support for privileged verbs such as `execute`, `test`, `import`, `export`
+- attacker-controlled `xpath`/XML objects reaching a native or reflection-backed bridge
+
+### Hunting workflow
+
+1. **Patch-diff WAR/JAR files** and prioritize changed controllers and service handlers.
+2. **Rebuild the full route** from the container context plus framework mappings (for example `/mics` + controller path + method path).
+3. **List accepted verbs** and follow the one that maps to execution (`EXECUTE`, `RUN`, `TEST`, etc.).
+4. If the patch replaces user input with a **hardcoded internal command**, reuse that constant as the payload template against the vulnerable build.
+
+### Real-world payload shape
+
+In Ivanti Sentry / MobileIron Sentry, the vulnerable `message` parameter was parsed into `command module xpath value` and the `execute` verb routed into an XML-backed native execution path. A minimal probe looked like:
+
+```http
+POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+
+message=execute system /configuration/system/commandexec 1uname -a
+```
+
+Why this shape matters:
+
+- `execute` selects the execution branch
+- `system` selects the module handler
+- `/configuration/system/commandexec` resolves the XML object
+- `` carries the OS command
+- successful exploitation returns command output inside the JSON/XML response wrapper
+
+### Patch-introduced constants can document the exploit grammar
+
+A useful reversing trick is to inspect the **patched** controller and look for newly hardcoded constants. If the fix stops trusting `message` and instead sends a fixed internal command such as `/bin/cat /sys/devices/virtual/dmi/id/product_name`, the constant often reveals the exact grammar expected by the vulnerable parser. In practice, replacing only the final command is often enough to build a working probe.
+
+### Quick triage ideas
+
+- Compare vulnerable vs patched behavior on the same route: old builds may return command output in JSON, while fixed builds often return a redirect (`302`) or a generic auth failure because the vendor added an Apache/front-end auth gate.
+- When reviewing code, treat reflection helpers such as `executeNativeCommand()` or `excuteModuleMethod()` as **privilege bridges**: HTTP input may not call `/bin/sh` directly, but it can still reach native module methods that do.
+
### Parameters
Here are the top 25 parameters that could be vulnerable to code injection and similar RCE vulnerabilities (from [link](https://twitter.com/trbughunters/status/1283133356922884096)):
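Review bot: the bullet "`` carries the OS command" under "Why this shape matters" has an empty inline code span, so the reader cannot tell which token of the `command module xpath value` grammar the bullet refers to; the probe above it also contains a `1` before `uname -a` that none of the five bullets explains. Name the field explicitly (for example, "the `value` field carries ...") so the list matches the four-field grammar introduced in the "Real-world payload shape" paragraph. Two smaller points in the same hunk: `excuteModuleMethod()` reads like a typo of `executeModuleMethod()`; if it is the vendor's actual identifier, say so inline so nobody "fixes" it later, otherwise correct it. And the new section describes the Ivanti Sentry case without an inline citation or CVE ID, while the references added at the bottom of this patch do carry them; a short "(see CVE-2026-10520 reference below)" in the "Real-world payload shape" paragraph would tie the two together.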
@@ -287,5 +331,8 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject
- [HTB: Gavel](https://0xdf.gitlab.io/2026/03/14/htb-gavel.html)
- [CVE-2023-27350.py (auth bypass + print scripting automation)](https://github.com/horizon3ai/CVE-2023-27350/blob/main/CVE-2023-27350.py)
- [Unit 42 – Bash arithmetic expansion RCE in Ivanti RewriteMap scripts](https://unit42.paloaltonetworks.com/ivanti-cve-2026-1281-cve-2026-1340/)
+- [watchTowr Labs – Ivanti Sentry pre-auth OS command injection (CVE-2026-10520)](https://labs.watchtowr.com/more-evidence-that-words-dont-mean-what-we-thought-they-meant-ivanti-sentry-pre-auth-os-command-injection-cve-2026-10520/)
+- [Ivanti Security Advisory – Ivanti Sentry CVE-2026-10520 / CVE-2026-10523](https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US)
+- [watchTowr Detection Artefact Generator – Ivanti Sentry RCE / Auth Bypass](https://github.com/watchtowrlabs/watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523)
{{#include ../banners/hacktricks-training.md}}
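Review bot: the three added references follow the existing " – " title style and are placed before the banner include consistently with the lines above, which is fine. The third entry (watchTowr Detection Artefact Generator) is the defender-facing one; consider pointing to it from the "Quick triage ideas" bullets in the first hunk, since those bullets discuss distinguishing vulnerable from patched behaviour on the same route and that is exactly what a detection artefact generator is for.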