HeadlinesBriefing.com

Critical pre‑auth RCE in Ivanti Sentry demands immediate patch

Hacker News

Ivanti Sentry devices harbor a pre-authentication OS command injection tracked as CVE-2026-10520. The flaw scores a perfect 10.0 on CVSS and lets unauthenticated attackers execute arbitrary commands as root via the /mics/api/v2/sentry/mics-config/handleMessage endpoint. CISA added the bug to its Known Exploited Vulnerabilities catalog on June 11, imposing a 3-day remediation deadline for affected entities.

The vulnerable API accepts POST data that is passed straight to Java reflection, and it returns the command output in the HTTP response. Sentry appliances typically listen on TCP 8443 in the DMZ, making them internet-reachable. Security teams can locate exposed instances by scanning for port 8443, inspecting TLS certificates for Ivanti branding, probing the /mics login page, and querying DNS patterns such as sentry-*.

Ivanti shipped fixes in releases R10.5.2, R10.6.2 and R10.7.1 that harden the endpoint and force a 302 redirect for unauthenticated calls. Administrators should apply the update immediately, restrict inbound traffic to port 8443, and enable mTLS where possible. CVE-2026-10523, an authentication bypass, must be remediated in parallel to prevent rogue admin accounts.

The RECON mobile app bundles the entire investigation workflow: port scanning, TLS fingerprinting, HTTP header analysis, DNS enumeration, and CVE lookup. Analysts can run these checks from a phone, cross-reference Shodan for internet-exposed instances, and review logs for POST requests to the vulnerable endpoint. Using RECON streamlines detection and response in real time across multiple network segments.
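
A log-review sketch for the POST check mentioned above, added here as an example and not taken from Ivanti or the RECON app. It assumes access logs in Apache/nginx combined format (the page does not describe Sentry's own log format) and runs on constructed sample lines; a POST answered with anything other than the 302 that the patched releases return is marked for follow-up, which is a triage signal and not proof of compromise.

```python
import re
from collections import defaultdict

# Endpoint named in the article.
ENDPOINT = "/mics/api/v2/sentry/mics-config/handleMessage"

# Assumption: combined-format access log from the appliance or a fronting proxy.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def triage(lines):
    """Return {source: [(timestamp, status, verdict), ...]} for POSTs to ENDPOINT."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Compare the path only: drop the query string and a trailing slash.
        # Case is folded so the filter over-matches rather than misses a hit.
        path = m["target"].split("?", 1)[0].rstrip("/")
        if path.lower() != ENDPOINT.lower():
            continue
        status = int(m["status"])
        # Per the article, patched releases answer unauthenticated calls with 302.
        verdict = "redirected" if status == 302 else "investigate"
        hits[m["src"]].append((m["ts"], status, verdict))
    return dict(hits)


# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '198.51.100.7 - - [11/Jun/2026:04:12:09 +0000] "POST '
    '/mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 412 "-" "-"',
    '203.0.113.20 - - [12/Jun/2026:09:30:41 +0000] "POST '
    '/mics/api/v2/sentry/mics-config/handleMessage?x=1 HTTP/1.1" 302 0 "-" "-"',
    '192.0.2.15 - - [12/Jun/2026:09:31:02 +0000] "GET /mics/ HTTP/1.1" 200 2310 "-" "-"',
    "truncated or malformed line",
]

if __name__ == "__main__":
    for src, events in triage(SAMPLE).items():
        for ts, status, verdict in events:
            print(f"{verdict:11} {src:15} {ts} status={status}")
```

Sources marked `investigate` are the ones to correlate with the patch date of the appliance and with any admin accounts created around the same time.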