Introduction
A remote unauthenticated attacker can create arbitrary administrative accounts on Ivanti Sentry systems running versions prior to R10.5.2, R10.6.2, and R10.7.1, effectively granting complete control over the gateway and all mobile enterprise traffic it manages. With a CVSS score of 9.9 and a structural twin (CVE-2023-38035) that was actively exploited in the wild and landed on the CISA Known Exploited Vulnerabilities catalog, CVE-2026-10523 demands immediate attention from any organization running Ivanti Sentry.
Ivanti Sentry (formerly MobileIron Sentry) is an in-line gateway that manages, encrypts, and secures traffic between mobile devices and back-end enterprise systems such as email, calendar, and contacts servers. It is a core component of the Ivanti Unified Endpoint Management (UEM) platform, widely deployed across enterprises and government agencies to enforce mobile security policies. Its position as a traffic intermediary between endpoints and corporate resources makes it a particularly consequential target when compromised.
Technical Information
Root Cause: CWE-288 Authentication Bypass Using an Alternate Path or Channel
CVE-2026-10523 is classified under CWE-288, which describes a weakness where a product correctly requires authentication for a given resource on its primary interface but exposes an alternate path or channel that does not enforce that authentication. According to the MITRE CWE definition, the alternate route may be a different URL, API endpoint, hardware register, or communication channel that allows an attacker to bypass intended access controls entirely.
In the CWE hierarchy, CWE-288 is a child of CWE-306 (Missing Authentication for Critical Function) and a parent of CWE-425 (Direct Request / Forced Browsing) and CWE-1299 (Missing Protection Mechanism for Alternate Hardware Interface). It overlaps with CWE-420 (Unprotected Alternate Channel), though the two are distinct in their focus on path versus channel. Authentication bypass of this type often results from architectural or design flaws, such as assuming a front-end screen is the only entry point when back-end programs or debugging interfaces remain directly accessible.
The NVD description for CVE-2026-10523 states: an Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access. The NVD has not yet provided its own CVSS assessment; the 9.9 score originates from the CNA (Ivanti itself).
Attack Flow
Based on the CVE description and the CWE-288 classification, the exploitation path follows a well understood pattern:
-
Discovery: The attacker identifies a network accessible Ivanti Sentry instance. Given Sentry's role as a gateway, these systems often have network interfaces reachable from external or semi-trusted network segments.
-
Alternate path identification: The attacker discovers an administrative path, likely an API endpoint or internal script, that does not enforce the same authentication controls as the primary administrator login interface. Common CWE-288 exploitation patterns include direct requests to internal scripts or APIs, bypassing a web application's login page by directly requesting an administrative URL that was not meant to be publicly reachable.
-
Unauthenticated administrative account creation: Through this unprotected path, the attacker creates one or more arbitrary administrative accounts without providing any credentials.
-
Full administrative access: With valid administrative credentials now in hand, the attacker logs into the Sentry management interface through normal channels, gaining complete control over the gateway.
-
Post exploitation: An attacker with administrative access to Ivanti Sentry can monitor, intercept, and manipulate all mobile traffic passing through the gateway. This potentially exposes corporate email, calendar, contacts, and other sensitive data. The compromised Sentry system also serves as a pivot point for lateral movement into the broader corporate network.
The CVE-2023-38035 Precedent
The most directly analogous vulnerability is CVE-2023-38035, an API Authentication Bypass on the Ivanti Sentry Administrator Interface disclosed in August 2023. This vulnerability impacted Ivanti Sentry versions 9.18 and above and was also classified as an authentication bypass affecting the System Manager Portal.
Horizon3 AI published a deep dive analysis of CVE-2023-38035, revealing that the vulnerability allowed an unauthenticated attacker to bypass authentication on the Sentry administrator API interface. The exploit involved directly accessing API endpoints that should have required authentication but did not enforce it, enabling the attacker to perform administrative actions without credentials.
Darktrace observed real-world exploitation of CVE-2023-38035 in customer environments. After exploitation, attackers performed reconnaissance and moved laterally within the network. The attack was detected through anomalous behavior patterns on the compromised Sentry appliance, including unusual external connections and internal scanning activity.
The structural similarity between CVE-2023-38035 and CVE-2026-10523 is notable: both are CWE-288 authentication bypasses in Ivanti Sentry, both require no authentication, and both target the administrative interface. This recurrence of the same vulnerability class in the same product, separated by roughly three years, points to persistent architectural issues in how Sentry implements authentication boundaries.
Companion Vulnerability: CVE-2026-10520
The official Ivanti advisory URL references both CVE-2026-10523 and CVE-2026-10520, indicating that two Sentry vulnerabilities were addressed in the same security update. Specific details about CVE-2026-10520 were not available from the advisory page at the time of this analysis. Organizations should treat both CVEs as critical and apply the patched versions that address both simultaneously.
Impact Assessment
The impact of CVE-2026-10523 is maximal due to the convergence of three factors: no authentication is required for exploitation, the attack is remotely executable over the network, and successful exploitation grants full administrative control including the ability to create persistent backdoor accounts. The absence of any user interaction requirement means exploitation can be fully automated.
| Dimension | CVE-2026-10523 (Current) | CVE-2023-38035 (Precedent) | CVE-2026-6973 (EPMM) |
|---|---|---|---|
| Vulnerability Type | CWE-288 Auth Bypass | CWE-288 Auth Bypass | Improper Input Validation |
| Product | Ivanti Sentry | Ivanti Sentry | Ivanti EPMM |
| Authentication Required | None | None | Authenticated admin |
| CVSS Score | 9.9 | Critical | High |
| Active Exploitation | Not yet confirmed | Yes (CISA KEV) | Yes (CISA mandate) |
| Impact | Arbitrary admin account creation | Admin interface access | Remote code execution |
The critical divergence between CVE-2026-10523 and CVE-2026-6973 lies in the authentication requirement: CVE-2026-10523 requires no credentials at all, while CVE-2026-6973 requires an authenticated admin user. This makes CVE-2026-10523 significantly more dangerous as an initial access vector.
Affected Systems and Versions
The following Ivanti Sentry versions are vulnerable:
| Release Branch | Vulnerable Versions | Fixed Version |
|---|---|---|
| R10.5.x | All versions before R10.5.2 | R10.5.2 |
| R10.6.x | All versions before R10.6.2 | R10.6.2 |
| R10.7.x | All versions before R10.7.1 | R10.7.1 |
Organizations running any Ivanti Sentry release prior to these fixed versions on any of the three branches are affected. The vulnerability is exploitable remotely without authentication, so any Sentry instance with network reachable administrative interfaces is at risk.
Recommended Mitigations
Organizations should upgrade to the appropriate fixed version immediately. Until patching is complete, the following compensating controls should be applied:
Network segmentation: Restrict network access to Ivanti Sentry administrative interfaces. Place Sentry management ports behind firewalls and allow access only from authorized administrative VLANs or IP ranges.
Eliminate internet facing exposure: If Ivanti Sentry administrative interfaces are exposed to the internet, immediately restrict access to trusted internal networks only. The similar CVE-2023-38035 was exploited through internet facing Sentry instances.
Audit administrative accounts: Review all current administrative accounts on Sentry systems for legitimacy and remove any unauthorized accounts that may have been created through exploitation. Monitor for anomalous account creation going forward.
Post patch verification: After applying the update, verify the Sentry version matches one of the fixed releases, conduct a full audit of administrative accounts created before the patch was applied, and review Sentry logs for any evidence of unauthorized administrative activity.
The MITRE CWE-288 guidance provides two architectural mitigations relevant to this class of vulnerability: funnel all access through a single choke point so that every request to a protected resource must pass through one centralized authentication and authorization gateway, and for every access regardless of entry point, perform a consistent permission check that validates the user's identity and rights before granting access.
Vendor Security History
Ivanti has experienced a significant and recurring pattern of critical security vulnerabilities across its product line. The recurrence of CWE-288 authentication bypass vulnerabilities is particularly notable.
| Vulnerability | Product | Severity | Exploitation Status | Year |
|---|---|---|---|---|
| CVE-2023-38035 | Ivanti Sentry | Critical | Actively exploited, added to CISA KEV | 2023 |
| CVE-2023-41724 | Ivanti Standalone Sentry | N/A | Patch available | 2023 |
| CVE-2025-22457 | Ivanti Connect Secure/Policy Secure/Neurons for ZTA | Critical | Actively exploited | 2025 |
| CVE-2025-22462 | Ivanti Neurons for ITSM | Critical (CWE-288) | Auth bypass | 2025 |
| CVE-2026-1281 | Ivanti EPMM | Critical | Zero day, actively exploited | 2026 |
| CVE-2026-1340 | Ivanti EPMM | Critical | Zero day, actively exploited | 2026 |
| CVE-2026-6973 | Ivanti EPMM | High | Actively exploited, CISA mandate | 2026 |
| CVE-2026-10520 | Ivanti Sentry | N/A | Patch available | 2026 |
| CVE-2026-10523 | Ivanti Sentry | 9.9 Critical | Not yet confirmed | 2026 |
CISA published Advisory AA25-022A documenting how threat actors chained vulnerabilities in Ivanti Cloud Service products, noting that "these vulnerabilities were exploited as zero days" based on evidence of active exploitation. Ivanti products have appeared repeatedly in the CISA Known Exploited Vulnerabilities catalog, subjecting federal agencies to mandatory patching deadlines.
The recurrence of CWE-288 across Ivanti's product line (Sentry in 2023, Neurons for ITSM in 2025, and Sentry again in 2026) reveals a systemic architectural failure in how Ivanti implements authentication boundaries. The MITRE CWE-288 mitigations of funneling all access through a single choke point and performing a check for every access appear to not have been consistently applied across Ivanti's codebase despite prior vulnerabilities of this exact type. This pattern suggests that organizations should not rely solely on Ivanti's patching cadence but should implement defense in depth controls including network segmentation, continuous monitoring, and reduced internet facing exposure of Ivanti management interfaces.
References
- NVD: CVE-2026-10523
- Ivanti Security Advisory: Ivanti Sentry CVE-2026-10520 and CVE-2026-10523
- MITRE CWE-288: Authentication Bypass Using an Alternate Path or Channel
- Ivanti Sentry Product Page
- Ivanti Advisory: CVE-2023-38035 API Authentication Bypass on Sentry Administrator Interface
- Horizon3 AI: Ivanti Sentry Authentication Bypass CVE-2023-38035 Deep Dive
- Darktrace: Entry via Sentry, Analyzing the Exploitation of a Critical Vulnerability in Ivanti Sentry
- CISA Known Exploited Vulnerabilities Catalog
- CISA Advisory AA25-022A: Threat Actors Chained Vulnerabilities in Ivanti Cloud Service
- BleepingComputer: Ivanti Warns of Two EPMM Flaws Exploited in Zero Day Attacks
- The Hacker News: Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation
- ZeroPath: Ivanti Neurons for ITSM CVE-2025-22462 Auth Bypass
- Huntress: Ivanti Mass Zero Day Exploits Data Breach
- runZero: Ivanti Gateway Vuln CVE-2025-22457, How to Find Affected Systems
- SentinelOne: What Is Authentication Bypass? Techniques and Examples



