CVE-2026-10523
Published: 09 June 2026
Summary
CVE-2026-10523 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Ivanti Standalone Sentry. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
An Authentication Bypass vulnerability tracked as CVE-2026-10523 affects Ivanti Sentry versions prior to R10.5.2, R10.6.2, and R10.7.1. The flaw, categorized under CWE-288, permits remote attackers to circumvent authentication controls in the product.
A remote unauthenticated attacker can exploit the issue over the network to create arbitrary administrative accounts, gaining full administrative access to the affected Ivanti Sentry instance. The vulnerability carries a CVSS 3.1 base score of 9.9, reflecting high impact on confidentiality, integrity, and availability together with a scope change.
The referenced Ivanti security advisory addresses both CVE-2026-10523 and a related issue, directing administrators to upgrade to the fixed releases R10.5.2, R10.6.2, or R10.7.1 to remediate the authentication bypass.
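The advisory names the fixed releases per branch (R10.5.2, R10.6.2, R10.7.1), so a patch-status check has to compare within a branch rather than against a single number. The following inventory triage is an added example, not code from the advisory or from Ivanti; it assumes the version syntax "R<major>.<minor>[.<patch>]", that branches older than every fixed branch are affected, and that branches newer than the newest fixed branch already carry the fix (none of which the page states).

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_RELEASES = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}

# Assumed version syntax "R<major>.<minor>[.<patch>]" (not stated on the page).
_VERSION_RE = re.compile(r"^R?(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for strings like 'R10.6.1'; None if malformed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> Optional[bool]:
    """True if the version predates the fix for its branch; None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is not None:
        return parsed < fixed
    # Assumption: branches older than every fixed branch predate the fix,
    # branches newer than the newest fixed branch already carry it.
    return parsed < max(FIXED_RELEASES.values())


def triage(inventory: dict) -> dict:
    """Label each host 'affected', 'fixed' or 'unknown' for patch reporting."""
    labels = {True: "affected", False: "fixed", None: "unknown"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "sentry-dmz-01": "R10.5.1",    # affected: below R10.5.2
    "sentry-dmz-02": "R10.6.2",    # fixed
    "sentry-lab": "R10.7.0",       # affected: below R10.7.1
    "sentry-legacy": "R10.4.6",    # affected: predates all fixed branches
    "sentry-bad-tag": "build-77",  # unknown: version string not parseable
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a manual version lookup; a malformed inventory tag should never be silently treated as patched.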
EPSS for the CVE remains flat at 0.0906 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-35441
Vulnerability details
An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.
- CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authentication bypass in public-facing Ivanti Sentry directly enables remote exploitation (T1190) and creation of local admin accounts (T1136.001).
Affected Assets
Ivanti Standalone Sentry, versions before R10.5.2, R10.6.2 and R10.7.1.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces access control policies to block unauthenticated creation of administrative accounts.
- IA-2 (Identification and Authentication (Organizational Users)): Requires identification and authentication of users before permitting any account management actions.
- Restricts account creation privileges and monitors privileged account provisioning to limit abuse from bypassed authentication.