Cyber Resilience

CVE-2026-10523

Severity: Critical (record updated)

Published: 09 June 2026
Modified: 22 June 2026
KEV Added: (not listed)
Remediation: Patch
CVSS Score v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.4719 (98.7th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-10523 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Ivanti Standalone Sentry. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.3% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

An Authentication Bypass vulnerability tracked as CVE-2026-10523 affects Ivanti Sentry versions prior to R10.5.2, R10.6.2, and R10.7.1. The flaw, categorized under CWE-288, permits remote attackers to circumvent authentication controls in the product.

A remote unauthenticated attacker can exploit the issue over the network to create arbitrary administrative accounts, resulting in full administrative access to the affected Ivanti Sentry instance. The vulnerability carries a CVSS 3.1 base score of 9.9, reflecting high impact on confidentiality, integrity, and availability combined with a scope change (S:C in the vector).

The referenced Ivanti security advisory addresses both CVE-2026-10523 and a related issue, directing administrators to upgrade to the fixed releases R10.5.2, R10.6.2, or R10.7.1 to remediate the authentication bypass.

EPSS for the CVE remains flat at 0.0906 with no material increase observed after disclosure.

Vulnerability details

An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.

CWE(s)

CWE-288: Authentication Bypass Using an Alternate Path or Channel

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1136.001 Local Account (Persistence): Adversaries may create a local account to maintain access to victim systems.
Why these techniques?

Authentication bypass in public-facing Ivanti Sentry directly enables remote exploitation (T1190) and creation of local admin accounts (T1136.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Vendor: ivanti
Product: standalone sentry
Affected versions: 10.7.0; ≤ 10.5.2; 10.6.0 to 10.6.2

Mitigating Controls (NIST 800-53 r5, AI-mapped)

prevent: AC-3 (Access Enforcement). Directly enforces access control policies to block unauthenticated creation of administrative accounts.

prevent: IA-2 (Identification and Authentication (Organizational Users)). Requires identification and authentication of users before permitting any account management actions.

prevent: Restricts account creation privileges and monitors privileged account provisioning to limit abuse from bypassed authentication.

References