Ivanti has disclosed a second critical vulnerability in its Sentry mobile device management gateway — CVE-2026-10523, an authentication bypass flaw with a CVSS score of 9.9 — that chains with the already-critical CVE-2026-10520 (CVSS 10.0, pre-authentication remote code execution) to achieve complete, unauthenticated control of the appliance. Organisations that deployed the initial Sentry patch for CVE-2026-10520 must apply additional updates; the two vulnerabilities affect overlapping but distinct code paths and no single patch addresses both.
Vulnerability Details
CVE-2026-10523 resides in the Sentry web management interface and allows an unauthenticated remote attacker to bypass the authentication mechanism protecting the administrative API. The flaw arises from an improper session validation check that can be bypassed through a crafted request sequence, granting the attacker access to administrative endpoints without valid credentials.
In isolation, CVE-2026-10523 permits configuration manipulation — a serious concern given that Sentry acts as a policy enforcement gateway for mobile device access to corporate email and application infrastructure. Chained with CVE-2026-10520, which enables pre-authentication remote code execution through the Sentry SuperAdmin API, an attacker gains code execution capabilities requiring no credentials at any stage of the attack chain.
| CVE | CVSS | Type | Patch Status |
|---|---|---|---|
| CVE-2026-10520 | 10.0 | Pre-auth RCE via SuperAdmin API | Patched in 9.18.2 |
| CVE-2026-10523 | 9.9 | Authentication bypass in management API | Patched in 9.19.0 |
Ivanti Sentry versions 9.18.x and earlier are affected by CVE-2026-10523. The corrective release 9.19.0 addresses both CVEs; 9.18.2 addressed only CVE-2026-10520.
Why the Chain Matters
Compound vulnerability chains across related CVEs are particularly dangerous in the period immediately following an initial disclosure. Organisations that treated CVE-2026-10520 as a completed remediation — applying patches and standing down their incident response posture — may have prematurely closed their investigation. CVE-2026-10523 re-opens the attack surface through a different code path that the first patch did not address.
Ivanti Sentry occupies a sensitive position in enterprise architecture: it sits between the internet and internal Exchange, ActiveSync, and application gateway infrastructure, enforcing device compliance and MDM policy. A fully compromised Sentry instance gives attackers the ability to bypass mobile device security controls, intercept ActiveSync communications, and pivot to internal corporate mail and application systems without triggering conventional endpoint detection controls.
Rapid7 identified the companion CVE during analysis of the initial advisory and coordinated disclosure with Ivanti. The four-day gap between CVE-2026-10520’s Patch Tuesday disclosure and CVE-2026-10523’s publication creates a narrow window where organisations may incorrectly believe their remediation is complete.
Recommended Actions
- Apply Ivanti Sentry 9.19.0 immediately — this version addresses both CVE-2026-10520 and CVE-2026-10523; the 9.18.2 patch for CVE-2026-10520 alone is insufficient
- Re-validate Sentry network exposure — the management interface should be accessible only from management VLANs; confirm firewall rules have not drifted since the initial CVE-2026-10520 response
- Review Sentry audit logs for authentication anomalies in the 14 days preceding this advisory — the CVE-2026-10523 code path may have been discovered independently prior to coordinated disclosure
- Brief your MDM team that mobile device compliance enforcement may have been compromised — validate that device policy has not been modified on enrolled devices
- Monitor Ivanti advisories for 30 days following any major Ivanti disclosure; the vendor has a pattern of disclosing companion vulnerabilities in rapid succession, and security teams should maintain elevated vigilance beyond the initial patch cycle
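The first action above hinges on a version detail that is easy to get wrong in an inventory sweep: 9.18.2 closes only CVE-2026-10520, while 9.19.0 is needed for both. The following triage script, an added example that is not from the advisory, Ivanti or Rapid7, applies exactly those fix versions to a constructed list of Sentry hosts so that appliances left at the partial 9.18.2 fix are flagged separately from unpatched ones. Hostnames and version strings are made up, and it assumes Sentry reports versions as plain dotted integers.

```python
# Fix versions as stated in the advisory: 9.18.2 fixed only CVE-2026-10520,
# 9.19.0 fixed both CVEs. Anything below 9.19.0 still exposes CVE-2026-10523.
FIX_VERSIONS = {
    "CVE-2026-10520": (9, 18, 2),
    "CVE-2026-10523": (9, 19, 0),
}


def parse_version(text: str) -> tuple:
    """Parse a dotted version string such as '9.18.2' into a tuple of ints.
    Missing trailing components count as zero, so '9.18' becomes (9, 18, 0)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums)) if len(nums) < 3 else nums


def remediation_status(version: str) -> dict:
    """Return {cve: patched?} for a reported Sentry version."""
    v = parse_version(version)
    return {cve: v >= fix for cve, fix in FIX_VERSIONS.items()}


def triage(inventory: dict) -> dict:
    """Classify each host so that the 'patched for the first CVE only' case,
    which a team that stood down after 9.18.2 would miss, stands out."""
    verdicts = {}
    for host, version in inventory.items():
        status = remediation_status(version)
        if all(status.values()):
            verdicts[host] = "fully patched"
        elif status["CVE-2026-10520"] and not status["CVE-2026-10523"]:
            verdicts[host] = "partially patched (CVE-2026-10523 open)"
        else:
            verdicts[host] = "unpatched"
    return verdicts


# Constructed sample inventory; hostnames and versions are invented for the demo.
SAMPLE_INVENTORY = {
    "sentry-dc1": "9.19.0",
    "sentry-dc2": "9.18.2",
    "sentry-lab": "9.17.4",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Feed it the version strings collected from your own appliances; any host in the "partially patched" bucket still needs the 9.19.0 upgrade and the log review described above.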