More Evidence That Words Don’t Mean What We Thought They Mea...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://labs.watchtowr.com/more-evidence-that-words-dont-mean-what-we-thought-they-meant-ivanti-sentry-pre-auth-os-command-injection-cve-2026-10520
• Blog Title: More Evidence That Words Don’t Mean What We Thought They Meant: Ivanti Sentry Pre-Auth OS Command Injection CVE-2026-10520
• Suggested Section: Network Services Pentesting > 80,443 - Pentesting Web Methodology > Ivanti Sentry / MobileIron Sentry, or Pentesting Web > Command Injection

🎯 Content Summary

Ivanti Sentry pre-authenticated OS command injection: CVE-2026-10520

The post analyzes CVE-2026-10520, a pre-authenticated OS command injection vulnerability in Ivanti Sentry / MobileIron Sentry before R10.5.2, R10.6.2, and R10.7.1. Ivanti described the impact as allowing a remote unauthenticated attacker to achieve root-level remote code execution, with a CVSS score of 10.0.

Ivanti also disclosed CVE-2026-10523, an Auth...

🔧 Technical Details

Patch diffing to find exposed execution sinks: Compare vulnerable and patched appliance packages, especially WAR/JAR files, to identify changed controller logic. In this case, diffing mics.war showed that only mics-core-10.5.1-R10.5.1.jar changed to mics-core-10.5.2-R10.5.2.jar. The changed code was in mics-core/com/mi/middleware/rest/controller/ConfigServiceController.java. Reconstructing the route from the Tomcat context /mics, the Spring controller mapping /api/v2/sentry/mics-config, and the method mapping /handleMessage produced the attack surface: /mics/api/v2/sentry/mics-config/handleMessage.

Abusing exposed configuration command parsers: If an unauthenticated web endpoint accepts a raw string and passes it into an internal configuration service, treat that string as a possible DSL or command language. Here, message is tokenized into co...

🤖 Agent Actions

Done.

Updated

• src/pentesting-web/command-injection.md

What I added

A new section covering the reusable technique behind the Ivanti Sentry bug:

• exposed configuration command parsers / internal command DSLs
• how to patch-diff WAR/JARs to recover hidden execution routes
• how to identify command/module/xpath/value parsers
• how patched hardcoded constants can reveal exploit grammar
• a concise Ivanti Sentry payload shape example
• quick triage notes on 302/auth-gate behavior and reflection-backed execution bridges

Why this location

I chose the existing Command Injection page instead of creating a new Ivanti-specific page, because the useful addition is the general technique: HTTP-exposed internal config-command execution leading to OS command execution.

References added

• watchTowr blog
• Ivanti advisory
• watchTowr detection repo

Validation

• Reviewed diff: only one file changed.
• Tried mdbook build, but mdbook is not installed in this environment (mdbook: command not found).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://labs.watchtowr.com/more-evidence-that-words-dont-mean-what-we-thought-they-meant-ivanti-sentry-pre-auth-os-command-injection-cve-2026-10520

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting > 80,443 - Pentesting Web Methodology > Ivanti Sentry / MobileIron Sentry, or Pentesting Web > Command Injection".

Repository Maintenance:

• MD Files Formatting: 977 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0