explaingit

watchtowrlabs/watchtowr-vs-ivanti-sentry-rce-cve-2026-10520-cve-2026-10523

12 · Python · Audience · ops devops · Complexity · 2/5 · Setup · easy

TLDR

A single Python script that tests whether an Ivanti Sentry server is vulnerable to two critical flaws, CVE-2026-10520 and CVE-2026-10523, which let attackers bypass login and run commands on the server without an account. Built by watchTowr Labs for security teams auditing their own systems.

Mindmap

mindmap
  root((repo))
    What it does
      Auth bypass test
      Remote code check
      Output to terminal
    Tech Stack
      Python script
    Vulnerabilities
      CVE-2026-10520
      CVE-2026-10523
      Ivanti Sentry
    Use Cases
      Self audit
      Patch verification
    Remediation
      Official advisory
      Apply patch

Things people build with this

USE CASE 1

Point the script at your own Ivanti Sentry server to confirm whether it is vulnerable to authentication bypass before attackers find it.

USE CASE 2

Verify that the official Ivanti security patch was applied correctly by checking that the script can no longer run commands on the server.

USE CASE 3

Generate documented evidence of CVE-2026-10520 or CVE-2026-10523 exposure during a security audit by capturing the terminal output.

Tech stack

Python

Getting it running

Difficulty · easy · Time to first run · 5 min

Requires a live Ivanti Sentry instance URL to test against.

In plain English

This repository contains a detection tool released by watchTowr Labs targeting two security vulnerabilities in Ivanti Sentry, a product many organizations use to manage access to corporate email and other services on mobile devices. The vulnerabilities are tracked as CVE-2026-10520 and CVE-2026-10523, and together they allow an attacker to bypass authentication and then run arbitrary commands on the server without needing a valid account.

The tool is a single Python script. You point it at a target URL and give it a command to run. If the target system is unpatched, it sends a specially crafted request to a specific API endpoint, the server executes the command, and the output is printed back. The README includes an example showing the server responding with its Linux kernel version, which confirms the command executed successfully on the remote machine.

watchTowr frames this as a detection artifact generator, meaning it is intended for security teams to verify whether their own Ivanti Sentry installations are vulnerable before an attacker finds them. The tool does not hide what it is doing: it prints the target, the command, and the result clearly in the terminal.

Remediation means applying the patch from the official Ivanti security advisory. The README links directly to that advisory. Anyone running Ivanti Sentry should check whether they have applied the fix, because this tool makes it straightforward for anyone to test an exposed instance.

Copy-paste prompts

Prompt 1
My organization runs Ivanti Sentry at https://sentry.example.com. Walk me through running the watchTowr detection script to check if it is vulnerable to CVE-2026-10520 or CVE-2026-10523.
Prompt 2
Explain in plain terms how CVE-2026-10520 and CVE-2026-10523 work in Ivanti Sentry and why an attacker without any account can still run commands on the server.
Prompt 3
Write a Python wrapper that takes a list of Ivanti Sentry URLs, runs the watchTowr RCE detection script against each one, and saves the results to a CSV file.
Prompt 4
What steps should I take right away if the watchTowr Ivanti Sentry script confirms my server is vulnerable, before I can apply the patch?

Verify against the repo before relying on details.