Pre-auth OS Command Injection in Ivanti Sentry

This repository is a small, single-purpose Python proof-of-concept for Ivanti Sentry authentication bypass and remote code execution associated with CVE-2026-10520 and CVE-2026-10523. The repo contains only two files: a README with usage/output examples and one Python script that performs the attack. The script is not part of a larger exploitation framework. The main capability is unauthenticated remote command execution against an Ivanti Sentry target. The operator supplies a base URL and an arbitrary command via --cmd. The script constructs a POST request to the Ivanti Sentry endpoint /mics/api/v2/sentry/mics-config/handleMessage with Content-Type application/x-www-form-urlencoded and a crafted message parameter containing an XML-like commandexec structure. It disables TLS certificate verification, optionally supports an HTTP proxy, and does not follow redirects. After sending the request, the script parses the response body and optionally JSON-decodes it. It checks for success markers ('Message handled successfully' and '<result><success>...') and extracts the command output with a regular expression. If extraction succeeds, it reports the target as vulnerable and prints the returned command output; otherwise it reports the target as not vulnerable. Repository structure is minimal and operational: README.md documents the vulnerability and demonstrates exploitation, while watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523.py is the executable entry point. Although described as a 'Detection Artifact Generator,' the code actively triggers command execution on the target, so it functions as a real exploit/verification tool rather than a passive detector.