Vulnerability exploit (Ongoing)

Max-severity Ivanti Sentry flaw exploited for root code execution (CVE-2026-10520)

Ivanti patched a maximum-severity unauthenticated command-injection flaw in its Sentry mobile gateway that gives attackers root-level remote code execution, and within days real-world exploitation followed a public proof-of-concept, prompting CISA to add it to its Known Exploited Vulnerabilities catalog.

Victim: Ivanti Sentry
CVEs: CVE-2026-10520, CVE-2026-10523

On 10 June 2026, Ivanti, the Utah-based enterprise IT and security vendor, disclosed and patched a pair of critical vulnerabilities in Ivanti Sentry, the gateway appliance (formerly MobileIron Sentry) that brokers access between mobile devices and corporate back-end systems. The headline flaw, CVE-2026-10520, carries the maximum CVSS score of 10.0: an unauthenticated, remote attacker can execute arbitrary operating-system commands as root.

What happened

CVE-2026-10520 is an OS command-injection bug in the ConfigServiceController class of the Sentry web application. Researchers traced it to the unauthenticated endpoint /mics/api/v2/sentry/mics-config/handleMessage, which parses an attacker-supplied message parameter as an internal configuration command and ultimately runs it as root. A companion flaw, CVE-2026-10523 (CVSS 9.9), is an authentication bypass that lets an attacker create arbitrary administrative accounts on the appliance. Both affect Sentry 10.5.1, 10.6.1, 10.7.0 and earlier, and are fixed in 10.5.2, 10.6.2 and 10.7.1.
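For defenders triaging this flaw, two questions matter first: is a given Sentry build below the fixed version for its branch, and has anything reached the unauthenticated handleMessage endpoint from an untrusted network. The script below is an added example (not Ivanti's code or any vendor tooling) that answers both against the versions and endpoint named above; the log lines are constructed samples in combined log format, and treating branches newer than 10.7 as "not covered" is an assumption, since the advisory text here lists only 10.5 through 10.7.

```python
import re
from typing import Optional

# Endpoint named in the write-ups; any request to it from outside the
# management network is a triage signal regardless of payload content.
VULN_ENDPOINT = "/mics/api/v2/sentry/mics-config/handleMessage"

# Fixed builds per the advisory. A build below its branch's fixed version,
# or any branch older than 10.5, is treated as affected ("and earlier").
FIXED_BY_BRANCH = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the Sentry build predates the fix for CVE-2026-10520.
    Returns None for branches newer than 10.7 (assumed: not in the advisory)."""
    ver = parse_version(version)
    branch = ver[:2]
    if branch < (10, 5):
        return True
    fixed = FIXED_BY_BRANCH.get(branch)
    return None if fixed is None else ver < fixed


# Combined-log-format line: client, method, path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def flag_requests(lines):
    """Return (client, method, status) for every request whose path is the
    unauthenticated handleMessage endpoint, ignoring any query string."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        if path.split("?", 1)[0] == VULN_ENDPOINT:
            hits.append((client, method, int(status)))
    return hits


# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Jun/2026:02:14:09 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 512',
    '198.51.100.23 - - [11/Jun/2026:02:15:01 +0000] "GET /mics/login.html HTTP/1.1" 200 2048',
    '203.0.113.7 - - [11/Jun/2026:02:15:30 +0000] "GET /mics/api/v2/sentry/mics-config/handleMessage?x=1 HTTP/1.1" 500 93',
]
```

A hit with status 200 from an internet-facing client is the case to escalate; the version check decides whether the appliance needs the fixed build before that traffic is analysed further.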

Ivanti said it was not aware of active exploitation at the time of disclosure, but real-world attacks followed quickly once public exploit code circulated. The Shadowserver Foundation reported a surge in exploitation attempts and backdoored gateways exposed on the internet, and on 11 June CISA added CVE-2026-10520 to its Known Exploited Vulnerabilities catalog, ordering federal civilian agencies to patch within three days (by 14 June 2026) under Binding Operational Directive 26-04.

Why it matters

Sentry sits at the network edge, terminating connections from managed mobile devices, so an unauthenticated path to root on the appliance hands an attacker a beachhead with deep visibility into an organisation's mobility and identity infrastructure. Ivanti's edge products have been a recurring target, and this episode follows the now-familiar pattern in which a patched but trivially exploitable bug is weaponised within hours of a public proof-of-concept, leaving defenders a patching window measured in days rather than weeks.

Timeline

  1. 10 June 2026: Ivanti publishes advisories for CVE-2026-10520 (CVSS 10.0) and CVE-2026-10523 (CVSS 9.9) and releases fixed Sentry builds; it states it is not aware of active exploitation at disclosure.

  2. 11 June 2026: CISA adds CVE-2026-10520 to its Known Exploited Vulnerabilities catalog and orders federal agencies to patch by 14 June; Shadowserver reports backdoored gateways after public exploit code appears.

  3. 14 June 2026: Deadline for U.S. federal civilian agencies to patch or mitigate under Binding Operational Directive 26-04.

Sources

  1. bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/new-max-severity-ivanti-sentry-flaw-allows-code-execution-as-root/
  2. helpnetsecurity.com: https://www.helpnetsecurity.com/2026/06/10/ivanti-sentry-cve-2026-10520-cve-2026-10523/
  3. rapid7.com: https://www.rapid7.com/blog/post/etr-cve-2026-10520-cve-2026-10523-multiple-critical-vulnerabilities-affecting-ivanti-sentry/
  4. csoonline.com: https://www.csoonline.com/article/4183735/ivanti-patches-critical-sentry-flaws-that-lead-to-full-device-takeover.html
  5. securityaffairs.com: https://securityaffairs.com/193557/security/u-s-cisa-adds-ivanti-sentry-flaw-to-its-known-exploited-vulnerabilities-catalog-and-urges-patching-by-june-14.html
  6. bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/cisa-gives-feds-3-days-to-patch-ivanti-flaw-exploited-in-attacks/