Critical vulnerability report: Ivanti Sentry remote compromise vulnerabilities

Two critical vulnerabilities, CVE-2026-10520 and CVE-2026-10523, have been identified in Ivanti Sentry that could allow unauthenticated remote attackers to gain complete control of affected systems.

CVE-2026-10520 is an OS Command Injection vulnerability that allows a remote unauthenticated attacker to execute arbitrary operating system commands with root-level privileges.

CVE-2026-10523 is an Authentication Bypass vulnerability that allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access to the appliance.

When combined, these vulnerabilities provide a direct path to complete compromise of the Ivanti Sentry appliance. An attacker could establish persistence, modify security configurations, access managed mobile devices, steal credentials, deploy malware, or pivot further into the enterprise environment.

Ivanti Sentry is commonly deployed as a mobile device management (MDM) gateway and often maintains trusted access to internal systems, making successful exploitation particularly dangerous.

While there are currently no reports of active exploitation and neither vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog, organizations should expect increased scanning and exploitation attempts due to the critical severity and public disclosure of these vulnerabilities.

Key characteristics

CVE-2026-10520

  • Attack Vector: Remote / Over-the-network
  • User Interaction: None (unauthenticated)
  • Impact: Root-level remote code execution; complete system compromise
  • Exploit Method: OS Command Injection
  • Affected Product: Ivanti Sentry

CVE-2026-10523

  • Attack Vector: Remote / Over-the-network
  • User Interaction: None (unauthenticated)
  • Impact: Administrative account creation and full administrative access
  • Exploit Method: Authentication Bypass (CWE-288)
  • Affected Product: Ivanti Sentry

Overall OneWatch Score: 8.3 / 10 (CRITICAL)

Category            Score (out of 10)   Assessment
Widespread Impact   6.5                 Potential compromise of Ivanti Sentry infrastructure, managed devices, and connected enterprise resources.
Accessibility       9.5                 Remote exploitation requires no authentication and no user interaction.
Triggerability      8                   Exploitation is highly repeatable and reliable once the attack path is understood.
Consequence         9.5                 Can result in full administrative access, root-level code execution, persistence, and lateral movement.
Hidden Exposure     8                   Attackers can create legitimate administrative accounts and maintain access with limited visibility.

Supporting metrics

Metric                CVE-2026-10520                     CVE-2026-10523
CVSS v3.1             10.0 (Critical)                    9.9 (Critical)
EPSS                  0.22%                              0.31%
EPSS Percentile       44.37%                             54.38%
CISA KEV              No                                 No
Exploitation Status   No active exploitation reported    No active exploitation reported

Vendor statement

Ivanti has released security updates addressing both vulnerabilities and strongly recommends immediate remediation.

Affected versions include:

  • Ivanti Sentry R10.5.x prior to R10.5.2
  • Ivanti Sentry R10.6.x prior to R10.6.2
  • Ivanti Sentry R10.7.x prior to R10.7.1

Customers should upgrade to the fixed versions as soon as possible and review appliance access controls.
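To turn the affected-version ranges above into a repeatable inventory check, the following script classifies each appliance version against the fixed releases the advisory names. It is an added example, not Ivanti's tooling and not part of the original report; it assumes version strings follow the R<major>.<minor>.<patch> form used above, and the hostnames and versions in the sample inventory are constructed.

```python
"""Inventory triage against the affected-version ranges in the advisory above.

Added example, not Ivanti's tooling and not part of the original report. It
assumes version strings use the R<major>.<minor>.<patch> form the advisory
uses (an optional leading 'R' is tolerated); the inventory at the bottom is
constructed sample data.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release on each affected branch, exactly as named in the advisory.
FIXED_BY_BRANCH = {
    (10, 5): (10, 5, 2),
    (10, 6): (10, 6, 2),
    (10, 7): (10, 7, 1),
}
NEWEST_FIXED: Version = max(FIXED_BY_BRANCH.values())   # R10.7.1

_VERSION_RE = re.compile(r"^R?(\d+)\.(\d+)\.(\d+)$")


class Triage(NamedTuple):
    host: str
    version: str
    status: str   # affected | fixed | not_listed | unparseable


def parse_version(text: str) -> Optional[Version]:
    """'R10.6.1' -> (10, 6, 1); None when the string does not fit the pattern."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def classify(version_text: str) -> str:
    """Map one version string onto the advisory's affected/fixed ranges."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    fixed = FIXED_BY_BRANCH.get((v[0], v[1]))
    if fixed is not None:
        # Branch is listed: anything before the branch's fixed release is affected.
        return "affected" if v < fixed else "fixed"
    if v > NEWEST_FIXED:
        # The advisory says R10.7.1 "or later" is fixed, so later branches count as fixed.
        return "fixed"
    # Older branch the advisory does not mention: flag for manual review rather
    # than silently treating it as safe.
    return "not_listed"


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[Triage]:
    """Classify every (host, version) pair; affected hosts sort first."""
    rows = [Triage(host, ver, classify(ver)) for host, ver in inventory]
    order = {"affected": 0, "unparseable": 1, "not_listed": 2, "fixed": 3}
    return sorted(rows, key=lambda r: (order[r.status], r.host))


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("sentry-dc1", "R10.7.0"),
    ("sentry-dc2", "R10.7.1"),
    ("sentry-lab", "R10.6.1"),
    ("sentry-old", "R10.4.3"),
    ("sentry-new", "R10.8.0"),
    ("sentry-bad", "unknown"),
]


def affected_hosts(inventory=SAMPLE_INVENTORY) -> List[str]:
    """Hosts that still need the upgrade."""
    return [r.host for r in triage_inventory(inventory) if r.status == "affected"]


if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print(f"{row.host:<12} {row.version:<10} {row.status}")
```

Versions on a branch the advisory does not list (for example R10.4.x) are reported as "not_listed" rather than "fixed", since the advisory makes no statement about them; those hosts should be confirmed against the vendor advisory by hand.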

Read the full advisory on Ivanti’s site here.

Recommendations from the One Source SOC

  • Immediate Patching: Upgrade Ivanti Sentry systems to R10.5.2, R10.6.2, R10.7.1, or later immediately.
  • Restrict External Exposure: Ensure Sentry management interfaces are not directly accessible from the public Internet.
  • Review Administrative Accounts: Investigate recently created administrator accounts for unauthorized activity.
  • Credential Rotation: Rotate administrative credentials following patching and validation activities.
  • Enable Enhanced Monitoring: Review authentication logs, administrative actions, and system activity for signs of compromise.
  • Network Segmentation: Isolate management infrastructure from user and production network segments where possible.
  • Threat Hunting: Search for indicators of command execution, unauthorized account creation, suspicious configuration changes, and anomalous administrator activity.
  • Access Control Hardening: Enforce multi-factor authentication and least-privilege administrative access policies.
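The "Review Administrative Accounts" and "Threat Hunting" items above amount to comparing recently created administrator accounts against an approved baseline and against where legitimate administrative changes should come from. The script below is an added example of that review, not Ivanti's tooling and not part of the original report: the AdminAccount record layout, the management subnet, and the sample records are all constructed, and the audit data of a real appliance would need to be mapped onto these fields first.

```python
"""Review of recently created administrator accounts.

Added example, not Ivanti's tooling and not part of the original report. The
AdminAccount layout, the management subnet and the sample records are all
constructed for illustration; map your appliance's admin-account export or
audit log onto these fields before running it against real data.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class AdminAccount:
    username: str
    created_at: datetime   # timezone-aware UTC
    created_by: str        # authenticated account that created it; "" if none recorded
    source_ip: str         # client address recorded at creation time


# Assumed management subnet from which legitimate admin changes originate.
MGMT_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]


def review_admin_accounts(
    accounts: Iterable[AdminAccount],
    approved: Iterable[str],
    now: datetime,
    lookback: timedelta = timedelta(days=30),
    mgmt_networks=MGMT_NETWORKS,
) -> Dict[str, List[str]]:
    """Return {username: [reasons]} for accounts created inside the lookback
    window that deviate from the approved baseline or expected provenance."""
    approved = set(approved)
    cutoff = now - lookback
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if acct.created_at < cutoff:
            continue  # outside the review window
        reasons = []
        if acct.username not in approved:
            reasons.append("not in the approved administrator baseline")
        if not acct.created_by:
            # No authenticated creator on record is consistent with creation
            # outside a normal admin session and deserves a closer look.
            reasons.append("no authenticated creator recorded")
        ip = ipaddress.ip_address(acct.source_ip)
        if not any(ip in net for net in mgmt_networks):
            reasons.append(f"created from {acct.source_ip}, outside management networks")
        if reasons:
            findings[acct.username] = reasons
    return findings


# Constructed sample data; the fixed 'now' keeps the run deterministic.
NOW = datetime(2026, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    AdminAccount("admin", NOW - timedelta(days=400), "setup", "10.20.0.1"),
    AdminAccount("helpdesk-ops", NOW - timedelta(days=2), "admin", "10.20.0.15"),
    AdminAccount("svc-backup", NOW - timedelta(days=1), "", "203.0.113.44"),
]
APPROVED_ADMINS = {"admin", "helpdesk-ops"}


def review_sample() -> Dict[str, List[str]]:
    """Run the review over the constructed sample records."""
    return review_admin_accounts(SAMPLE_ACCOUNTS, APPROVED_ADMINS, NOW)


if __name__ == "__main__":
    for user, reasons in review_sample().items():
        print(f"{user}:")
        for r in reasons:
            print(f"  - {r}")
```

Each finding carries every reason that fired, so an account that is unapproved, has no recorded creator, and was created from outside the management network is surfaced with all three, which is the combination that should be escalated first.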

Need assistance?

For help assessing the impact of this vulnerability or implementing mitigation strategies, please contact the One Source SOC here.
