Critical Ivanti Sentry Vulnerabilities Allow Remote Code Execution and Admin Access

Severity: High (Score: 72.0)

Sources: Aiweekly.Co, Bleepingcomputer, www.cve.org, Digital.Nhs.Uk, labs.watchtowr.com

Published: 2026-06-10 · Updated: 2026-06-10

Keywords: ivanti, sentry, flaw, code, root, enables, remote

Severity indicators: flaw, ot

Summary

Ivanti has disclosed two critical vulnerabilities in its Sentry secure mobile gateway, tracked as CVE-2026-10520 and CVE-2026-10523. The first flaw allows remote attackers to execute code with root privileges via OS command injection, while the second enables unauthenticated users to create rogue admin accounts. Both vulnerabilities affect Sentry versions prior to R10.5.2, R10.6.2, and R10.7.1. Ivanti has released patches and stated there is currently no evidence of exploitation in the wild. However, the potential for exploitation is high, as security researchers have already developed proof-of-concept exploits. The vulnerabilities are particularly concerning given Ivanti's history of being targeted in cyberattacks. Organizations using Ivanti Sentry are urged to apply the patches immediately to mitigate risks.

Key Points:

  • Two critical vulnerabilities in Ivanti Sentry allow remote code execution and admin access.
  • Patches are available in versions R10.5.2, R10.6.2, and R10.7.1.
  • No active exploitation has been confirmed, but proof-of-concept exploits exist.

Detailed Analysis

**Impact**

Ivanti Sentry users, including over 40,000 clients worldwide across multiple sectors, are affected by two critical vulnerabilities enabling remote code execution with root privileges and unauthorized administrative access. The flaws threaten enterprise networks by allowing attackers to gain full control, risking sensitive corporate and customer data exposure. The NHS England National CSOC assesses exploitation as highly likely, though no active exploitation has been confirmed at disclosure. The vulnerabilities impact multiple Ivanti Sentry versions prior to R10.5.2, R10.6.2, and R10.7.1.

**Technical Details**

The primary vulnerability (CVE-2026-10520) is an unauthenticated OS command injection via an exposed API running under Apache Tomcat, allowing remote attackers to execute arbitrary commands as root. The second (CVE-2026-10523) is an authentication bypass enabling attackers to create rogue admin accounts remotely. Both affect Ivanti Sentry versions before the patched releases. Exploitation occurs at the initial access and privilege escalation stages of the kill chain. Proof-of-concept code for CVE-2026-10520 has been published, increasing risk of exploitation.

**Recommended Response**

Apply Ivanti Sentry updates immediately by upgrading to versions R10.5.2, R10.6.2, or R10.7.1 to remediate both vulnerabilities. Harden Apache Tomcat configurations to restrict unauthenticated access to APIs. Deploy detection rules from sources such as Rulezet and monitor for indicators of compromise related to command injection and unauthorized admin account creation. Maintain heightened vigilance for exploitation attempts given the availability of proof-of-concept exploits.
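To prioritise the upgrade across a fleet, the patched releases named above can be turned into a branch-aware version check. This is an added example, not Ivanti tooling or code from any of the source articles; it assumes versions are reported as strings like `R10.6.1`, the inventory is a hostname-to-version mapping you supply, and any branch newer than those the advisory names is flagged for manual review rather than assumed safe.

```python
import re

# Fixed release per branch, taken from the advisory text above.
FIXED = {(10, 5): 2, (10, 6): 2, (10, 7): 1}
_VERSION_RE = re.compile(r"^\s*R?(\d+)\.(\d+)(?:\.(\d+))?\b", re.IGNORECASE)

def parse_version(text):
    """Return (major, minor, patch) from strings such as 'R10.6.1' or '10.7'."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Sentry version: {text!r}")
    major, minor, patch = m.groups()
    # A missing patch component is treated as 0 (the conservative reading).
    return int(major), int(minor), int(patch or 0)

def triage(version_text):
    """Classify one reported version as 'vulnerable', 'patched' or 'review'."""
    try:
        major, minor, patch = parse_version(version_text)
    except ValueError:
        return "review"  # unparseable inventory entry: check by hand
    branch = (major, minor)
    if branch in FIXED:
        return "patched" if patch >= FIXED[branch] else "vulnerable"
    if branch < min(FIXED):
        # Older branch: every build predates the first fixed release.
        return "vulnerable"
    # Branch newer than any the advisory names: the page does not cover it.
    return "review"

def triage_inventory(inventory):
    """Map hostname -> status for a {hostname: version} inventory."""
    return {host: triage(ver) for host, ver in inventory.items()}

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {
    "sentry-eu-1": "R10.5.1",
    "sentry-eu-2": "R10.5.2",
    "sentry-us-1": "10.6.0",
    "sentry-us-2": "R10.7.1",
    "sentry-lab": "R9.20.0",
    "sentry-new": "R10.8.0",
    "sentry-odd": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE).items()):
        print(f"{host:12} {SAMPLE[host]:10} {status}")
```

Hosts reported as `vulnerable` are the upgrade queue; `review` entries need their version confirmed on the appliance before they are closed out.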

Source articles (8)

  • Ivanti Sentry Pre-Auth RCE Scores Perfect CVSS 10 — Aiweekly.Co · 2026-06-10
    Government advisory adds official exploitation-status assessment: no active exploitation at disclosure, PoC expected soon, medium probability but high damage potential, lists all three patched branche…
  • Ivanti: Max severity Sentry flaw allows code execution as root — Bleepingcomputer · 2026-06-10
    Security software company Ivanti has released patches to address two critical vulnerabilities in its Sentry secure mobile gateway solution, including a maximum-severity flaw that enables remote attack…
  • CC-4795 — Digital.Nhs.Uk · 2026-06-10
    If exploited, two critical vulnerabilities could allow for unauthenticated OS command injection or authentication bypass…
  • Ncsc 2026 0180 — vulnerability.circl.lu · 2026-06-10
    An OS Command Injection vulnerability in Ivanti Sentry versions prior to R10.5.2, R10.6.2, and R10.7.1 enables remote unauthenticated attackers to execute code with root privileges. Detection rules ar…
  • Ivanti tells Sentry customers to patch now as critical bugs hit 10.0 and 9.9 — Theregister · 2026-06-10
    It's patch time for Ivanti customers again after the security shop disclosed another two critical vulnerabilities in one of its products. Both bugs affect Ivanti Sentry, a mobile gateway that forms pa…
  • Status Published CVE-2026-10520 An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution — www.cve.org · 2026-06-10
  • Status Published CVE-2026-10523 An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access — www.cve.org · 2026-06-10
  • More Evidence That Words Don't Mean What We Thought They Meant Ivanti Sentry Pre Auth OS Command Injection CVE-2026-10520 — labs.watchtowr.com · 2026-06-10

Timeline

  • 2026-06-09 — CVE-2026-10520 and CVE-2026-10523 published: Ivanti disclosed two critical vulnerabilities affecting its Sentry product, allowing remote code execution and admin account creation.
  • 2026-06-10 — Patches released for Ivanti Sentry: Ivanti released updates to address the critical vulnerabilities, urging customers to upgrade immediately.
  • 2026-06-10 — Proof-of-concept exploit released: Security researchers published a proof-of-concept for CVE-2026-10520, indicating high likelihood of exploitation.

CVEs

  • CVE-2026-10520
  • CVE-2026-10523

Related entities

  • Zero-day Exploit (Attack Type)
  • Ivanti (Company)
  • SolarWinds (Company)
  • CWE-269 - Improper Privilege Management (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • CWE-78 - OS Command Injection (Cwe)
  • Government (Industry)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • T1136.001 - Local Account (Mitre Attack)
  • T1136 - Create Account (Mitre Attack)
  • Apache Tomcat (Platform)
  • Ivanti Sentry (Platform)
  • MobileIron Sentry (Platform)