Ivanti Sentry Vulnerabilities Allow Remote Code Execution and Admin Access

Severity: High (Score: 74.0)

Sources: Theregister, Csoonline, Feeds.4Sysops, Scworld, vuldb.com

Published: 2026-06-10 · Updated: 2026-06-10

Keywords: ivanti, sentry, flaw, code, root, enables, remote

Summary

Ivanti has patched two critical vulnerabilities in its Sentry secure mobile gateway, formerly MobileIron Sentry. The first, CVE-2026-10520, is an OS command injection flaw allowing remote code execution with root privileges, rated 10.0 on the CVSS scale. The second, CVE-2026-10523, is an authentication bypass vulnerability enabling unauthenticated attackers to create rogue administrative accounts, rated 9.9. Both vulnerabilities were disclosed on June 9, 2026, and patches were released on June 10, 2026, with no evidence of active exploitation reported at that time. However, researchers have already published proof-of-concept exploits, increasing the urgency for organizations to apply the patches. The vulnerabilities affect Ivanti Sentry versions prior to R10.5.2, R10.6.2, and R10.7.1. Given the critical nature of these flaws, immediate action is recommended to mitigate potential risks.

Key Points:

  • CVE-2026-10520 allows remote code execution with root privileges, rated CVSS 10.0.
  • CVE-2026-10523 enables unauthenticated attackers to create rogue admin accounts, rated CVSS 9.9.
  • Patches are available for affected Ivanti Sentry versions; immediate upgrading is advised.

Detailed Analysis

**Impact** Ivanti Sentry, a secure mobile gateway used by enterprises worldwide to protect mobile device traffic and backend systems, is affected by two critical vulnerabilities. Over 40,000 clients and thousands of partners relying on this product face risks of full system compromise, including unauthorized administrative access and root-level code execution. Successful exploitation could lead to data exfiltration, lateral movement, persistent access, and disruption of enterprise mobile and backend infrastructure security controls.

**Technical Details** The vulnerabilities include CVE-2026-10520, an unauthenticated OS command injection flaw with a CVSS score of 10.0, allowing remote code execution as root via a vulnerable Apache Tomcat API endpoint. CVE-2026-10523 is an authentication bypass (CVSS 9.9) enabling attackers to create rogue administrative accounts remotely. Exploitation requires sending specially crafted messages to the exposed API, affecting Ivanti Sentry versions prior to R10.5.2, R10.6.2, and R10.7.1. Proof-of-concept code for CVE-2026-10520 is publicly available, increasing the likelihood of exploitation. No confirmed active exploitation or public IOCs have been reported at disclosure.

**Recommended Response** Administrators must urgently upgrade Ivanti Sentry to versions R10.5.2, R10.6.2, or R10.7.1 to remediate both vulnerabilities. Organizations should enhance monitoring for suspicious activity related to unauthorized account creation and unusual command execution on Sentry appliances. Blocking access to the vulnerable API endpoint and applying updated Apache Tomcat configurations are advised. In the absence of confirmed exploitation indicators, focus on proactive patching and incident response readiness.
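To turn the fixed-version list above into a patch queue, the following added example (not Ivanti's tooling and not from any of the source articles) triages an appliance inventory per release branch. The version string format, the treatment of branches outside 10.5 to 10.7, and the inventory itself are assumptions made for illustration.

```python
import re

# Fixed release per branch, from the advisory text: R10.5.2, R10.6.2, R10.7.1.
FIXED = {(10, 5): 2, (10, 6): 2, (10, 7): 1}

# Assumed format: optional "R", then major.minor.patch; any build suffix is ignored.
_VERSION = re.compile(r"^R?(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def triage(version):
    """Classify a Sentry version string as 'patched', 'vulnerable' or 'unknown'."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unknown"  # an unparsed version is never reported as safe
    major, minor, patch = (int(g) for g in m.groups())
    branch = (major, minor)
    if branch in FIXED:
        return "patched" if patch >= FIXED[branch] else "vulnerable"
    # Assumption: branches older than 10.5 are "prior to" every fixed release
    # and have no in-branch fix, so they count as vulnerable.
    if branch < min(FIXED):
        return "vulnerable"
    # Branches newer than those the advisory lists need manual confirmation.
    return "unknown"


def needs_attention(inventory):
    """Return (host, version, status) for every host that is not confirmed patched."""
    flagged = []
    for host, version in inventory.items():
        status = triage(version)
        if status != "patched":
            flagged.append((host, version, status))
    return sorted(flagged)


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "sentry-a": "R10.5.1",
    "sentry-b": "R10.6.2",
    "sentry-c": "10.7.0",
    "sentry-d": "R10.4.3",
    "sentry-e": "",
}

if __name__ == "__main__":
    for host, version, status in needs_attention(SAMPLE_INVENTORY):
        print(f"{host}\t{version or '(none)'}\t{status}")
```

Hosts reported as unknown should be checked by hand rather than assumed patched.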

Source articles (15)

  • Ivanti Sentry Pre-Auth RCE Scores Perfect CVSS 10 — Aiweekly.Co · 2026-06-10
    Government advisory adds official exploitation-status assessment: no active exploitation at disclosure, PoC expected soon, medium probability but high damage potential, lists all three patched branche…
  • Ivanti: Max severity Sentry flaw allows code execution as root — Bleepingcomputer · 2026-06-10
    Security software company Ivanti has released patches to address two critical vulnerabilities in its Sentry secure mobile gateway solution, including a maximum-severity flaw that enables remote attack…
  • CC-4795 — Digital.Nhs.Uk · 2026-06-10
    If exploited, two critical vulnerabilities could allow for unauthenticated OS command injection or authentication bypass.
  • Ncsc 2026 0180 — vulnerability.circl.lu · 2026-06-10
    An OS Command Injection vulnerability in Ivanti Sentry versions prior to R10.5.2, R10.6.2, and R10.7.1 enables remote unauthenticated attackers to execute code with root privileges. Detection rules ar…
  • Ivanti tells Sentry customers to patch now as critical bugs hit 10.0 and 9.9 — Theregister · 2026-06-10
    It's patch time for Ivanti customers again after the security shop disclosed another two critical vulnerabilities in one of its products. Both bugs affect Ivanti Sentry, a mobile gateway that forms pa…
  • Critical Ivanti Sentry flaw allows root-level remote code execution (CVE-2026-10520) — Feeds2.Feedburner · 2026-06-10
    Ivanti has patched two critical vulnerabilities (CVE-2026-10520 and CVE-2026-10523) in Ivanti Sentry and has urged customers to implement the fix right away. Though the vulnerabilities are not known t…
  • Ivanti releases urgent patches for critical Sentry and EPMM vulnerabilities — Feeds.4Sysops · 2026-06-10
    Ivanti has issued emergency updates for its Sentry mobile gateway and Endpoint Manager Mobile (EPMM) platforms to address several critical security flaws. The most severe issue, CVE-2026-10520, is an…
  • Ivanti: Max severity Sentry flaw allows code execution as root — Radar.Offseq · 2026-06-10
    Ivanti patched two critical vulnerabilities in its Sentry secure mobile gateway solution, including a maximum-severity OS command injection flaw that allows remote code execution with root privileges.…
  • Ivanti releases patches for critical Sentry vulnerabilities | brief — Scworld · 2026-06-10
    Based on information from Bleeping Computer, Ivanti has released patches for two critical vulnerabilities in its Sentry secure mobile gateway solution. One of the flaws is a maximum-severity vulnerabi…
  • CRITICAL ROOT — Ccb.Belgium.Be · 2026-06-10
    Ivanti Sentry, formerly known as MobileIron Sentry, is an inline gateway that manages, encrypts, and secures traffic between mobile devices and back-end enterprise systems. It typically sits between c…
  • Ivanti patches critical Sentry flaws that lead to full device takeover — Csoonline · 2026-06-10
    IT software provider Ivanti fixed two vulnerabilities in Ivanti Sentry, a secure mobile gateway appliance formerly called MobileIron Sentry. The flaws could allow unauthenticated remote attackers to g…
  • CVE-2026-10520 (Status: Published): An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution — www.cve.org · 2026-06-10
  • CVE-2026-10523 (Status: Published): An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access — www.cve.org · 2026-06-10
  • More Evidence That Words Don't Mean What We Thought They Meant: Ivanti Sentry Pre-Auth OS Command Injection (CVE-2026-10520) — labs.watchtowr.com · 2026-06-10
  • CVE-2026-10523 — vuldb.com · 2026-06-10

Timeline

  • 2026-06-09 — CVE-2026-10520 and CVE-2026-10523 published: Ivanti disclosed two critical vulnerabilities in Sentry, allowing remote code execution and authentication bypass.
  • 2026-06-10 — Patches released for vulnerabilities: Ivanti released updates for Sentry versions R10.5.2, R10.6.2, and R10.7.1 to address the vulnerabilities.
  • 2026-06-10 — Proof-of-concept exploit released: Security researchers published a proof-of-concept for CVE-2026-10520, increasing the urgency for patching.

CVEs

  • CVE-2026-10520
  • CVE-2026-10523

Related entities

  • Authentication Bypass (Attack Type)
  • Zero-day Exploit (Attack Type)
  • OS Command Injection (Vulnerability)
  • Ivanti (Company)
  • SolarWinds (Company)
  • CWE-269 - Improper Privilege Management (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • CWE-78 - OS Command Injection (Cwe)
  • CWE-94 - Code Injection (Cwe)
  • Government (Industry)
  • T1021 - Remote Services (Mitre Attack)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • T1068 - Exploitation for Privilege Escalation (Mitre Attack)
  • T1078 - Valid Accounts (Mitre Attack)
  • T1136.001 - Local Account (Mitre Attack)
  • T1136 - Create Account (Mitre Attack)
  • Apache Tomcat (Platform)
  • Ivanti Sentry (Platform)
  • Microsoft Exchange (Platform)
  • MobileIron Sentry (Platform)
  • Sentry (Tool)