Ivanti Sentry CVE-2026-10520 Exploited After PoC Release
Ivanti Sentry is facing active exploitation attempts following the public release of proof-of-concept (PoC) code targeting a critical OS command injection vulnerability tracked as CVE-2026-10520.
The flaw, along with a second critical issue (CVE-2026-10523), was disclosed by Ivanti on June 9, 2026; both vulnerabilities affect multiple versions of the Sentry mobile device management gateway.
Although Ivanti stated in its initial advisory that there was no evidence of active exploitation at the time of disclosure, threat intelligence from Shadowserver indicates that attackers quickly weaponized the PoC, triggering widespread scanning and compromise attempts across exposed systems within hours.
Ivanti Command Injection Flaw
CVE-2026-10520 is a remote, unauthenticated OS command injection vulnerability (CWE-78) carrying a maximum CVSS score of 10.0. The flaw allows attackers to execute arbitrary commands with root-level privileges on affected appliances, requiring no authentication or user interaction to exploit.
The vulnerability impacts Ivanti Sentry versions prior to 10.5.2, 10.6.2, and 10.7.1. Its network-exploitable, zero-interaction nature makes it an exceptionally attractive target for opportunistic threat actors and botnet operators.
Security researchers warn that successful exploitation can lead to full system takeover, persistent backdoor deployment, and lateral movement within enterprise environments.
The second vulnerability, CVE-2026-10523, is an authentication bypass flaw (CWE-288) with a CVSS score of 9.9. It enables unauthenticated attackers to create arbitrary administrative accounts, effectively granting complete control over the Sentry appliance.
When chained with CVE-2026-10520, attackers can achieve privileged access and execute commands without restriction, significantly amplifying the combined attack surface and overall impact severity. Bryan Lam was credited for responsibly disclosing CVE-2026-10523.
Shortly after PoC code became publicly available, Shadowserver reported a surge in exploitation attempts observed in the wild. Their telemetry identified at least 19 vulnerable Ivanti Sentry instances during internet-wide scans, with two confirmed as already backdoored at the time of reporting.
Researchers cautioned that the remaining exposed systems are highly likely to have been compromised as well, underscoring the rapid exploitation lifecycle commonly seen with critical edge-device vulnerabilities.
The incident mirrors previous attack patterns targeting Ivanti products, where threat actors, including nation-state groups, moved from public disclosure to active compromise within 24 to 48 hours.
Ivanti has released patched versions addressing both vulnerabilities (Sentry 10.5.2, 10.6.2, and 10.7.1), available through the official Ivanti download portal. Organizations are strongly urged to upgrade immediately.
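As an added example (not code from the article or from Ivanti), the following Python helper classifies Sentry version strings against the fixed releases the article names, so an inventory can be triaged before the compromise assessment below. The sample inventory is constructed, and the handling of branches with no listed fix (reported for manual review rather than silently marked patched) is an assumption.

```python
# Added example: version triage against the fixed releases named in the article.
from typing import Dict, Tuple

# Fixed releases stated in the article, keyed by release branch (major, minor).
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (10, 5): (10, 5, 2),
    (10, 6): (10, 6, 2),
    (10, 7): (10, 7, 1),
}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: Dict[str, str] = {
    "sentry-01.example.internal": "10.6.1",
    "sentry-02.example.internal": "10.7.1-build42",
    "sentry-03.example.internal": "10.4.3",
    "sentry-04.example.internal": "10.5",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.6.1' into (10, 6, 1); a trailing '-build' tag is ignored."""
    core = text.strip().split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    # Pad to three components so '10.5' compares as (10, 5, 0), i.e. below 10.5.2.
    return parts if len(parts) >= 3 else parts + (0,) * (3 - len(parts))


def triage(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'no-fix-listed' for one version string.

    Assumption: a branch with no fixed release in the article (10.4 and older,
    or anything newer than 10.7) is flagged 'no-fix-listed' for manual review.
    """
    v = parse_version(version)
    fixed = FIXED_RELEASES.get((v[0], v[1]))
    if fixed is None:
        return "no-fix-listed"
    # Tuple comparison: (10, 6, 1) < (10, 6, 2) but (10, 7, 1, 42) >= (10, 7, 1).
    return "patched" if v >= fixed else "vulnerable"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in an inventory to its triage verdict."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```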
However, given the speed of exploitation, patching alone may be insufficient for systems that were already exposed on the internet. Security teams should conduct thorough compromise assessments, including:
- Reviewing system and authentication logs for anomalous activity
- Identifying unauthorized administrative accounts
- Checking for persistence mechanisms such as web shells or modified configurations
- Restricting external access to Sentry instances where possible
- Monitoring network traffic for lateral movement indicators
Ivanti Sentry, commonly deployed as a gateway for mobile and email traffic, remains a high-value target due to its privileged position within enterprise infrastructure.
This incident reinforces the urgent need for proactive vulnerability management and rapid patch cycles, particularly for edge devices that are routinely targeted within hours of public disclosure.