Vulnerabilities | Jun 11, 2026

Max severity Ivanti Sentry vulnerability now exploited in attacks

Ivanti Sentry vulnerability CVE-2026-10520 is actively exploited in attacks.

Summary

Attackers are actively exploiting a maximum-severity vulnerability (CVE-2026-10520) in Ivanti Sentry, a security gateway appliance. The flaw allows for OS command injection, enabling attackers to execute code with root privileges on internet-exposed gateways. Despite Ivanti patching the vulnerability, Shadowserver reported that many exposed instances were already backdoored shortly after the patch release.

Full text

By Sergiu Gatlan, June 11, 2026, 02:20 AM

Attackers are now targeting a recently patched maximum-severity flaw in Ivanti Sentry, enabling them to execute code with root privileges on Internet-exposed secure mobile gateways.

Formerly known as MobileIron Sentry, the Ivanti Sentry security gateway appliance secures traffic between back-end corporate systems and remote mobile devices.

Tracked as CVE-2026-10520, the maximum-severity vulnerability stems from an OS command injection weakness and was patched by Ivanti on Tuesday with the release of Sentry versions R10.5.2, R10.6.2, and R10.7.1.

While the company said at the time that it had no evidence of in-the-wild exploitation, the Shadowserver nonprofit security organization reported the next day that attackers had already backdoored most of the Sentry gateways exposed online.

The Internet security watchdog also added that, while its scans detect only a very limited number of exposed Sentry instances, there are likely more due to its search engine being blocklisted.

"We are observing a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today. We see 19 vulnerable instances in our own scans, with at least 2 backdoored (thanks to Saudi NCA for the tip!). However, all remaining likely compromised too," Shadowserver warned.

"While our detection is on the lowish side due to multiple Ivanti Sentry instances not reachable in our scans (blocklisted?), if you have not patched now you are most likely compromised."

[Figure: Ivanti Sentry admin portals exposed online (Shadowserver)]

Ivanti has yet to update the security advisory issued on Tuesday, which still states that "We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure."

An Ivanti spokesperson was not immediately available for comment when BleepingComputer reached out today for further details on these ongoing attacks.

Hackers often target Ivanti security flaws because they provide an entry point into targets' enterprise networks, enabling the theft of sensitive customer and corporate data.

For instance, multiple Ivanti zero-days have been exploited in recent years to breach a wide range of targets (such as government agencies worldwide), including two critical Endpoint Manager Mobile (EPMM) vulnerabilities that Ivanti addressed in January after they were exploited as zero-days against a "very limited number of customers."

More recently, the Cybersecurity and Infrastructure Security Agency (CISA) ordered U.S. federal agencies last month to patch Ivanti systems on their networks after the company warned customers about a high-severity remote code execution EPMM flaw that was abused in zero-day attacks.

Over the past several years, CISA has flagged 34 vulnerabilities across various Ivanti products as actively exploited in the wild, with 12 of them also targeted in ransomware attacks.

Ivanti has a network of over 7,000 partners and over 3,000 employees, and its IT asset management solutions are used by over 40,000 customers worldwide.

Indicators of Compromise

  • cve — CVE-2026-10520

Entities

  • Ivanti Sentry (product)
  • Ivanti (vendor)
  • secure mobile gateways (technology)