INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Ivanti Sentry Flaw Exploited Vulnerability Patching Required
2026-06-12 18:47 | CRITICAL HIGH
Executive Summary AI-generated
The Ivanti Sentry flaw, tracked as CVE-2026-10520, has been added to the US Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities catalog. This critical vulnerability allows remote code execution with root privileges, posing a significant threat to organizations' internal systems and mobile devices. Researchers have identified active attacks on internet-exposed Sentry gateways, highlighting the need for prompt patching by June 14. Despite Ivanti's initial report of no evidence of active attacks, researchers continue to find backdoored gateways shortly after security updates were released. The vulnerability sits in a sensitive position within enterprise environments, making it an attractive target for threat actors.
Technical Mitigations AI-generated
* Implement a secure patching schedule for Ivanti Sentry, with a deadline of June 14, 2026.
* Configure mTLS (mutual transport layer security) on EPMM-managed Sentry appliances to protect vulnerable APIs from remote code execution.
* Ensure that MDM-managed Sentry appliances are not exposed to the internet and use secure management interfaces instead.
* Monitor Ivanti Sentry instances for signs of exploitation and take action immediately if a threat is detected, such as blocking access to the management port 8443.
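For the patching and exposure items above, the following added example (not from this page's sources or from Ivanti) triages an appliance inventory against the fixed releases quoted in the advisory: R10.5.2, R10.6.2 and R10.7.1. The version string format, the CSV columns and the hostnames are constructed assumptions; branches newer than those listed on the page are flagged for manual review rather than guessed at.

```python
import csv
import io
import re
from typing import List, NamedTuple, Optional, Tuple

# Fixed patch level per release branch, taken from the advisory text quoted on this page.
FIXED_PATCH = {(10, 5): 2, (10, 6): 2, (10, 7): 1}

# Assumption: versions are recorded like "R10.6.1" (leading "R" optional, build suffix allowed).
VERSION_RE = re.compile(r"^\s*R?(\d+)\.(\d+)\.(\d+)(?:[.\-\s].*)?$", re.IGNORECASE)

# Lower number = handle first.
PRIORITY = {"investigate": 0, "vulnerable": 1, "review": 2, "patched": 3}

# Constructed sample inventory; hosts and columns are hypothetical.
SAMPLE_INVENTORY = """host,version,mgmt_8443_internet
sentry-a.example.internal,R10.5.1,yes
sentry-b.example.internal,R10.6.2,no
sentry-c.example.internal,10.7.0-14,no
sentry-d.example.internal,R10.4.3,yes
sentry-e.example.internal,R10.8.0,no
sentry-f.example.internal,unknown,yes
"""


class Finding(NamedTuple):
    host: str
    version: str
    status: str  # investigate | vulnerable | review | patched
    detail: str


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch), or None if the string is not a recognisable version."""
    match = VERSION_RE.match(text)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return major, minor, patch


def classify(host: str, version: str, mgmt_exposed: bool) -> Finding:
    """Compare one appliance against the fixed release of its own branch."""
    parsed = parse_version(version)
    if parsed is None:
        return Finding(host, version, "review", "version string not recognised")
    major, minor, patch = parsed
    branch = (major, minor)
    if branch in FIXED_PATCH:
        fixed = FIXED_PATCH[branch]
        if patch >= fixed:
            return Finding(host, version, "patched", f"at or above R{major}.{minor}.{fixed}")
        detail = f"upgrade to R{major}.{minor}.{fixed} or later"
    elif branch < min(FIXED_PATCH):
        # Older than every fixed release, so it falls under "before" in the advisory.
        detail = "branch predates every fixed release; move to a fixed branch"
    else:
        return Finding(host, version, "review", "branch not listed on the page; check the advisory")
    if mgmt_exposed:
        # Unpatched and internet-reachable: handle as a possible compromise, not only a patch job.
        return Finding(host, version, "investigate",
                       detail + "; management port 8443 was internet-reachable, check for compromise")
    return Finding(host, version, "vulnerable", detail)


def triage(inventory_csv: str) -> List[Finding]:
    """Classify every row and return findings ordered by urgency, then host name."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        exposed = row["mgmt_8443_internet"].strip().lower() == "yes"
        findings.append(classify(row["host"].strip(), row["version"].strip(), exposed))
    return sorted(findings, key=lambda f: (PRIORITY[f.status], f.host))


if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding.status:<12} {finding.host:<28} {finding.version:<10} {finding.detail}")
```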
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-10520
CVE-2026-10523
CVE-2026-1340
Target & Sectors
SA
media
government
Incident Timeline
2026/05/12
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered the patching of Ivanti systems by June 14 due to a high-severity remote code execution flaw in Remote Code Execution Management Module (EPMM).
More recently, the Cybersecurity and Infrastructure Security Agency (CISA) ordered U.S. federal agencies last month to patch Ivanti systems on their networks after the company warned customers about a high-severity remote code execution EPMM flaw that was abused in zero-day attacks.
2026/06/10
Cybersecurity vendor WatchTowr published a technical analysis of the Ivanti Sentry flaw, which was added to its Known Exploited Vulnerabilities catalog.
Public PoC for CVE-2026-10520 Triggers Exploitation
Cybersecurity vendor WatchTowr yesterday published a technical analysis of the flaw along with a PoC exploit.
"Ivanti Sentry often sits in a sensitive position in enterprise environments, acting as a control point for mobile and device access," SOCRadar's research team wrote in a blog post yesterday.
June 11, 2026
Ivanti discovered a CVE in its Sentry appliance management system using advanced language model (LLM) technology.
Ivanti Neurons for MDM managed Sentry appliances should not have the vulnerable API exposed to the internet as it is the management interface.
Ivanti discovered this CVE with the use of advanced LLM which we have begun integrating into our product security processes.
While this CVE carries a CVSS score of 10, the risk posed to customers is decreased significantly based on deployment and configuration.
Thursday, June 11
Threat actors used Ivanti Sentry flaw to target CISA.
An Ivanti spokesperson told Security Affairs:
Ivanti updated the Security Advisory for Sentry on Thursday, June 11, 2026 to reflect the practical risk of CVE-2026-10520.
2026/06/11
Ivanti Sentry's CVE-2026-10520 vulnerability was exploited in a large-scale attack.
In a post on social media platform Mastodon, the Shadowserver Foundation said it observed "a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today."
"We are observing a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today."
An Ivanti spokesperson was not immediately available for comment when BleepingComputer reached out today for further details on these ongoing attacks.
2026/06/12
Threat actors used Ivanti Sentry to target vulnerable systems via CVE-2026-10520 exploits.
"We are observing a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today," it said.
2026/06/12
Threat actors exploited a maximum-severity vulnerability in Ivanti Sentry, a security gateway appliance that sits between an organization's internal systems and mobile devices.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Ivanti Sentry flaw, tracked as CVE-2026-10520 (CVSS score of 10.0), to its Known Exploited Vulnerabilities (KEV) catalog.
Ivanti Sentry is a secure gateway appliance that sits between an organization’s internal systems and mobile devices, helping companies manage and protect mobile access to corporate resources.
Threat actors have started exploiting the maximum-severity OS command injection flaw in Ivanti Sentry that allows remote code execution with root privileges.
“An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution,” reads the advisory.
Although Ivanti initially reported no evidence of active attacks, researchers at Shadowserver found that many internet-exposed Sentry gateways had already been backdoored shortly after the security updates were released.
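“We are observing a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today. Vuln IP data shared in Vulnerable HTTP reporting tagged ‘cve-2026-10520’”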
Ivanti has not yet updated its advisory to confirm active exploitation of the issue in attacks in the wild.
However, attackers frequently target Ivanti flaws because they can provide direct access into enterprise networks and enable data theft.
Threat actors can specifically target Ivanti Sentry instances mainly because they sit in a very sensitive and powerful position inside enterprise environments.
Ivanti Sentry acts as a gateway between mobile devices and internal corporate systems.
Max-Severity Ivanti Flaw Exploited 24 Hours After Disclosure.
Threat actors pounced on a critical Ivanti Sentry vulnerability within 24 hours of its disclosure, using a public proof-of-concept (PoC) exploit in attacks.
Ivanti disclosed Tuesday CVE-2026-10520, an OS command injection vulnerability that affects the company's Sentry mobile gateway product prior to versions R10.5.2, R10.6.2 and R10.7.1.
Ivanti disclosed the flaw along with another Sentry vulnerability, CVE-2026-10523, an authentication bypass flaw with a 9.9 CVSS score.
In its security advisory, Ivanti initially said it was unaware of either flaw being exploited in the wild.
"Organizations running affected versions of Ivanti Sentry should remediate these issues on an urgent basis before exploitation in-the-wild begins."
"While our detection is on the lowish side due to multiple Ivanti Sentry instances not reachable in our scans (blocklisted?), if you have not patched now you are most likely compromised," Shadowserver said in the post.
Simo Kohonen, Defused founder and CEO, tells Dark Reading that attacks have "pretty much been non-stop active after the release of the Watchtowr PoC."
Perhaps more importantly, Kohonen says the exploitation activity Defused observed was notable in that attackers launched the exploit directly against the company's Ivanti honeypots, with no system fingerprinting or similar activity performed up front.
"It suggests whoever acted first had the Ivanti asset landscape mapped out already up front and was able to act very quickly once the vulnerability/exploit information became public," he says.
Risks to Ivanti Sentry Customers
Ivanti Sentry, formerly MobileIron Sentry, is part of the vendor's Unified Endpoint Management (UEM) platform and serves as an in-line gateway for mobile devices to enterprise systems.
The attacks on CVE-2026-10520 are the latest threat facing Ivanti customers.
Most recently, a critical flaw in the Ivanti Endpoint Manager Mobile (EPMM), CVE-2026-1340, came under widespread exploitation in April.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to patch an actively exploited Ivanti Sentry flaw within three days, as mandated by the newly issued Binding Operational Directive (BOD) 26-04.
Over the past several years, CISA has flagged 35 vulnerabilities across a wide range of Ivanti products that have been abused in attacks, with 12 targeted by ransomware gangs.
Tracked as CVE-2026-10520, this maximum-severity vulnerability was found in Ivanti's security gateway appliance (formerly known as MobileIron Sentry) and stems from an OS command injection weakness.
On Wednesday, one day after Ivanti released patches for CVE-2026-10520 and said that it had no evidence of in-the-wild exploitation, the Shadowserver Internet security watchdog reported that attackers had already backdoored many of the Sentry gateways exposed online.
Ivanti has yet to update its advisory to warn that CVE-2026-10520 is under active exploitation, and an Ivanti spokesperson has not responded when contacted by BleepingComputer for further details on these ongoing attacks.
While Shadowserver now tracks just over 50 Sentry admin portals exposed online, it says the number of Internet-exposed Ivanti Sentry instances it can detect is likely limited by organizations blocking its security scanner, and warns that systems that weren't already patched are likely compromised.
"While our detection is on the lowish side due to multiple Ivanti Sentry instances not reachable in our scans (blocklisted?), if you have not patched now you are most likely compromised."
Internet-exposed Ivanti Sentry admin portals (Shadowserver)
On Thursday, CISA also confirmed that the CVE-2026-10520 vulnerability is now actively exploited in attacks and added it to its Known Exploited Vulnerabilities Catalog (KEV), ordering Federal Civilian Executive Branch (FCEB) agencies to secure their Ivanti Sentry instances within three days, as required by Binding Operational Directive (BOD) 26-04.
For instance, multiple Ivanti zero-days have been exploited in recent years to breach a wide range of targets (such as government agencies worldwide), including two critical Endpoint Manager Mobile (EPMM) vulnerabilities that Ivanti addressed in January after they were exploited as zero-days against a "very limited number of customers."
Over the past several years, CISA has flagged 34 vulnerabilities across various Ivanti products as actively exploited in the wild, with 12 of them also targeted in ransomware attacks.
Max severity Ivanti Sentry vulnerability now exploited in attacks.
Attackers are now targeting a recently patched maximum-severity flaw in Ivanti Sentry, enabling them to execute code with root privileges on Internet-exposed secure mobile gateways.
Formerly known as MobileIron Sentry, the Ivanti Sentry security gateway appliance secures traffic between back-end corporate systems and remote mobile devices.
Tracked as CVE-2026-10520, the maximum-severity vulnerability stems from an OS command injection weakness and was patched by Ivanti on Tuesday with the release of Sentry versions R10.5.2, R10.6.2, and R10.7.1.
Ivanti Sentry admin portals exposed online (Shadowserver)
Ivanti has yet to update the security advisory issued on Tuesday, which still states that "We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure."
Hackers often target Ivanti security flaws because they provide an entry point into targets' enterprise networks, enabling the theft of sensitive customer and corporate data.
Ivanti has a network of over 7,000 partners and over 3,000 employees, and its IT asset management solutions are used by over 40,000 customers worldwide.
Multiple other Ivanti zero-days have been exploited in recent years to breach a wide range of targets, including government agencies worldwide, including two other critical EPMM vulnerabilities addressed by Ivanti in January after being exploited as zero-days in attacks against a "very limited number of customers."
Ivanti: Max severity Sentry flaw allows code execution as root.
Security software company Ivanti has released patches to address two critical vulnerabilities in its Sentry secure mobile gateway solution, including a maximum-severity flaw that enables remote attackers to execute code with root privileges.
Formerly known as MobileIron Sentry, Ivanti Sentry is a security gateway appliance that secures traffic between back-end corporate systems and remote mobile devices.
Ivanti patched both security issues on Tuesday with the release of Sentry versions R10.5.2, R10.6.2, and R10.7.1.
"We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure," Ivanti said.
In recent years, Ivanti vulnerabilities have often been targeted in attacks because they provide an easy way for cybercriminals to breach targets' enterprise networks and steal sensitive corporate and customer data.
For instance, most recently, the Cybersecurity and Infrastructure Security Agency (CISA) ordered U.S. federal agencies in May to patch their Ivanti devices after the company warned customers to immediately patch a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM) that was exploited in zero-day attacks.
Ivanti's IT asset management solutions are used by over 40,000 clients worldwide and are supported by a network of over 7,000 partners and over 3,000 employees.
While the company said at the time that it had no evidence of in-the-wild exploitation, the Shadowserver nonprofit security organization reported the next day that attackers had already backdoored most of the Sentry gateways exposed online.
The vulnerability, which received a maximum severity CVSS score of 10, enables an unauthenticated attacker to remotely execute code with root privileges.
We see 19 vulnerable instances in our own scans, with at least 2 backdoored (thanks to Saudi NCA for the tip!).
"Given the trivial nature of exploitation and the availability of a public PoC, exploitation in-the-wild is likely to begin," Rapid7 researchers wrote.
Cybersecurity vendor Defused also picked up exploitation activity in its scans.
In addition to extracting configurations, credentials, and other secrets from a Sentry appliance, SOCRadar said a threat actor could modify access requirements, weaken security controls, move laterally into an organization's environment, depending on where the appliance is located.
"Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable.
June 14, 2026
The U.S. CISA urges federal agencies to patch the Ivanti Sentry vulnerability by June 14, 2026.
June 14
U.S. CISA adds Ivanti Sentry flaw to its Known Exploited Vulnerabilities catalog and urges patching by June 14.
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti Sentry flaw to its Known Exploited Vulnerabilities catalog.
attribution
Ivanti Sentry
U.S. CISA adds Ivanti Sentry flaw to its Known Exploited Vulnerabilities catalog and urges patching by June 14.
U.S. CISA adds Ivanti Sentry flaw to its Known Exploited Vulnerabilities catalog and urges patching by June 14
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti Sentry flaw to its Known Exploited Vulnerabilities catalog.
attribution
Known Exploited
U.S. CISA adds Ivanti Sentry flaw to its Known Exploited Vulnerabilities catalog and urges patching by June 14.
U.S. CISA adds Ivanti Sentry flaw to its Known Exploited Vulnerabilities catalog and urges patching by June 14
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti Sentry flaw to its Known Exploited Vulnerabilities catalog.
tactic
T1588.006 - Vulnerabilities
U.S. CISA adds Ivanti Sentry flaw to its Known Exploited Vulnerabilities catalog and urges patching by June 14.
U.S. CISA adds Ivanti Sentry flaw to its Known Exploited Vulnerabilities catalog and urges patching by June 14
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti Sentry flaw to its Known Exploited Vulnerabilities catalog.
Tactical Metrics
Metrics
infrastructure
Ivanti
Affected Product
Click for context!
U.S. CISA adds Ivanti Sentry flaw to its Known Exploited Vulnerabilities catalog and urges patching by June 14.
U.S. CISA adds Ivanti Sentry flaw to its Known Exploited Vulnerabilities catalog and urges patching by June 14
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti Sentry flaw to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA)
added
Ivanti Sentry flaw, tracked as
CVE-2026-10520
(CVSS score of 10.0), to its
Known Exploited Vulnerabilities (KEV) catalog
.
Ivanti Sentry is a secure gateway appliance that sits between an organization’s internal systems and mobile devices, helping companies manage and protect mobile access to corporate resources.
Threat actors have
started exploiting
the maximum-severity OS command injection flaw in Ivanti Sentry, that allows remote code execution with root privileges.
“An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution ”
reads the advisory
.
Although Ivanti initially reported no evidence of active attacks, researchers at Shadowserver found that many internet-exposed Sentry gateways had already been backdoored shortly after the security updates were released.
“We are observing a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today.
Vuln IP data shared in Vulnerable HTTP reporting tagged ‘cve-2026-10520′”
Ivanti has not yet updated its advisory to confirm active exploitation of the issue in attacks in the wild.
However, attackers frequently target Ivanti flaws because they can provide direct access into enterprise networks and enable data theft.
Threat actors can specifically target Ivanti Sentry instances mainly because they sit in a very sensitive and powerful position inside enterprise environments.
Ivanti Sentry acts as a gateway between mobile devices and internal corporate systems.
An Ivanti spokesperson told Security Affairs:
Ivanti updated the Security Advisory for Sentry on Thursday, June 11, 2026 to reflect the practical risk of CVE-2026-10520.
Ivanti Neurons for MDM managed Sentry appliances should not have the vulnerable API exposed to the internet as it is the management interface.
Ivanti discovered this CVE with the use of advanced LLM which we have begun integrating into our product security processes.
In a post on social media platform Mastodon, the Shadowserver Foundation said it observed "a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today."
Max-Severity Ivanti Flaw Exploited 24 Hours After Disclosure.
Threat actors pounced on a critical Ivanti Sentry vulnerability within 24 hours of its disclosure, using a public proof-of-concept (PoC) exploit in attacks.
Ivanti disclosed Tuesday CVE-2026-10520, an OS command injection vulnerability that affects the company's Sentry mobile gateway product prior to versions R10.5.2, R10.6.2 and R10.7.1.
Ivanti disclosed the flaw along with another Sentry vulnerability, CVE-2026-10523, an authentication bypass flaw with a 9.9 CVSS score.
In its security advisory, Ivanti initially said it was unaware of either flaw being exploited in the wild.
"Organizations running affected versions of Ivanti Sentry should remediate these issues on an urgent basis before exploitation in-the-wild begins.
"While our detection is on the lowish side due to multiple Ivanti Sentry instances not reachable in our scans (blocklisted?), if you have not patched now you are most likely compromised," Shadowserver said in the post.
Simo Kohonen, Defused founder and CEO, tells Dark Reading that attacks have "pretty much been non-stop active after the release of the Watchtowr PoC."
Perhaps more importantly, Kohonen says the exploitation activity Defused observed was notable in that attackers launched the exploit directly against the company's Ivanti honeypots, with no system fingerprinting or similar activity performed up front.
"It suggests whoever acted first had the Ivanti asset landscape mapped out already up front and was able to act very quickly once the vulnerability/exploit information became public," he says.
Risks to Ivanti Sentry Customers
Ivanti Sentry, formerly MobileIron Sentry, is part of the vendor's Unified Endpoint Management (UEM) platform and serves as an in-line gateway for mobile devices to enterprise systems.
"Ivanti Sentry often sits in a sensitive position in enterprise environments, acting as a control point for mobile and device access," SOCRadar's research team wrote in a blog post yesterday.
The attacks on CVE-2026-10520 are the latest threat facing Ivanti customers.
Most recently, a critical flaw in the Ivanti Endpoint Manager Mobile (EPMM), CVE-2026-1340, came under widespread exploitation in April.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to patch an actively exploited Ivanti Sentry flaw within three days, as mandated by the newly issued Binding Operational Directive (BOD) 26-04.
Over the past several years, CISA has flagged 35 vulnerabilities across a wide range of Ivanti products that have been abused in attacks, with 12 targeted by ransomware gangs.
CISA orders feds to patch actively exploited Ivanti flaw by Sunday.
Tracked as CVE-2026-10520, this maximum-severity vulnerability was found in Ivanti's security gateway appliance (formerly known as MobileIron Sentry) and stems from an OS command injection weakness.
On Wednesday, one day after Ivanti released patches for CVE-2026-10520 and said that it had no evidence of in-the-wild exploitation, the Shadowserver Internet security watchdog reported that attackers had already backdoored many of the Sentry gateways exposed online.
Ivanti has yet to update its advisory to warn that CVE-2026-10520 is under active exploitation, and an Ivanti spokesperson has not responded when contacted by BleepingComputer for further details on these ongoing attacks.
While Shadowserver now tracks just over 50 Sentry admin portals exposed online, it says the number of Internet-exposed Ivanti Sentry instances it can detect is likely limited by organizations blocking its security scanner, and warns that systems that weren't already patched are likely compromised.
"We are observing a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today," it said.
"While our detection is on the lowish side due to multiple Ivanti Sentry instances not reachable in our scans (blocklisted?), if you have not patched now you are most likely compromised."
Internet-exposed Ivanti Sentry admin portals (Shadowserver)
On Thursday, CISA also confirmed that the CVE-2026-10520 vulnerability is now actively exploited in attacks and added it to its Known Exploited Vulnerabilities Catalog (KEV), ordering Federal Civilian Executive Branch (FCEB) agencies to secure their Ivanti Sentry instances within three days, as required by Binding Operational Directive (BOD) 26-04.
For instance, multiple Ivanti zero-days have been exploited in recent years to breach a wide range of targets (such as government agencies worldwide), including two critical Endpoint Manager Mobile (EPMM) vulnerabilities that Ivanti addressed in January after they were exploited as zero-days against a "very limited number of customers."
Over the past several years, CISA has flagged 34 vulnerabilities across various Ivanti products as actively exploited in the wild, with 12 of them also targeted in ransomware attacks.
Max severity Ivanti Sentry vulnerability now exploited in attacks.
Attackers are now targeting a recently patched maximum-severity flaw in Ivanti Sentry, enabling them to execute code with root privileges on Internet-exposed secure mobile gateways.
Formerly known as MobileIron Sentry, the Ivanti Sentry security gateway appliance secures traffic between back-end corporate systems and remote mobile devices.
Tracked as CVE-2026-10520, the maximum-severity vulnerability stems from an OS command injection weakness and was patched by Ivanti on Tuesday with the release of Sentry versions R10.5.2, R10.6.2, and R10.7.1.
"We are observing a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today."
Ivanti Sentry admin portals exposed online (Shadowserver)
Ivanti has yet to update the security advisory issued on Tuesday, which still states that "We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure."
An Ivanti spokesperson was not immediately available for comment when BleepingComputer reached out today for further details on these ongoing attacks.
Hackers often target Ivanti security flaws because they provide an entry point into targets' enterprise networks, enabling the theft of sensitive customer and corporate data.
More recently, the Cybersecurity and Infrastructure Security Agency (CISA) ordered U.S. federal agencies last month to patch Ivanti systems on their networks after the company warned customers about a high-severity remote code execution EPMM flaw that was abused in zero-day attacks.
Ivanti has a network of over 7,000 partners and over 3,000 employees, and its IT asset management solutions are used by over 40,000 customers worldwide.
Multiple other Ivanti zero-days have been exploited in recent years to breach a wide range of targets, including government agencies worldwide, including two other critical EPMM vulnerabilities addressed by Ivanti in January after being exploited as zero-days in attacks against a "very limited number of customers."
Ivanti: Max severity Sentry flaw allows code execution as root.
Security software company Ivanti has released patches to address two critical vulnerabilities in its Sentry secure mobile gateway solution, including a maximum-severity flaw that enables remote attackers to execute code with root privileges.
Formerly known as MobileIron Sentry, Ivanti Sentry is a security gateway appliance that secures traffic between back-end corporate systems and remote mobile devices.
Ivanti patched both security issues on Tuesday with the release of Sentry versions R10.5.2, R10.6.2, and R10.7.1.
"We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure," Ivanti said.
In recent years, Ivanti vulnerabilities have often been targeted in attacks because they provide an easy way for cybercriminals to breach targets' enterprise networks and steal sensitive corporate and customer data.
For instance, most recently, the Cybersecurity and Infrastructure Security Agency (CISA) ordered U.S. federal agencies in May to patch their Ivanti devices after the company warned customers to immediately patch a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM) that was exploited in zero-day attacks.
Ivanti's IT asset management solutions are used by over 40,000 clients worldwide and are supported by a network of over 7,000 partners and over 3,000 employees.
"Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable.
Intelligence Sources
BleepingComputer, 2026-06-10: Ivanti: Max severity Sentry flaw allows code execution as root
BleepingComputer, 2026-06-11: Max severity Ivanti Sentry vulnerability now exploited in attacks
BleepingComputer, 2026-06-12: CISA orders feds to patch actively exploited Ivanti flaw by Sunday
Dark Reading, 2026-06-11
Security Affairs, 2026-06-12
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-29T10:30
Comprehensive Tactical Telemetry
Highly Correlated Entities
Count | Category | Field | Value | Type
32x | organisation | Identified Entity | Ivanti Sentry | entity
17x | attribution | Attributing Entity | Ivanti Sentry | authority
10x | timeline | Temporal Reference | June 14, 2026 | date
3x | vulnerability | Exploited CVE | CVE-2026-10520 | cve
3x | infrastructure | Software Version | 5.2 | version
2x | tactic | MITRE ATT&CK Technique | T1588.006 - Vulnerabilities | technique
2x | tactic | Cyber Operation Type | Remote Code Execution | tactic
2x | industry | Targeted Sector | Media | sector
2x | general metric | Vulnerabilities | 35 | vulnerabilities
2x | general metric | % | 54 | %
Contextual Telemetry
Context Block: 15 METRICS
Category | Field | Value | Type
infrastructure | Affected Product | Ivanti | software
vulnerability | CVSS Score | 10 | score
general metric | Vulnerable Instances | 19 | vulnerable instances
general metric | Scans | 2 | scans
general metric | Hours | 24 | hours
general metric | Cvss Score | 10 | cvss score
general metric | Claude Fable | 5 | claude fable
general metric | Issued Binding Operational Directive | 26 | issued binding operational directive
general metric | Admin Portals | 50 | admin portals
financial | Bod | 4 | bod
general metric | Wild | 12 | wild
general metric | Partners | 7,000 | partners
victims | Employees | 3,000 | employees
victims | Customers | 40,000 | customers
target region | Target Country | Saudi Arabia | country