A CVSS 10 flaw in Ivanti Sentry can let a remote unauthenticated attacker execute commands as root, putting the secure mobile gateway in urgent-patch territory.

CVSS 10 Ivanti Sentry Bug Hands Hackers Root Access
XOOMAR Intelligence
Analyst Take
Ivanti released fixes for two critical Sentry vulnerabilities on Tuesday, including the maximum-severity CVE-2026-10520 and a separate authentication bypass tracked as CVE-2026-10523, according to BleepingComputer. The company says it has no evidence that either flaw is being exploited in the wild.
“We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure,” Ivanti said. “Currently, there is no known public exploitation of this vulnerability that could be used to provide a list of indicators of compromise.”
Ivanti patches critical Sentry flaws that can give attackers root access
Ivanti Sentry, formerly MobileIron Sentry, is a gateway appliance that secures traffic between back-end corporate systems and remote mobile devices. That placement makes the top bug especially sensitive: Sentry sits in the path between managed mobile fleets and enterprise services.
The first vulnerability, CVE-2026-10520, is an OS command injection flaw. The supplied vulnerability detail says it allows a remote unauthenticated user to execute arbitrary system commands with root privileges, with total compromise of confidentiality, integrity, and availability of the affected system.
The second flaw, CVE-2026-10523, is an authentication bypass. BleepingComputer reports that unauthenticated attackers can exploit it remotely to create rogue administrative accounts and gain full administrative access.
Ivanti fixed both issues in Sentry R10.5.2, R10.6.2, and R10.7.1. Versions before those releases are affected.
| Vulnerability | Type | Authentication needed | Reported impact | Fixed versions |
|---|---|---|---|---|
| CVE-2026-10520 | OS command injection | None, based on supplied vulnerability detail | Root-level remote code execution | R10.5.2, R10.6.2, R10.7.1 |
| CVE-2026-10523 | Authentication bypass | None, according to BleepingComputer | Rogue admin accounts and full admin access | R10.5.2, R10.6.2, R10.7.1 |
The CVSS score for CVE-2026-10520 is listed as 10, the maximum possible severity. A CVSS score for CVE-2026-10523 was not included in the supplied material, though Ivanti classifies it as critical.
Ivanti’s public message is narrow: upgrade now. The source material does not cite separate workaround steps, hardening instructions, or indicators of compromise.
Root code execution on Ivanti Sentry could expose mobile access gateways
Root-level remote code execution is the worst version of this class of bug. If exploited, CVE-2026-10520 could let an attacker run operating system commands as the most privileged user on the appliance.
XOOMAR analysis: that matters because Sentry isn’t a random internal application server. It brokers access between mobile devices and back-end corporate systems. A compromised gateway could become a foothold for tampering with gateway behavior, inspecting traffic paths, changing configurations, or staging further movement, depending on the environment.
The authentication bypass creates a different but still dangerous route. A rogue administrative account can give an attacker a persistent management path, even without direct command execution at the first step.
The combination is ugly for defenders:
- Privilege: The top flaw reaches root, not just an application user.
- Access: Both flaws are described as remotely exploitable, and the supplied detail says CVE-2026-10520 requires no authentication.
- Control plane risk: CVE-2026-10523 can create arbitrary administrative accounts.
- Visibility gap: Ivanti says there is no known public exploitation that would produce a ready-made IOC list.
Ivanti has been under pressure before. BleepingComputer notes that CISA ordered U.S. federal agencies in May to patch Ivanti devices after the company warned customers about a high-severity remote code execution vulnerability in Endpoint Manager Mobile exploited in zero-day attacks. Ivanti also addressed two critical EPMM vulnerabilities in January after they were exploited as zero-days against a “very limited number of customers.”
That recent history doesn’t prove these Sentry flaws are being abused. Ivanti says they aren’t, based on what it knows at disclosure. But it does explain why defenders won’t treat another critical Ivanti gateway bug as routine maintenance.
For teams already buried in patch queues, this lands in the same operational category as the pressure described in XOOMAR’s “208 CVEs Turn Microsoft Patch Tuesday Into a Fire Drill”: the security work starts with asset inventory, not with the advisory PDF. Engineering teams reviewing how code and configuration changes move through their environments may also find useful context in “Private AI Code Assistants Face the Code Leak Test,” though this Sentry case is an appliance exposure issue, not an AI coding-tool leak.
Security teams should update Ivanti Sentry and check for signs of abuse
The immediate task is blunt: find every Ivanti Sentry instance, confirm its version, and move affected systems to R10.5.2, R10.6.2, or R10.7.1. Then verify the update actually completed.
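The version check described above, as an added example (not Ivanti's tooling and not code from the source article): it compares each appliance against the fixed release of its own train, so a host on R10.6.1 is not passed as fixed just because it sorts above R10.5.2. The inventory rows, column names and version string format are constructed assumptions, and trains the page does not name are flagged for manual review rather than guessed.

```python
import csv
import io
import re

# Fixed patch level per release train, from the page: R10.5.2, R10.6.2, R10.7.1.
FIXED = {(10, 5): 2, (10, 6): 2, (10, 7): 1}
VERSION_RE = re.compile(r"^\s*R?(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)

# Constructed sample inventory; hostnames, columns and the version string
# format are assumptions for illustration, not appliance output.
SAMPLE_INVENTORY = """host,version,internet_facing
sentry-dmz-01,R10.5.1,yes
sentry-dmz-02,R10.7.1,yes
sentry-int-01,10.6.2-build17,no
sentry-int-02,R10.4.0,no
sentry-lab-01,R10.8.0,no
sentry-old-01,unknown,yes
"""

def classify(version):
    """Return (status, note) for one reported version string."""
    m = VERSION_RE.match(version)
    if not m:
        return "unparsed", "confirm version on the appliance"
    major, minor, patch = map(int, m.groups())
    train = (major, minor)
    if train in FIXED:
        target = f"R{major}.{minor}.{FIXED[train]}"
        if patch >= FIXED[train]:
            return "fixed", f"at or above {target}"
        return "affected", f"upgrade to {target}"
    if train < min(FIXED):
        return "affected", "train has no listed fix; move to a fixed release"
    return "unlisted", "train not named on the page; check the vendor advisory"

def triage(inventory_csv):
    """Rows still needing action: internet-facing first, then by status, then host."""
    rows = []
    order = {"affected": 0, "unparsed": 1, "unlisted": 2}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status, note = classify(row["version"])
        if status != "fixed":
            exposed = row["internet_facing"].strip().lower() == "yes"
            rows.append((row["host"], status, exposed, note))
    return sorted(rows, key=lambda r: (not r[2], order[r[1]], r[0]))

if __name__ == "__main__":
    for host, status, exposed, note in triage(SAMPLE_INVENTORY):
        print(f"{host:15} {status:9} exposed={exposed!s:5} {note}")
```

Re-running the same triage on a fresh inventory after the patch window covers the "verify the update actually completed" step: any host still listed has not reached a fixed release or could not be confirmed.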
XOOMAR analysis: for internet-reachable or broadly reachable Sentry deployments, this should be handled as an urgent patch window. A root-level unauthenticated command injection bug gives attackers too much upside if exploit code appears.
Post-patch review should focus on changes that would make sense after either vulnerability. That means checking for unexpected admin accounts, unusual authentication events, suspicious configuration changes, new files, unknown processes, and odd outbound connections from the appliance.
Security teams should also preserve relevant logs before rotation or cleanup. Ivanti has not provided a known IOC list in the supplied material, so local telemetry may matter if later guidance narrows the hunt.
Ivanti says it is not aware of exploitation at disclosure time. That’s good news, but it’s not a reason to wait.
The next watch item is whether Ivanti or security researchers publish deeper exploitability notes, detection guidance, or indicators tied to CVE-2026-10520 and CVE-2026-10523. Until then, exposed Sentry systems running older releases belong at the front of the patch queue.
Impact Analysis
- A CVSS 10 flaw gives remote attackers a path to execute commands as root on affected Ivanti Sentry systems.
- Sentry sits between mobile devices and enterprise services, making compromise especially risky for corporate environments.
- Ivanti says there is no known exploitation, but affected versions before R10.5.2, R10.6.2, and R10.7.1 need urgent patching.
Ivanti Sentry Critical Vulnerabilities
| Vulnerability | Type | Authentication needed | Reported impact | Fixed versions |
|---|---|---|---|---|
| CVE-2026-10520 | OS command injection | None | Remote command execution as root with full confidentiality, integrity, and availability impact | Sentry R10.5.2, R10.6.2, R10.7.1 |
| CVE-2026-10523 | Authentication bypass | None | Rogue admin account creation and full administrative access | Sentry R10.5.2, R10.6.2, R10.7.1 |
Written by
XOOMAR Insights Team
Research and Editorial Desk