Critical Ivanti Sentry flaw allows root-level remote code execution (CVE-2026-10520)

Ivanti has patched two critical vulnerabilities (CVE-2026-10520 and CVE-2026-10523) in Ivanti Sentry and has urged customers to implement the fix right away.

Though the vulnerabilities are not known to be actively exploited, security researchers have already released technical details about the former, which may be used by attackers to craft a working exploit.

About Ivanti Sentry and the vulnerabilities

Ivanti Sentry is a security gateway that acts as a gatekeeper between mobile devices outside of the corporate network and a company’s internal systems (e.g., email servers, internal applications).

Ivanti Sentry is usually reachable from the internet, though it’s often deployed on an isolated subnetwork of the corporate network, to prevent attackers from using it for lateral movement into the latter.

Unfortunately, compromising Sentry allows attackers to expose credentials and session tokens and to impersonate legitimate users, thus gaining access to the organization’s apps and email servers.

Both of the fixed flaws are critical: CVE-2026-10520 is an OS command injection vulnerability that can allow remote unauthenticated users to achieve root-level remote code execution, and CVE-2026-10523 is an authentication bypass flaw that allows them to create admin accounts on a vulnerable device.

WatchTowr researchers have compared a vulnerable and a patched version of Ivanti Sentry, and found that CVE-2026-10520 arises from Sentry having an API that’s designed to accept internal configuration commands but accepts a command from anyone who can reach it over the internet, without requiring them to authenticate first.

Check your exposure and patch

CVE-2026-10520 and CVE-2026-10523 affect Ivanti Sentry versions 10.5.1, 10.6.1, 10.7.0 and prior, and have been fixed in versions 10.5.2, 10.6.2 and 10.7.1.
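
For triaging an appliance inventory against the version ranges above, here is an added example (not from Ivanti, watchTowr or the original article). The host names are constructed, and two choices are assumptions: "and prior" is read as covering every branch older than 10.5, and branches newer than 10.7 are reported as unknown because the article does not mention them.

```python
import re

# Fixed release per branch, exactly as listed in the article.
FIXED = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}

def parse_version(text):
    """Return (major, minor, patch) from strings such as '10.6.1' or 'Sentry 10.7.0.3'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(version_text):
    """Classify one reported version against the article's fixed releases."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED:
        fixed = FIXED[branch]
        if v >= fixed:
            return "patched"
        return "vulnerable: upgrade to " + ".".join(map(str, fixed))
    if branch < min(FIXED):
        # Assumption: "and prior" covers all branches older than 10.5.
        return "vulnerable: branch predates 10.5, move to a fixed release"
    # Assumption: the article says nothing about branches newer than 10.7.
    return "unknown: branch not covered by the article, check the vendor advisory"

def report(inventory):
    """Map each host to its triage result; unparsable versions are flagged, not skipped."""
    results = {}
    for host, version_text in inventory:
        try:
            results[host] = triage(version_text)
        except ValueError:
            results[host] = "unknown: version string could not be parsed"
    return results

# Constructed sample inventory (hypothetical host names).
INVENTORY = [
    ("sentry-dmz-01", "10.5.1"),
    ("sentry-dmz-02", "Sentry 10.6.2"),
    ("sentry-dmz-03", "10.7.0.3"),
    ("sentry-legacy", "9.18.0"),
    ("sentry-lab", "n/a"),
]

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:15} {status}")
```
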

WatchTowr researchers have released a script that defenders can use to determine whether their environment is vulnerable.

Ivanti has also shipped fixes for two high-severity vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM).

While EPMM flaws are regularly exploited by attackers, the only Sentry vulnerability known to have been leveraged by attackers is CVE-2023-38035, an authentication bypass bug that was exploited as a zero-day in 2023.