Critical Ivanti Sentry RCE (CVE-2026-10520) – Urgent Vulnerability Alert
A major security alert has been issued for organizations utilizing Ivanti Sentry (formerly known as MobileIron Sentry). A new critical vulnerability, identified as CVE-2026-10520, has been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. The flaw allows unauthenticated remote attackers to execute arbitrary commands with root privileges, posing a severe risk to enterprise infrastructure.
What is CVE-2026-10520?
CVE-2026-10520 is a critical OS command injection vulnerability discovered in the Ivanti Sentry gateway. Ivanti Sentry serves as a critical junction in enterprise mobility management, acting as a gatekeeper that manages, encrypts, and secures communication between mobile devices and internal enterprise back-end systems. Because it sits at the edge of the network, any compromise of this appliance can lead to deep penetration into internal networks.
The technical root cause of the vulnerability lies within the ConfigServiceController class, specifically the /mics/api/v2/sentry/mics-config/handleMessage API endpoint. Security researchers have found that this endpoint improperly processes user-supplied XML messages. An attacker can craft a malicious request that bypasses input validation and executes operating system commands directly on the host system. Crucially, this vulnerability can be exploited without any prior authentication, making it an extremely attractive target for threat actors.
Severity and Impact
The vulnerability has been assigned a CVSS score of 10.0 (the maximum possible rating) by several security researchers, while others have rated it 9.8. Regardless of the slight variation, the impact is undeniably critical. Root-level Remote Code Execution (RCE) through an unauthenticated endpoint allows an attacker to take full control of the Ivanti Sentry appliance. Once compromised, the appliance can be used to intercept sensitive data, launch further attacks against internal systems, or deploy ransomware.
Given that a proof-of-concept (PoC) exploit became publicly available shortly after disclosure, the barrier to entry for exploiting this flaw is remarkably low. This ease of exploitation, combined with the high value of the target, led to observed in-the-wild attacks, prompting CISA to require federal agencies to patch the flaw by June 14, 2026.
Affected Systems and Software
Organizations should immediately check their version of Ivanti Sentry. The vulnerability affects several release branches:
- Ivanti Sentry version 10.5.1 and prior
- Ivanti Sentry version 10.6.1 and prior
- Ivanti Sentry version 10.7.0 and prior
It is important to note that unsupported or end-of-life (EOL) versions of Sentry are also likely vulnerable and may not receive standard patches. Organizations running older versions should prioritize upgrading to a supported version immediately.
Recommended Mitigation and Patching
Ivanti has released critical security updates to address this vulnerability. The fix removes the dangerous control over the underlying OS that the unauthenticated endpoint provided and adds an additional authentication layer via Apache configuration.
To secure your environment, you must update to one of the following versions (or later):
- Ivanti Sentry 10.5.2
- Ivanti Sentry 10.6.2
- Ivanti Sentry 10.7.1
In addition to patching, security teams should monitor their Ivanti Sentry logs for any suspicious activity on the /mics/api/v2/sentry/mics-config/handleMessage endpoint. Specifically, look for unusual XML payloads or signs of unauthorized command execution. Organizations should also ensure that their Sentry appliances are not exposed to the public internet unless absolutely necessary, and that they are protected by restrictive firewall rules or a VPN where possible.
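One way to carry out the log review described above, as an added example that is not Ivanti's tooling or part of the original advisory. It assumes Apache combined-format access logs, a hypothetical management range in TRUSTED_NETS, and constructed sample lines; request paths are normalised before matching so encoded or padded variants of the endpoint are still counted.

```python
import ipaddress
import re
from posixpath import normpath
from urllib.parse import unquote

ENDPOINT = "/mics/api/v2/sentry/mics-config/handlemessage"  # from the advisory, lowercased
# Assumption: the appliance's web front end logs in Apache combined format.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumption: hypothetical admin range
SAMPLE_LOG = [  # constructed lines for illustration, not real traffic
    '203.0.113.7 - - [10/Jun/2026:03:14:07 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.7 - - [10/Jun/2026:03:14:09 +0000] "POST /mics//api/v2/sentry/./mics-config/handleMessage;x=1?a=b HTTP/1.1" 200 298 "-" "-"',
    '198.51.100.23 - - [10/Jun/2026:04:01:55 +0000] "POST /mics/api/v2/sentry/mics-config/handle%4dessage HTTP/1.1" 403 199 "-" "-"',
    '10.20.0.5 - - [10/Jun/2026:08:30:00 +0000] "GET /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 120 "-" "-"',
    '198.51.100.23 - - [10/Jun/2026:04:02:10 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "-"',
]

def canonical_path(target):
    """Normalise a request target so encoded or padded paths still match."""
    path = unquote(target.split("?", 1)[0]).lower()
    path = re.sub(r";[^/]*", "", path)        # drop ;path-parameters per segment
    return normpath("/" + path.lstrip("/"))   # collapse //, /./ and /../

def is_trusted(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)
    except ValueError:                        # hostname or junk in the client field
        return False

def triage(lines):
    """Summarise requests to the endpoint per source address."""
    report = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or canonical_path(m[2]) != ENDPOINT:
            continue
        entry = report.setdefault(m[1], {"hits": 0, "statuses": set(), "trusted": is_trusted(m[1])})
        entry["hits"] += 1
        entry["statuses"].add(int(m[3]))
    return report

def review_queue(report):
    """Untrusted sources, those answered with a 2xx (request accepted) first."""
    queue = [ip for ip, e in report.items() if not e["trusted"]]
    return sorted(queue, key=lambda ip: (not any(200 <= s < 300 for s in report[ip]["statuses"]), ip))

if __name__ == "__main__":
    print(review_queue(triage(SAMPLE_LOG)))
```

To use it, pass the appliance's own access log lines in place of SAMPLE_LOG and set TRUSTED_NETS to your management networks.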
The Critical Window for Action
The rapid transition from vulnerability disclosure to its inclusion in the KEV catalog highlights the agility of modern threat actors. With a CISA-mandated deadline of June 14, federal agencies—and by extension, all responsible private organizations—have very little time to act. In many cases, these types of edge-gateway vulnerabilities are the first step in a larger ransomware campaign or state-sponsored espionage effort.
If you have not yet applied the June 9, 2026 security updates for Ivanti Sentry, do so immediately. Delaying this patch exposes your organization to unauthenticated root-level access that bypasses almost all traditional perimeter defenses.
Stay vigilant and keep your enterprise gateways secure.