Ivanti has released urgent security updates for two critical vulnerabilities affecting Ivanti Sentry, a product commonly used as a secure gateway between external mobile devices and internal corporate systems.
The two flaws, tracked as CVE-2026-10520 and CVE-2026-10523, are serious because they could allow an attacker to take control of a vulnerable Ivanti Sentry appliance without needing valid login credentials. Ivanti has advised customers to apply the available fixes as soon as possible.
At the time of disclosure, there was no public indication that these vulnerabilities were being actively exploited in real-world attacks. However, the situation is still concerning because researchers have already published technical analysis for one of the flaws, meaning attackers may be able to study the details and build their own working exploit.
Ivanti Sentry is not a normal internal application tucked away safely behind layers of corporate security. In many environments, it sits close to the edge of the network because its job is to manage secure access between mobile devices and company resources.
In simple terms, Ivanti Sentry acts like a security checkpoint. It helps control how mobile devices outside the corporate network connect to internal services such as:
• Corporate email systems
• Internal business applications
• Mobile device management platforms
• Authentication and session-based services
Because of this role, Ivanti Sentry is often reachable from the internet. Many organizations deploy it in a separate or isolated network zone to reduce the risk of attackers moving deeper into the internal network. However, even with that separation, a compromise of Sentry can still be highly damaging.
What Could Happen If Sentry Is Compromised?
The biggest risk is not only that attackers gain access to the Sentry server itself. The bigger concern is what the appliance can expose.
If attackers successfully compromise Ivanti Sentry, they may be able to access sensitive information such as credentials, session tokens, and authentication data. With that information, they could potentially impersonate legitimate users and gain access to corporate email or internal applications.
That is what makes vulnerabilities in gateway products especially dangerous. These systems are designed to protect access, but when they are compromised, they can become a shortcut into the very environments they were meant to secure.
The Two Critical Vulnerabilities
Ivanti fixed two critical flaws in this update.
The first issue, CVE-2026-10520, is an operating system command injection vulnerability. This is the more alarming of the two because it can allow a remote, unauthenticated attacker to execute commands on the affected appliance with root-level privileges.
In practical terms, that means an attacker may not need a username, password, or existing foothold. If the vulnerable system is exposed and reachable, the attacker could potentially execute commands at the highest privilege level.
The second flaw, CVE-2026-10523, is an authentication bypass vulnerability. This issue could allow an attacker to create administrator accounts on a vulnerable Ivanti Sentry device. Once an attacker has administrative access, they may be able to change configuration, maintain persistence, or use the appliance to access other connected services.
What Researchers Found
Security researchers from WatchTowr analyzed both a vulnerable and patched version of Ivanti Sentry to understand what had changed.
Their analysis found that CVE-2026-10520 appears to involve an API intended for internal configuration commands. The problem is that the vulnerable implementation allowed commands to be accepted from anyone who could reach the interface over the internet, without requiring authentication first.
That kind of exposure is dangerous because it turns what should be an internal administrative function into a remotely accessible attack path.
Even if exploit code is not widely available yet, detailed technical write-ups can accelerate attacker activity. Once researchers explain the vulnerable behavior clearly, threat actors often begin scanning for exposed systems and attempting to reproduce the attack.
Affected Versions and Fixed Releases
The vulnerabilities affect the following Ivanti Sentry versions:
• Ivanti Sentry 10.5.1 and earlier
• Ivanti Sentry 10.6.1 and earlier
• Ivanti Sentry 10.7.0 and earlier
Ivanti has fixed the issues in these versions:
• Ivanti Sentry 10.5.2
• Ivanti Sentry 10.6.2
• Ivanti Sentry 10.7.1
Organizations using Ivanti Sentry should check their current version immediately and upgrade to the appropriate fixed release.
Organizations Should Check Their Exposure
Patching should be the first priority, but organizations should also review whether their Ivanti Sentry appliance is exposed to the internet.
Security teams should confirm:
• Which Ivanti Sentry version is currently running
• Whether the appliance is internet-facing
• Whether access is restricted only to trusted networks
• Whether suspicious administrator accounts have been created
• Whether logs show unusual API activity or unexpected configuration changes
• Whether credentials or session tokens may have been exposed
WatchTowr has also released a script that defenders can use to check whether their environment appears vulnerable. This can help security teams quickly identify exposure, but it should not replace patching.
Not the Only Ivanti Security Concern
Alongside the Ivanti Sentry fixes, Ivanti has also released patches for two high-severity vulnerabilities in Ivanti Endpoint Manager Mobile, also known as EPMM.
EPMM vulnerabilities have historically attracted attacker interest, and flaws in Ivanti products have been exploited in previous campaigns. For Ivanti Sentry specifically, one known example is CVE-2023-38035, an authentication bypass vulnerability that was exploited as a zero-day in 2023.
That history matters because attackers often pay close attention to security products that sit at the network edge. These systems are valuable targets because they are exposed, trusted, and connected to sensitive internal services.
Why Immediate Patching Is Important
Even though there is currently no confirmed active exploitation of these two new Sentry vulnerabilities, organizations should not treat this as a low-risk issue.
The combination of internet exposure, unauthenticated access, root-level command execution, and published technical details creates a narrow window for defenders to act before attackers begin scanning more aggressively.
For organizations using Ivanti Sentry, this should be treated as an urgent patching task rather than a routine update.
The safest approach is simple: identify affected systems, apply the fixed version, restrict exposure wherever possible, and review the appliance for any signs of suspicious activity.
Comments