Ivanti Sentry max severity flaw actively exploited

Summary
– Attackers are exploiting a recently patched maximum-severity OS command injection flaw (CVE-2026-10520) in Ivanti Sentry gateways to execute code with root privileges.
– Ivanti released patches on Tuesday with Sentry versions R10.5.2, R10.6.2, and R10.7.1, initially stating no evidence of exploitation.
– The Shadowserver Foundation reported the next day that at least two of the 19 vulnerable gateways its scans could see were already backdoored, and that the remaining ones were likely compromised too, contradicting Ivanti’s statement.
– Shadowserver cautioned that its count is low because many Sentry instances are unreachable to its scanners (likely blocklisted), so more vulnerable and compromised devices probably exist.
– Hackers frequently target Ivanti flaws to breach enterprise networks, as seen in past zero-day attacks on government agencies and ransomware incidents.
Attackers have begun actively exploiting a recently patched, maximum-severity vulnerability in Ivanti Sentry, a security gateway appliance designed to protect mobile connections to corporate networks. The flaw allows remote attackers to execute arbitrary code with root privileges on internet-facing devices.
Formerly known as MobileIron Sentry, the Ivanti Sentry appliance acts as a secure bridge between backend enterprise systems and remote mobile devices, making it a critical component for organizations with mobile workforces.
The vulnerability, identified as CVE-2026-10520, is an OS command injection flaw that carries the highest possible severity rating. Ivanti released patches on Tuesday with versions R10.5.2, R10.6.2, and R10.7.1. At the time, the company stated it had no evidence of active exploitation in the wild.
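As an added illustration (not code from the article, Ivanti, or Shadowserver), the following Python triage helper compares Sentry build strings from an inventory against the fixed builds named above. It assumes that any build on the R10.5, R10.6 or R10.7 branch below the listed fix is affected, that a branch with no listed fix should be reported as unverified rather than safe, and that the hostnames and versions in the sample inventory are constructed.

```python
"""Patch-level triage for CVE-2026-10520 in Ivanti Sentry.

Added example, not code from Ivanti, Shadowserver or BleepingComputer. The
fixed builds (R10.5.2, R10.6.2, R10.7.1) are the ones reported in the article;
the rule that any lower build on those branches is affected, and that a branch
with no listed fix is "unverified", is an assumption of this script.
"""
import re
from typing import Dict, List, Optional, Tuple

# Lowest fixed build per branch, keyed by "major.minor".
FIXED_BUILDS: Dict[str, Tuple[int, int, int]] = {
    "10.5": (10, 5, 2),
    "10.6": (10, 6, 2),
    "10.7": (10, 7, 1),
}

# Accepts "R10.6.2", "10.6.2" and an optional fourth component ("R10.6.2.1").
_VERSION_RE = re.compile(r"^R?(\d+)\.(\d+)\.(\d+)(?:\.\d+)?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None if the string is not a version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(text: str) -> str:
    """Classify one build string: patched, vulnerable, unverified or unparseable."""
    v = parse_version(text)
    if v is None:
        return "unparseable"
    fixed = FIXED_BUILDS.get(f"{v[0]}.{v[1]}")
    if fixed is None:
        # No fix listed for this branch (assumption: do not treat it as safe).
        return "unverified"
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hosts by status, action-needed groups first."""
    groups: Dict[str, List[str]] = {
        "vulnerable": [], "unverified": [], "unparseable": [], "patched": []
    }
    for host, version in inventory:
        groups[assess(version)].append(host)
    return groups


# Constructed sample inventory; hostnames and builds are made up.
SAMPLE_INVENTORY = [
    ("sentry-01.example.test", "R10.5.1"),
    ("sentry-02.example.test", "R10.6.2"),
    ("sentry-03.example.test", "R10.7.0"),
    ("sentry-04.example.test", "10.7.1"),
    ("sentry-05.example.test", "R10.4.3"),
    ("sentry-06.example.test", "n/a"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12} {', '.join(hosts) or '-'}")
```

Feed it the build strings from your own asset inventory; anything in the "vulnerable" or "unverified" groups should be treated as potentially compromised, not merely unpatched, given Shadowserver's observation that exploitation was already under way when the fix shipped.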
However, within 24 hours, the Shadowserver Foundation, a nonprofit internet security organization, reported that of the 19 vulnerable Sentry gateways its scans could reach, at least two were confirmed backdoored and the rest were likely compromised as well. Shadowserver cautioned that this count understates the problem because many Sentry instances are unreachable to its scanners, most likely because the scanners are blocklisted.
“We are observing a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today,” Shadowserver warned. “We see 19 vulnerable instances in our own scans, with at least 2 backdoored (thanks to Saudi NCA for the tip!). However, all remaining likely compromised too.” The organization added a stark warning: “While our detection is on the lowish side due to multiple Ivanti Sentry instances not reachable in our scans (blocklisted?), if you have not patched now you are most likely compromised.”
Ivanti has not yet updated its original security advisory, which still reads: “We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure.” A company spokesperson did not immediately respond to requests for comment.
This pattern of exploitation is not new. Cybercriminals frequently target Ivanti products because they serve as gateways into enterprise networks, offering opportunities to steal sensitive customer and corporate data. Over the past few years, multiple Ivanti zero-days have been exploited against government agencies and private-sector targets worldwide. In January, for example, Ivanti patched two critical Endpoint Manager Mobile (EPMM) vulnerabilities that had been used in zero-day attacks against a limited number of customers.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also been active, ordering federal agencies last month to patch a high-severity remote code execution flaw in EPMM that was being exploited in the wild. Since 2020, CISA has flagged 34 Ivanti vulnerabilities as actively exploited, with 12 of those also linked to ransomware attacks.
Ivanti’s reach is extensive, with a network of over 7,000 partners and more than 3,000 employees. Its IT asset management solutions serve over 40,000 customers globally. For organizations using Ivanti Sentry, the message from security researchers is clear: apply the patch immediately, as any delay likely means compromise.
(Source: BleepingComputer)