Ivanti released emergency security updates for its Sentry mobile gateway after finding two critical flaws that could let attackers take over affected systems. The bugs are CVE-2026-10520, a maximum-severity OS command injection issue that can enable remote code execution as root, and CVE-2026-10523, an authentication bypass that can let unauthenticated attackers create rogue admin accounts. Fixes are in Sentry versions R10.5.2, R10.6.2, and R10.7.1; Ivanti said it has no evidence of active exploitation at disclosure.
Why it matters: Organizations using Ivanti Sentry should update immediately because these bugs could hand an attacker full control of a gateway that sits between mobile devices and internal corporate systems. Even without confirmed in-the-wild abuse yet, Ivanti edge and management products have a strong history of rapid post-disclosure exploitation.
2026.06.10
99% relevant
This article reports the same Ivanti Sentry disclosure, adding patch urgency, affected fixed versions (10.5.2, 10.6.2, 10.7.1), and technical detail from watchTowr that CVE-2026-10520 involved an exposed Apache Tomcat API parsing attacker-controlled MICS configuration commands; it also reiterates CVE-2026-10523 as an unauthenticated admin-account creation flaw.
Ionut Arghire
2026.06.10
94% relevant
This article adds that Ivanti released Sentry 10.5.2, 10.6.2, and 10.7.1 to fix CVE-2026-10520 and CVE-2026-10523, and also notes related EPMM fixes (CVE-2026-6973 and CVE-2026-10727). It reiterates that CVE-2026-10520 is a remote unauthenticated OS command injection leading to root code execution and that CVE-2026-10523 is a remote unauthenticated authentication bypass allowing creation of administrator accounts, with Ivanti saying it has no evidence of active exploitation.
Sergiu Gatlan
2026.06.10
100% relevant
This article establishes a new tracked event: Ivanti's June 2026 disclosure and patching of CVE-2026-10520 and CVE-2026-10523 in Sentry, distinct from prior Ivanti EPMM and other zero-day stories.