Attackers have begun actively exploiting CVE-2026-10520, a maximum-severity vulnerability in Ivanti Sentry secure mobile gateways. The flaw allows remote code execution with root privileges on Internet-facing devices, putting organizations at significant risk.
Formerly known as MobileIron Sentry, the Ivanti Sentry appliance secures traffic between back-end corporate systems and remote mobile devices. The vulnerability stems from an OS command injection weakness that was patched by Ivanti on Tuesday with the release of Sentry versions R10.5.2, R10.6.2, and R10.7.1.
Vulnerability Background and Timeline
Tracked as CVE-2026-10520, the vulnerability allows attackers to execute arbitrary commands on the device with root privileges. Ivanti initially stated it had no evidence of in-the-wild exploitation when releasing the patches. However, Shadowserver, a nonprofit security organization, reported the next day that attackers had already backdoored most of the exposed Sentry gateways.
Shadowserver provided a stark assessment: "We are observing a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today. We see 19 vulnerable instances in our own scans, with at least 2 backdoored (thanks to Saudi NCA for the tip!). However, all remaining likely compromised too."
The organization warned: "While our detection is on the lowish side due to multiple Ivanti Sentry instances not reachable in our scans (blocklisted?), if you have not patched now you are most likely compromised."
Scope of the Threat
The Internet security watchdog noted that its scans detected only a limited number of exposed Sentry instances, but additional devices are likely unreachable due to blocklisting. This means many vulnerable systems may not appear in standard scans, creating a hidden attack surface.
As of the report, Ivanti had not updated its security advisory, which still stated "We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure." An Ivanti spokesperson was not immediately available for comment when BleepingComputer reached out.
Why Ivanti Flaws Are Targeted
Hackers frequently target Ivanti security flaws because they provide an entry point into enterprise networks, enabling the theft of sensitive customer and corporate data. The company has a history of vulnerabilities being exploited in attacks, including:
- Multiple Ivanti zero-days exploited in recent years to breach government agencies worldwide
- Two critical Endpoint Manager Mobile (EPMM) vulnerabilities addressed in January after being exploited as zero-days against a "very limited number of customers"
- A high-severity remote code execution EPMM flaw that CISA ordered U.S. federal agencies to patch within four days
See our analysis of Ivanti EPMM vulnerabilities for more on the company's security track record.
Historical Context and Prior Exploitation
Over the past several years, CISA has flagged 34 vulnerabilities across various Ivanti products as actively exploited in the wild. Twelve of these vulnerabilities were also targeted in ransomware attacks, highlighting the persistent threat posed by unpatched Ivanti appliances.
CISA's involvement underscores the severity of these vulnerabilities. The agency ordered federal agencies to patch Ivanti systems on their networks after warnings about active exploitation, demonstrating the real-world impact these flaws can have.
Learn more about CISA's most critical exploited vulnerabilities in our comprehensive guide.
Recommended Actions
Organizations running Ivanti Sentry appliances should:
- Immediately verify whether any Sentry devices are Internet-exposed
- Apply the patches by upgrading to Sentry version R10.5.2, R10.6.2, or R10.7.1
- Check for signs of compromise if patching cannot be completed immediately
- Consider air-gapping exposed devices until patches can be applied
- Review network logs for indicators of the exploit being used
See our patch management best practices guide for a framework to help security teams prioritize and deploy critical updates.
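As an added example (not code from the article or from Ivanti), the following script turns the two actions above, checking Internet exposure and comparing installed versions against the fixed releases R10.5.2, R10.6.2 and R10.7.1, into a fleet triage list. It assumes the "R10.x.y" version format shown in the article, treats branches older than R10.5 as unpatched (an assumption, since the article lists no fix for them), and uses a constructed inventory of made-up hostnames.

```python
import re

# Fixed Sentry releases named in the article, keyed by (major, minor) release branch.
FIXED_VERSIONS = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}
VERSION_RE = re.compile(r"^R?(\d+)\.(\d+)\.(\d+)$")

def parse_version(text: str) -> tuple:
    """Parse a Sentry version string such as 'R10.6.1' into a numeric tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Sentry version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def patch_status(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one Sentry version string."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return "patched" if v >= FIXED_VERSIONS[branch] else "vulnerable"
    # Assumption: branches older than the oldest fixed line have no fix, so treat as vulnerable.
    if branch < min(FIXED_VERSIONS):
        return "vulnerable"
    # Newer branches are not mentioned in the article; flag them for manual review.
    return "unknown"

# Lower number = patch sooner. Internet-exposed vulnerable appliances come first.
PRIORITY = {("vulnerable", "exposed"): 0, ("unknown", "exposed"): 1,
            ("vulnerable", "internal"): 2, ("unknown", "internal"): 3,
            ("patched", "exposed"): 4, ("patched", "internal"): 5}

def triage(inventory: list) -> list:
    """Rank (hostname, version, internet_exposed) rows into patching order."""
    rows = [(host, patch_status(ver), "exposed" if exposed else "internal")
            for host, ver, exposed in inventory]
    return sorted(rows, key=lambda r: PRIORITY[(r[1], r[2])])

# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("sentry-dmz-01", "R10.6.1", True),
    ("sentry-dmz-02", "R10.7.1", True),
    ("sentry-lab-01", "R10.5.0", False),
    ("sentry-dmz-03", "R10.8.0", True),
]

if __name__ == "__main__":
    for host, status, exposure in triage(SAMPLE_INVENTORY):
        print(f"{host:15} {status:11} {exposure}")
```

Feed it your real appliance inventory (hostname, version, exposure flag) and work the list top down; anything reported as "unknown" needs a manual check against the current Ivanti advisory.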
Ivanti maintains a network of over 7,000 partners, employs over 3,000 people, and serves more than 40,000 customers worldwide. The rapid escalation of this vulnerability from patch release to active exploitation demonstrates the urgent need for organizations to maintain robust patch management practices.