Ivanti Patches Critical Sentry Flaws Allowing Root-Level RCE

Executive Summary

Ivanti has issued an urgent warning to customers regarding two critical vulnerabilities in its Ivanti Sentry product, a key component for mobile device management security. The most critical of these, CVE-2026-10520, is an OS command injection flaw that can be exploited by a remote, unauthenticated attacker to gain root-level control over the appliance. A second vulnerability, CVE-2026-10523, allows an attacker to bypass authentication and create new administrator accounts. Although Ivanti reports no active exploitation, security firm WatchTowr has publicly released technical details and a vulnerability scanner for CVE-2026-10520. This disclosure dramatically shortens the window for defenders to act before exploits are developed and deployed. A compromised Sentry appliance provides a gateway to backend corporate resources, including email and internal applications, making these vulnerabilities an immediate and critical threat.

Vulnerability Details

CVE-2026-10520: This is a critical OS command injection vulnerability. Researchers at WatchTowr discovered that a specific API endpoint intended for internal configuration was exposed to the internet without requiring authentication. An attacker can send specially crafted commands to this endpoint, which are then executed on the underlying operating system with root privileges. This provides a direct path to full system compromise.
CVE-2026-10523: This is an authentication bypass vulnerability. While fewer technical details are available, it reportedly allows an attacker to create new administrative accounts on the Sentry device. This could be used to establish persistence or as a stepping stone to further exploit the system.

Chaining these two vulnerabilities could allow an attacker to gain full control, create persistent access, and then use the Sentry appliance's trusted position to pivot into the internal network.

Affected Systems

The vulnerabilities affect the following versions of Ivanti Sentry (formerly MobileIron Sentry):

Versions 10.5.1 and prior
Versions 10.6.1 and prior
Versions 10.7.0 and prior

Ivanti has released patched versions 10.5.2, 10.6.2, and 10.7.1 to address these issues.

Exploitation Status

As of June 10, 2026, Ivanti has stated there is no evidence of these vulnerabilities being exploited in the wild. However, the public release of technical analysis and a scanning tool by WatchTowr makes exploitation highly likely in the near future. Threat actors are known to actively target vulnerabilities in edge devices like Ivanti products, often within hours or days of public disclosure.

Impact Assessment

The impact of exploiting these vulnerabilities is severe. The Ivanti Sentry appliance functions as a critical security gateway, mediating access between mobile devices (smartphones, tablets) and a company's backend resources like Microsoft Exchange Server and other internal applications. A successful attacker could:

Intercept and decrypt sensitive traffic passing through the appliance.
Steal session tokens, credentials, and other sensitive data.
Gain a foothold on the internal network to launch further attacks (lateral movement).
Disrupt mobile device connectivity, impacting business operations.
Deploy ransomware or other malware into the corporate network.

Given its role as a trusted intermediary, a compromised Sentry device is a catastrophic security failure.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

Type

URL Pattern

Value

/mifs/services/config/

Description

Look for inbound web requests to this API path from external, untrusted IP addresses. This is the vulnerable endpoint for CVE-2026-10520.

Type

Log Source

Value

Ivanti Sentry System Logs

Description

Monitor for the creation of new administrative accounts by unknown sources, which could indicate exploitation of CVE-2026-10523.

Type

Process Name

Value

bash, sh, nc, curl

Description

Look for suspicious child processes being spawned by the Sentry application's main process, which could indicate command injection.

Type

Network Traffic Pattern

Value

Outbound connections from the Sentry appliance to unknown external IP addresses.

Description

A compromised device may initiate a reverse shell or connect to a C2 server.

Detection Methods

Vulnerability Scanning: Use the publicly available scanner from WatchTowr or other vulnerability management tools to identify exposed and unpatched Ivanti Sentry appliances in your environment.
Log Analysis: Ingest web server access logs from Sentry appliances into a SIEM. Create alerts for any access to the /mifs/services/config/ path from external IP addresses. This leverages D3FEND's Web Session Activity Analysis (D3-WSAA).
Network Traffic Analysis: Monitor network traffic originating from your Sentry appliances. Baseline normal traffic patterns and alert on any anomalous outbound connections, especially on non-standard ports. This aligns with D3FEND's Outbound Traffic Filtering (D3-OTF).

Remediation Steps

Patch Immediately: The primary remediation is to upgrade all vulnerable Ivanti Sentry appliances to a patched version (10.5.2, 10.6.2, or 10.7.1) without delay. This is an application of D3FEND's Software Update (D3-SU).
Restrict Access: As a temporary mitigation or compensating control, ensure that the Sentry management interface is not exposed to the public internet. Restrict access to a trusted internal network or via a secure VPN connection with MFA. This is a form of D3FEND's Application Configuration Hardening (D3-ACH).
Hunt for Compromise: After patching, it is crucial to assume compromise and hunt for evidence of malicious activity. Review logs for signs of exploitation that may have occurred before the patch was applied. Look for newly created admin accounts, suspicious outbound connections, or unusual processes.

Ivanti Urges Immediate Patching for Critical Sentry Vulnerabilities (CVE-2026-10520, CVE-2026-10523) Enabling Root RCE