
Ivanti Sentry: Critical Vulnerabilities Enable Complete Device Takeover


Bottom line: The Sentry vulnerabilities CVE-2026-10523 and CVE-2026-10520 enable unauthenticated attackers to bypass authentication and achieve Remote Code Execution with root privileges, requiring immediate patching to versions 10.5.2, 10.6.2, or 10.7.1.

Ivanti has patched two security vulnerabilities in the Sentry mobile gateway appliance that enable unauthenticated attackers to gain complete control over deployments. Both vulnerabilities can be exploited remotely without authentication.

The first vulnerability, CVE-2026-10523 (CVSS 9.9), was discovered by researcher Bryan Lam and allows attackers to bypass authentication and create arbitrary admin accounts on the appliances. The second flaw, CVE-2026-10520, is a command injection bug that leads to Remote Code Execution with root privileges on the underlying operating system and is rated with the maximum CVSS score of 10.

Ivanti Sentry functions as an in-line gateway between mobile devices and backend enterprise servers such as Microsoft Exchange and is typically deployed at the network perimeter, making the appliance accessible from the Internet. A compromise would have immediate impacts on the confidentiality, integrity, and availability of all mobile access and data transit between clients and enterprise infrastructure.

Both vulnerabilities were reported confidentially through Ivanti’s disclosure program. To date, no attacks exploiting them have been publicly documented. However, security researchers from the firm watchTowr have already published a detailed analysis of CVE-2026-10520 and provided a Python script that organizations can use to test whether their deployments are vulnerable. This makes the vulnerability straightforward to exploit, increasing the risk.

CISOs should update to versions 10.5.2, 10.6.2, or 10.7.1 as quickly as possible. Given Ivanti’s product history and the appliances' exposure at the Internet edge, where state-sponsored cyber espionage groups have already been active, patching should become a priority.


Source: www.csoonline.com · Published June 10, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.
