Executive Summary
In June 2026, Ivanti disclosed two critical vulnerabilities in its Sentry secure mobile gateway: CVE-2026-10520, an OS command injection flaw allowing unauthenticated remote code execution with root privileges, and CVE-2026-10523, an authentication bypass enabling attackers to create administrative accounts. Both vulnerabilities were patched in Sentry versions R10.5.2, R10.6.2, and R10.7.1.
These vulnerabilities underscore the persistent targeting of Ivanti products by threat actors, highlighting the necessity for organizations to promptly apply security patches to mitigate potential exploitation risks.
Why This Matters Now
Both flaws are reachable without credentials on an appliance that sits at the network edge and brokers mobile-device traffic into the corporate network, so the fix is a patch, not a configuration change. No public exploit was known at the time of the advisory, but Ivanti edge products have repeatedly been targeted once patches ship, which is why upgrading should not wait for proof of exploitation.
Attack Path Analysis
An unauthenticated attacker either exploits the OS command injection flaw (CVE-2026-10520) to run code as root on the Sentry appliance, or uses the authentication bypass (CVE-2026-10523) to create a rogue administrative account; either path yields full control of the gateway, and a rogue admin account also gives the attacker persistence that survives a reboot. Because Sentry proxies traffic between mobile devices and internal services, the attacker uses the compromised device to reach internal corporate systems, establishes a command and control channel to maintain access, exfiltrates sensitive data through the appliance, and can disrupt operations by modifying or deleting critical data.
Kill Chain Progression
Initial Compromise
Description
An unauthenticated attacker exploits an OS command injection vulnerability in Ivanti Sentry to execute code with root privileges.
Related CVEs
CVE-2026-10520
CVSS: 10.0
An OS Command Injection vulnerability in Ivanti Sentry before versions R10.5.2, R10.6.2, and R10.7.1 allows a remote unauthenticated user to achieve root-level remote code execution.
Affected Products:
Ivanti Sentry – < R10.5.2, < R10.6.2, < R10.7.1
Exploit Status:
no public exploit
CVE-2026-10523
CVSS: 9.9
An Authentication Bypass vulnerability in Ivanti Sentry before versions R10.5.2, R10.6.2, and R10.7.1 allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.
Affected Products:
Ivanti Sentry – < R10.5.2, < R10.6.2, < R10.7.1
Exploit Status:
no public exploit
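The fixed versions above are branch-specific: a R10.6.x appliance is fixed at R10.6.2, not at R10.7.1, so a naive "is the version below R10.7.1" check would misclassify R10.6.2 as vulnerable and R10.6.1 on the 10.7 threshold the other way round. The following triage script is an added example (not Ivanti's code and not part of the advisory); it assumes version strings look like `R10.6.1`, treats any branch older than R10.5 as vulnerable because the advisory covers "before R10.5.2", and deliberately refuses to guess about branches the advisory does not name. Hostnames and versions in the inventory are constructed sample data.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Fixed releases named in the Ivanti advisory, keyed by release branch (major, minor).
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (10, 5): (10, 5, 2),
    (10, 6): (10, 6, 2),
    (10, 7): (10, 7, 1),
}
OLDEST_FIXED = min(FIXED_BY_BRANCH.values())  # (10, 5, 2)

# Assumption: Sentry reports versions as "R<major>.<minor>.<patch>", optionally with a
# build suffix; the leading "R" is tolerated but not required.
VERSION_RE = re.compile(r"^\s*R?(\d+)\.(\d+)\.(\d+)(?:[.\-].*)?\s*$", re.IGNORECASE)

# Sort order for triage output: what needs action first.
STATUS_ORDER = {"VULNERABLE": 0, "UNKNOWN": 1, "INVALID": 2, "PATCHED": 3}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'R10.6.1' (or '10.6.1') into a comparable (major, minor, patch) tuple."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Sentry version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fmt(v: Tuple[int, int, int]) -> str:
    return "R" + ".".join(str(x) for x in v)


def assess(version_text: str) -> Tuple[str, str]:
    """Classify one version as VULNERABLE, PATCHED or UNKNOWN with a one-line reason."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
        if v < fixed:
            return "VULNERABLE", f"{fmt(v)} is below the {fmt(fixed)} fix on its branch"
        return "PATCHED", f"{fmt(v)} is at or above the {fmt(fixed)} fix on its branch"
    if v < OLDEST_FIXED:
        # Advisory says "before R10.5.2": older branches have no fixed release at all.
        return "VULNERABLE", f"{fmt(v)} predates every fixed branch; upgrade to a fixed branch"
    # Newer branch the advisory does not mention: do not assume it is safe.
    return "UNKNOWN", f"{fmt(v)} is on a branch the advisory does not list; confirm with the vendor"


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Classify an (hostname, version) inventory and return it with action items first."""
    rows = []
    for host, version in inventory:
        try:
            status, reason = assess(version)
        except ValueError as exc:
            status, reason = "INVALID", str(exc)
        rows.append({"host": host, "version": version, "status": status, "reason": reason})
    rows.sort(key=lambda r: (STATUS_ORDER[r["status"]], r["host"]))
    return rows


if __name__ == "__main__":
    # Constructed sample inventory for illustration only.
    sample = [
        ("sentry-eu-1", "R10.6.1"),
        ("sentry-eu-2", "R10.6.2"),
        ("sentry-us-1", "R10.7.0"),
        ("sentry-lab", "R10.4.3"),
        ("sentry-canary", "R10.8.0"),
        ("sentry-old", "version unknown"),
    ]
    for row in triage(sample):
        print(f"{row['status']:<10} {row['host']:<14} {row['version']:<16} {row['reason']}")
```

Run it against an export from your CMDB or a scan of the appliances' version pages; anything reported as VULNERABLE or INVALID needs a human look before the patch window closes.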
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Create Account
Local Account
Valid Accounts
Local Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Device Security
Control ID: Pillar 3
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Critical exposure through Ivanti Sentry mobile gateways enabling root-level remote code execution, compromising secure government communications and classified data access controls.
Financial Services
Maximum severity authentication bypass and command injection vulnerabilities threaten mobile banking security, regulatory compliance, and customer financial data protection systems.
Health Care / Life Sciences
Ivanti Sentry flaws enable unauthorized administrative access to mobile health systems, undermining HIPAA Security Rule access-control and integrity safeguards and compromising patient data security.
Defense/Space
Root-level code execution capabilities through mobile gateway vulnerabilities pose national security risks to defense communications and classified military information systems.
Sources
- Ivanti: Max severity Sentry flaw allows code execution as root – https://www.bleepingcomputer.com/news/security/new-max-severity-ivanti-sentry-flaw-allows-code-execution-as-root/
- NVD - CVE-2026-10520 – https://nvd.nist.gov/vuln/detail/CVE-2026-10520
- NVD - CVE-2026-10523 – https://nvd.nist.gov/vuln/detail/CVE-2026-10523
- Security Advisory: Ivanti Sentry CVE-2026-10520, CVE-2026-10523 – https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix Zero Trust CNSF may not prevent the initial exploitation, it would likely limit the attacker's ability to leverage the compromised device to access other systems.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation would likely limit the attacker's ability to use the rogue account to access sensitive systems.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security would likely limit the attacker's ability to move laterally within the network.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control would likely limit the attacker's ability to establish and maintain command and control channels.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement would likely limit the attacker's ability to exfiltrate data.
While Aviatrix Zero Trust CNSF may not prevent data modification or deletion, it would likely limit the attacker's ability to propagate such actions across multiple systems.
Impact at a Glance
Affected Business Functions
- Secure Mobile Gateway Operations
- Remote Access Management
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of sensitive corporate data due to unauthorized administrative access.
Recommended Actions
Key Takeaways & Next Steps
- Upgrade Ivanti Sentry to R10.5.2, R10.6.2, or R10.7.1 (whichever matches the deployed branch) as the primary mitigation; no configuration change removes either flaw.
- Implement Zero Trust Segmentation to restrict access between the Sentry appliance and internal systems, so a compromised gateway cannot reach more than the services it must proxy.
- Deploy Inline IPS (Suricata) to detect and block exploitation of known vulnerabilities; note that signature coverage depends on published rules, and none can exist for exploit details that are not yet public.
- Utilize Cloud Firewall (ACF) to control and monitor outbound traffic from the appliance and internal systems, which is where command and control and exfiltration would surface.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activity, including unexpected administrative account creation on the appliance.