Ivanti Sentry CVE-2026-10520: A Perfect-Score Flaw Already Exploited
Ivanti Sentry, the enterprise mobile gateway deployed by thousands of organisations worldwide, carries two freshly disclosed critical vulnerabilities — CVE-2026-10520 (CVSS 10.0) and CVE-2026-10523 (CVSS 9.9) — that together give unauthenticated attackers root-level control. Proof-of-concept exploit code was published less than 24 hours after the patch, and Shadowserver has already confirmed backdoored instances. Australian organisations and their managed service providers running Ivanti Sentry need to act before the CISA-mandated 14 June 2026 deadline.
Two Critical Ivanti Sentry Flaws Disclosed — Exploitation Began Within 24 Hours
On 9 June 2026, Ivanti published a security advisory disclosing two critical vulnerabilities in Ivanti Sentry, its enterprise mobile gateway product. The first, CVE-2026-10520, carries a perfect CVSS score of 10.0 — the maximum possible rating — and allows a remote, unauthenticated attacker to execute arbitrary operating system commands with root-level privileges. The second, CVE-2026-10523 (CVSS 9.9), enables an unauthenticated attacker to create arbitrary administrative accounts on the affected device, providing full administrative control without any existing credentials.
Both vulnerabilities affect Ivanti Sentry versions 10.5.1, 10.6.1, and 10.7.0 and earlier. Ivanti has released fixed versions 10.5.2, 10.6.2, and 10.7.1. Organisations should identify which branch they are running and apply the corresponding patch immediately.
The situation deteriorated rapidly after the initial disclosure. On 10 June 2026 — less than 24 hours after Ivanti issued the patch — security research firm watchTowr published a detailed technical analysis of CVE-2026-10520 that included a working proof-of-concept exploit. BleepingComputer reported that attackers began weaponising the PoC almost immediately. The Shadowserver Foundation, which monitors internet-wide attack activity, reported observing exploitation attempts against internet-exposed Sentry gateways, with at least 19 vulnerable instances identified and two already confirmed as backdoored.
On 11 June 2026, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-10520 to its Known Exploited Vulnerabilities (KEV) catalogue under Binding Operational Directive 26-04, mandating that US federal agencies patch by 14 June 2026 — a three-day remediation window that reflects the severity of active exploitation. CERT-EU also published security advisory 2026-008 covering both flaws.
Ivanti's own advisory initially stated that there was no evidence of in-the-wild exploitation at time of disclosure. That position was overtaken by events within hours. Australian cybersecurity outlet Cyber Daily described the speed of exploitation as a matter of expert concern, noting the vulnerability's perfect severity score and the public availability of working exploit code.
Why Australian Organisations and Their MSPs Should Treat This as a Priority
Ivanti Sentry — sold under its previous brand name MobileIron Sentry before Ivanti's acquisition — is an enterprise mobile gateway that acts as a proxy and enforcement point for mobile device management (MDM) traffic. It sits between an organisation's email and collaboration servers and its fleet of mobile devices, inspecting and brokering connections for services such as Exchange ActiveSync and corporate Wi-Fi. Organisations of all sizes, including Australian government agencies and managed service providers (MSPs), deploy Sentry to enforce security policies on managed mobile devices.
Ivanti has a substantial Australian presence — the company markets its platform specifically to Australian organisations seeking compliance with the Australian Signals Directorate's (ASD) ACSC Essential Eight framework. The Essential Eight is the baseline cybersecurity standard for Commonwealth government agencies and an increasingly common benchmark for private sector organisations in regulated industries. Ivanti's patching tools are promoted as a mechanism for achieving and maintaining Essential Eight Maturity Levels, which makes an unpatched critical vulnerability in Ivanti infrastructure particularly uncomfortable for organisations that position themselves as compliant.
For Australian SMBs, the most relevant concern is the MSP relationship. Many small businesses do not run their own mobile device management infrastructure — they rely on an MSP to manage their devices, corporate email, and remote access. If that MSP operates Ivanti Sentry as part of its service stack and has not yet applied the June 2026 patches, all of the MSP's downstream customers may be exposed. A compromised Sentry gateway can give an attacker access to the MDM platform managing corporate email profiles, Wi-Fi configurations, and application deployments across every managed device.
The broader pattern matters too. Ivanti products have attracted significant researcher attention throughout 2025 and 2026. CVE-2026-10520 is not an isolated incident — it follows a series of critical flaws in other Ivanti products including Connect Secure, Policy Secure, and Neurons for MDM. Each new disclosure reinforces the case for Australian organisations to conduct a current-state Ivanti asset inventory rather than assuming their deployment is up to date.
How the Vulnerabilities Work: The Technical Detail
CVE-2026-10520: Pre-Authentication OS Command Injection
CVE-2026-10520 is classified as a CWE-78 (Improper Neutralisation of Special Elements Used in an OS Command) vulnerability residing in the ConfigServiceController class within mics.war — the web application that runs Sentry's internal configuration service. The vulnerable endpoint is reachable via an unauthenticated HTTP POST request to:
/mics/api/v2/sentry/mics-config/handleMessage
The endpoint was designed to accept internal configuration commands, but it fails to enforce any authentication before processing those commands. An attacker who can reach this endpoint over the network can inject operating system commands that execute with root privileges on the underlying appliance. Rapid7's analysis confirms that either vulnerability is independently sufficient for a full device takeover.
One important caveat from the Ivanti advisory: exploitation of CVE-2026-10520 requires network access to the management port, which runs on port 8443 by default. Sentry deployments that restrict access to port 8443 via firewall or network segmentation reduce — but do not eliminate — exploitability, because CVE-2026-10523 operates on the standard HTTPS port and requires no management port access at all.
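The endpoint path and the default management port named above are enough to build a first-pass log check. The following is an added detection example, not Ivanti's, watchTowr's or Shadowserver's code; it assumes a combined-log-like access-log format with a trailing `port=` field (constructed for the example, so the regex would need adjusting for a real appliance log) and a constructed `MGMT_NETS` allowlist of networks from which administrators are expected to reach port 8443.

```python
"""Flag requests to the Sentry mics-config endpoint in web-access logs.

Added detection example; it is not Ivanti's, watchTowr's or Shadowserver's
code. Assumptions, all constructed for the example:
  - log lines are in a combined-log-like format with a trailing
    "port=NNNN" field naming the listener that received the request;
    a real appliance log will differ and LOG_RE needs adjusting;
  - MGMT_NETS lists the networks from which administrators legitimately
    reach the management port 8443.
The endpoint path and the default management port come from the
advisory write-up above.
"""
import ipaddress
import re
from dataclasses import dataclass

VULN_PATH = "/mics/api/v2/sentry/mics-config/handleMessage"
MGMT_PORT = 8443
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # constructed allowlist

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ port=(?P<port>\d+)$'
)

# Constructed sample: two external sources hitting the endpoint on 8443,
# one administrator doing the same from the management network.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Jun/2026:02:14:07 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 512 port=8443
203.0.113.45 - - [10/Jun/2026:02:14:09 +0000] "GET /mics/ HTTP/1.1" 404 0 port=8443
10.20.0.15 - - [10/Jun/2026:08:30:11 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 512 port=8443
198.51.100.7 - - [11/Jun/2026:13:02:55 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 403 0 port=8443
198.51.100.7 - - [11/Jun/2026:13:03:01 +0000] "GET /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 405 0 port=8443
"""


@dataclass
class Finding:
    client_ip: str
    timestamp: str
    method: str
    status: int
    port: int
    severity: str
    reason: str


def is_management_source(ip: str) -> bool:
    """True when the client address falls inside an allowed management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)


def classify(rec: dict) -> tuple:
    """Rank one request to the endpoint. A POST answered with 2xx from a
    non-management source is the case to escalate first: the request reached
    the handler and was not rejected."""
    status = int(rec["status"])
    if rec["method"] != "POST":
        return "info", "non-POST probe of the endpoint (reconnaissance, not a command)"
    if is_management_source(rec["ip"]):
        return "low", "POST from a management network; confirm an administrator sent it"
    if 200 <= status < 300:
        return "high", "POST from outside management networks accepted by the appliance"
    return "medium", "POST from outside management networks rejected (status %d)" % status


def triage(lines) -> list:
    """Parse log lines and return a Finding for every hit on the endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"] != VULN_PATH:
            continue
        rec = m.groupdict()
        severity, reason = classify(rec)
        if int(rec["port"]) != MGMT_PORT:
            reason += " on non-default port %s" % rec["port"]
        findings.append(Finding(rec["ip"], rec["ts"], rec["method"], int(rec["status"]),
                                int(rec["port"]), severity, reason))
    return findings


def counts(findings) -> dict:
    """Number of findings per severity, for a quick summary line."""
    out = {}
    for f in findings:
        out[f.severity] = out.get(f.severity, 0) + 1
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f.severity.upper(), f.client_ip, f.timestamp, f.method, f.status, "-", f.reason)
```

Run it against the appliance's access log from 9 June onwards; the high-severity hits (an external POST that the appliance answered with 2xx) are the ones that warrant the full compromise review described later in this post, and a rejected external POST still tells you the endpoint is being probed from the internet and that port 8443 is reachable from where it should not be.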
CVE-2026-10523: Unauthenticated Administrative Account Creation
The companion vulnerability, CVE-2026-10523 (CVSS 9.9), was credited to researcher Bryan Lam. It is an authentication bypass that allows an attacker with no valid credentials to create an administrative account on the Sentry appliance, granting full administrative control over the device's configuration. Like CVE-2026-10520, it requires no prior authentication; unlike CVE-2026-10520, it needs no access to the management port, only reachability of the standard HTTPS interface.
The Combined Attack Chain
Used together, the two flaws form a complete, unauthenticated attack chain: an attacker first exploits CVE-2026-10523 to create a privileged administrative account, then uses that account — or alternatively CVE-2026-10520 directly — to execute operating system commands as root. The result is full control over the Sentry appliance, including the ability to install backdoors, capture MDM traffic, modify device management policies, or pivot to internal services that the Sentry gateway proxies.
Help Net Security reported that the watchTowr proof-of-concept confirmed the technical description in Ivanti's advisory, providing attackers with a ready-made starting point. Horizon3.ai also published independent attack research validating the pre-authentication exploit path.
What Australian Organisations Should Do Right Now
The remediation steps here are straightforward in principle, though the urgency is high. With active exploitation confirmed and the CISA-mandated deadline of 14 June 2026 already passed in some time zones, there is no safe window for delay.
1. Patch Immediately
Identify which version branch your Ivanti Sentry deployment runs and apply the corresponding patch:
- Sentry 10.5.x → update to 10.5.2
- Sentry 10.6.x → update to 10.6.2
- Sentry 10.7.x → update to 10.7.1
If your Sentry deployment is running a version older than the 10.5 branch, Ivanti has not published a patch for that branch. Contact Ivanti support and consider whether continued operation of an end-of-life version is acceptable given active exploitation.
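For organisations or MSPs with more than one Sentry appliance, the version mapping above and the management-port question are easiest to apply as a small inventory triage. The following is an added example, not Ivanti's tooling; the fixed versions and the "no patch below 10.5" note come from this post, while the inventory rows (hostname, version, whether port 8443 is internet-reachable), the `not-covered` status for versions the advisory does not name, and the priority scheme are constructed assumptions.

```python
"""Triage a Sentry inventory against the fixed versions in the advisory.

Added example; not Ivanti's tooling. Fixed versions (10.5.2, 10.6.2,
10.7.1) and the "no patch below 10.5" note come from the advisory
write-up above. The inventory rows, the "not-covered" status for versions
the advisory does not name, and the priority scheme are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# branch -> first fixed version, per the advisory
FIXED = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}


def parse_version(text: str) -> tuple:
    """Turn "10.6.1" into (10, 6, 1); reject anything that is not major.minor.patch."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError("expected major.minor.patch, got %r" % text)
    return parts


def assess(version_text: str) -> tuple:
    """Return (status, fixed_version_or_None) for one installed version."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED:
        fixed = FIXED[branch]
        if v >= fixed:
            return "patched", None
        return "vulnerable", "%d.%d.%d" % fixed
    if branch < min(FIXED):
        # Older than the 10.5 branch: no patch published, contact Ivanti
        return "unsupported", None
    # Newer than anything the advisory names (constructed status): confirm with vendor
    return "not-covered", None


@dataclass
class Row:
    host: str
    version: str
    mgmt_port_exposed: bool  # True if port 8443 is reachable from the internet


@dataclass
class Result:
    host: str
    status: str
    action: str
    priority: int  # 0 = act first


# Constructed inventory for the example
SAMPLE_INVENTORY = [
    Row("sentry-syd-01", "10.6.1", True),
    Row("sentry-syd-02", "10.7.1", False),
    Row("sentry-mel-01", "10.5.0", False),
    Row("sentry-legacy", "10.4.2", True),
]


def triage(rows) -> list:
    """Assess every appliance and order the results by how urgently they need action.
    An exposed management port on a vulnerable or unsupported appliance comes first;
    restricting 8443 helps against CVE-2026-10520 only, since CVE-2026-10523 is
    reachable on the standard HTTPS port."""
    results = []
    for r in rows:
        status, fixed = assess(r.version)
        if status == "patched":
            action, prio = "none; keep 8443 restricted to management networks", 3
        elif status == "vulnerable":
            action = "update to %s" % fixed
            if r.mgmt_port_exposed:
                action += "; restrict 8443 now (CVE-2026-10523 still reachable on standard HTTPS)"
                prio = 0
            else:
                prio = 1
        elif status == "unsupported":
            action = "no patch for this branch; contact Ivanti and decide whether to keep operating"
            prio = 0 if r.mgmt_port_exposed else 1
        else:
            action = "version not named in the advisory; confirm status with Ivanti"
            prio = 2
        results.append(Result(r.host, status, action, prio))
    return sorted(results, key=lambda x: x.priority)


if __name__ == "__main__":
    for res in triage(SAMPLE_INVENTORY):
        print("P%d %-14s %-12s %s" % (res.priority, res.host, res.status, res.action))
```

The point of the ordering is that an MSP with a dozen customer appliances patches the internet-exposed, vulnerable ones first, and treats the pre-10.5 appliances as an open decision rather than a "no patch available, nothing to do" entry.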
2. Restrict Management Port Access
While patching is underway, restrict access to port 8443 (the default management port) at the network level. This does not fully mitigate CVE-2026-10523 — which operates on the standard HTTPS port — but it raises the barrier for CVE-2026-10520 exploitation. If the management interface is not required to be internet-accessible, close it. It should only be reachable from trusted management networks or administrator workstations.
3. Check for Indicators of Compromise
Given the confirmation of backdoored instances, patching alone is insufficient for organisations that ran vulnerable versions in the window between 9 June and patch application. Review your Sentry appliance for:
- Unexpected administrator accounts created around or after 9 June 2026
- Unfamiliar scheduled tasks, cron jobs, or processes running as root
- New or modified configuration files in the Sentry application directories
- Outbound connections to unusual external IP addresses originating from the Sentry appliance
If you suspect compromise, treat the appliance as untrustworthy and consider a full rebuild from a known-good image rather than attempting to clean a potentially backdoored system.
4. Ask Your MSP
If you rely on a managed service provider for mobile device management or corporate email security, ask them directly: Do you run Ivanti Sentry? Have you applied the June 2026 patches for CVE-2026-10520 and CVE-2026-10523? A responsible MSP will be able to confirm patch status within hours. Under Australia's Cyber Security Act 2024 and the Notifiable Data Breaches scheme, a compromise of an MSP that results in a notifiable breach of your customer data could carry reporting obligations — even if the vulnerability was in the MSP's infrastructure, not yours.
Ivanti's Vulnerability Track Record and the Broader Problem with Network Appliances
CVE-2026-10520 is not an anomaly. Ivanti's product portfolio has generated a steady stream of critical vulnerability disclosures since at least 2024. Ivanti Connect Secure and Policy Secure, the company's VPN and network access control products, were subject to multiple zero-day advisories with active exploitation, including vulnerabilities that resulted in threat actors deploying web shells on compromised appliances before patches were even available. Each new critical Ivanti disclosure follows a similar pattern: vendor disclosure, rapid researcher analysis, public PoC, exploitation within days or hours, and a scramble to patch before the majority of exposed appliances are compromised.
This pattern is not unique to Ivanti. It is now standard for any vendor with a widely deployed network edge or gateway appliance. Palo Alto Networks (GlobalProtect), Fortinet (FortiGate), Cisco (IOS XE), and Citrix (Netscaler) have all experienced similar exploitation timelines in the past two years. The common thread is that these products sit at the network perimeter — they are internet-facing by design, which makes them attractive to attackers who want to establish a foothold without needing to phish an employee or compromise a workstation first.
For Australian organisations, the ACSC Essential Eight's "patch applications" control explicitly addresses this risk. Under Maturity Level 1, organisations are expected to patch internet-facing software within two weeks of a security patch being released when a vendor assessment is not available or rates the vulnerability as non-critical. Under Maturity Level 2, the expectation is 48 hours for critical vulnerabilities in internet-facing software. Given that CVE-2026-10520 received a CVSS score of 10.0 — the highest possible — any Australian organisation claiming Essential Eight Maturity Level 2 compliance should have this patched within 48 hours of Ivanti's 9 June advisory.
The harder structural question is how many Australian organisations have clear visibility over all the network appliances they operate or have delegated to MSPs. Shadow IT and MSP sprawl make it surprisingly common for an organisation to discover, only after a breach, that a gateway product was running in their environment without the security team's direct oversight. Conducting a periodic inventory of internet-exposed services — including those operated by third-party providers — is not glamorous work, but it is the kind of hygiene that separates organisations that learn about compromises from press releases from those that catch them in time.