Full Report
Ivanti has patched two critical vulnerabilities in its Sentry secure mobile gateway solution, including a maximum-severity flaw that enables remote attackers to execute code with root privileges. [...]
Analysis Summary
# Vulnerability: Critical Ivanti Sentry OS Command Injection and Auth Bypass
## CVE Details
- **CVE ID:** CVE-2026-10520 (OS Command Injection), CVE-2026-10523 (Authentication Bypass)
- **CVSS Score:** 10.0 (Maximum Severity for CVE-2026-10520)
- **CWE:** CWE-78 (OS Command Injection), CWE-288 (Authentication Bypass)
## Affected Systems
- **Products:** Ivanti Sentry (formerly MobileIron Sentry) Secure Mobile Gateway.
- **Versions:** All versions prior to R10.5.2, R10.6.2, and R10.7.1.
- **Configurations:** Systems exposed to the network/internet; specifically those acting as gateways between mobile devices and back-end corporate systems.
## Vulnerability Description
- **CVE-2026-10520:** An OS command injection vulnerability that allows a remote attacker to execute arbitrary commands on the underlying operating system with **root privileges**. This flaw stems from improper validation of user-supplied input.
- **CVE-2026-10523:** A critical authentication bypass vulnerability. Unauthenticated remote attackers can exploit this flaw to create unauthorized administrative accounts, granting them full control over the Ivanti Sentry appliance.
## Exploitation
- **Status:** Not exploited in the wild (at time of report); no public PoC currently available.
- **Complexity:** Low (Remote exploitation).
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** High (Full access to traffic and corporate data).
- **Integrity:** High (Ability to modify gateway configurations and create admin accounts).
- **Availability:** High (Ability to execute root-level commands and shut down services).
## Remediation
### Patches
Ivanti has released the following security updates to address these flaws:
- **Sentry R10.5.2**
- **Sentry R10.6.2**
- **Sentry R10.7.1**
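
A triage of an appliance inventory against the fixed releases listed above, as an added example that is not code from Ivanti or from the original report. It assumes each fixed release applies to its own branch (10.5.x, 10.6.x, 10.7.x), that branches older than 10.5 have no fix on their own branch, and that version strings look like `R10.5.1`; the hostnames and inventory are constructed.

```python
import re

# Fixed build per release branch, taken from the patch list on this page.
FIXED = {(10, 5): 2, (10, 6): 2, (10, 7): 1}
OLDEST_FIXED_BRANCH = min(FIXED)

# Accepts "R10.5.1", "10.6.2", "R10.7.1-12"; the optional "R" prefix and
# trailing build suffix are assumptions about how inventories record versions.
VERSION_RE = re.compile(r"^\s*R?(\d+)\.(\d+)\.(\d+)\b", re.IGNORECASE)

def triage(version: str) -> str:
    """Classify one Sentry version string as patched/vulnerable/verify/unknown."""
    m = VERSION_RE.match(version)
    if not m:
        return "unknown"              # incomplete or unparseable: check by hand
    major, minor, patch = map(int, m.groups())
    branch = (major, minor)
    if branch in FIXED:
        # Numeric comparison, so 10.5.10 is correctly newer than 10.5.2.
        return "patched" if patch >= FIXED[branch] else "vulnerable"
    if branch < OLDEST_FIXED_BRANCH:
        return "vulnerable"           # prior to every fixed release on the page
    return "verify"                   # branch not listed on the page: confirm with vendor

def triage_fleet(inventory):
    """Group hostnames by triage status; inventory is (hostname, version) pairs."""
    result = {"patched": [], "vulnerable": [], "verify": [], "unknown": []}
    for host, version in inventory:
        result[triage(version)].append(host)
    return {status: sorted(hosts) for status, hosts in result.items()}

# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("sentry-01", "R10.5.1"),
    ("sentry-02", "R10.5.10"),
    ("sentry-03", "10.6.2"),
    ("sentry-04", "R10.7.0"),
    ("sentry-05", "R10.4.3"),
    ("sentry-06", "R10.8.0"),
    ("sentry-07", "10.5"),
]

if __name__ == "__main__":
    for status, hosts in triage_fleet(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts in the `verify` and `unknown` groups need a manual check against the vendor advisory rather than being treated as safe.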
### Workarounds
No specific workarounds have been provided by the vendor. Immediate patching is the recommended course of action due to the root-level access granted by these vulnerabilities.
## Detection
- **Indicators of Compromise:** Currently, there are no known public IoCs.
- **Detection Methods:**
  - Admins should audit administrative account lists for unauthorized or "rogue" accounts (associated with CVE-2026-10523).
  - Monitor system logs for unusual OS-level command execution or unauthorized access to the management interface.
## References
- Ivanti Security Advisory: hXXps[://]www[.]ivanti[.]com/blog/topics/security-advisory
- BleepingComputer Article: hXXps[://]www[.]bleepingcomputer[.]com/news/security/ivanti-max-severity-sentry-flaw-allows-code-execution-as-root/
- NVD CVE-2026-10520: hXXps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-10520
- NVD CVE-2026-10523: hXXps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-10523