Full Report
Ivanti security advisory (AV26-567)
Analysis Summary
# Vulnerability: Multiple Critical Vulnerabilities in Ivanti Sentry and Endpoint Manager Mobile (EPMM)
## CVE Details
- **CVE ID:** CVE-2026-6973, CVE-2026-10727, CVE-2026-10520, CVE-2026-10523
- **CVSS Score:** Up to 9.8 (Critical)
- **CWE:** Varies by CVE (typically including Improper Authentication or Injection flaws)
## Affected Systems
- **Products:**
  - Ivanti Sentry
  - Ivanti Endpoint Manager Mobile (EPMM)
- **Versions:**
  - **Ivanti Sentry:** 10.5.1, 10.6.1, 10.7.0 and all prior versions.
  - **Ivanti EPMM:** 12.9.0, 12.8.0.2, 12.7.0.1 and all prior versions.
- **Configurations:** Systems exposed to the internet or untrusted networks are at the highest risk.
## Vulnerability Description
This advisory addresses several critical flaws across two Ivanti product lines. Specific technical details are often withheld to prevent immediate mass exploitation; vulnerabilities of this class typically involve:
- **Authentication Bypass:** Allowing unauthorized actors to gain administrative access without credentials.
- **Remote Code Execution (RCE):** Enabling attackers to execute arbitrary commands at the system or application level.
- **Command Injection:** Resulting from improper sanitization of user-provided input.
## Exploitation
- **Status:** Publicly disclosed; check vendor portal for active "in the wild" exploitation status (Ivanti products are frequently targeted).
- **Complexity:** Low to Medium
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Potential access to sensitive mobile device management data)
- **Integrity:** High (Potential for unauthorized configuration changes)
- **Availability:** High (Potential for system takeover or service disruption)
## Remediation
### Patches
Ivanti has released updated versions to address these flaws. Administrators should upgrade to the following or later:
- **Ivanti Sentry:** Upgrade to version 10.8.0 or the latest supported hotfix version.
- **Ivanti EPMM:** Upgrade to version 12.10.0 or the latest supported hotfix version.
### Workarounds
- Limit access to the management interface to trusted internal IP addresses only.
- Implement robust multi-factor authentication (MFA) where applicable.
- Note: Workarounds should only be used as temporary measures until patches can be applied.
## Detection
- **Indicators of Compromise:** Monitor for unusual administrative logins, unexpected outbound traffic from Sentry/EPMM appliances, and unauthorized changes to MDM policies.
- **Detection methods and tools:** Review system logs for unauthorized access attempts and verify file integrity on the appliance via Ivanti’s built-in integrity checker (if available for the specific product).
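The following script is an added example, not part of the advisory or of any Ivanti tooling. It turns two pieces of the advisory into something a defender can run: the Remediation section's fixed releases (Sentry 10.8.0, EPMM 12.10.0, with "all prior versions" affected) become a version check for an appliance inventory, and the Workarounds/Detection guidance (management access only from trusted internal addresses; watch for unusual administrative logins) becomes a scan over admin-login audit records. The audit-log line format, the field names, the hostnames and the trusted management ranges are all constructed for this example and are not Ivanti's real log format or any real network.

```python
"""Triage helpers built from the Sentry/EPMM advisory text (example code).

1. version_is_affected(): flag appliance versions older than the fixed
   releases named in the Remediation section.
2. flag_admin_logins(): report admin logins whose source address lies
   outside the trusted management ranges the Workarounds section says
   should be the only ones permitted.

The log format, field names, hosts and IP ranges below are constructed
for illustration; they are not Ivanti's actual log schema.
"""
import ipaddress
import re
from typing import Iterable

# Fixed releases from the advisory; anything older is affected.
FIXED_VERSIONS = {"Sentry": "10.8.0", "EPMM": "12.10.0"}

# Constructed trusted management networks (hypothetical, RFC 1918 space).
TRUSTED_MGMT_NETS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Constructed sample audit records in a hypothetical key=value format.
SAMPLE_AUDIT_LOG = [
    "2026-03-02T03:14:07Z host=sentry01 event=admin_login user=admin src=10.20.0.15 result=success",
    "2026-03-02T03:15:22Z host=sentry01 event=admin_login user=admin src=203.0.113.45 result=success",
    "2026-03-02T03:16:01Z host=epmm01 event=device_checkin user=- src=198.51.100.7 result=success",
    "2026-03-02T03:17:40Z host=epmm01 event=admin_login user=svc_backup src=198.51.100.9 result=failure",
    "2026-03-02T03:18:05Z host=epmm01 event=admin_login user=admin src=192.168.50.3 result=success",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_version(v: str) -> tuple:
    """Turn '12.8.0.2' into (12, 8, 0, 2) so versions compare numerically."""
    return tuple(int(p) for p in v.strip().split("."))


def version_is_affected(product: str, version: str) -> bool:
    """True when the installed version predates the fixed release.

    Components are padded with zeros to equal length so that '10.8' and
    '10.8.0' compare equal, and tuples are compared numerically so that
    '10.10.0' is correctly newer than '10.8.0' (string comparison gets
    both of these wrong).
    """
    installed = parse_version(version)
    fixed = parse_version(FIXED_VERSIONS[product])
    width = max(len(installed), len(fixed))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(installed) < pad(fixed)


def parse_record(line: str) -> dict:
    """Split a constructed 'timestamp k=v k=v ...' line into a dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def flag_admin_logins(lines: Iterable[str], trusted_nets=TRUSTED_MGMT_NETS) -> list:
    """Return (ts, user, src, reason) tuples for admin logins needing review.

    Failed attempts from untrusted sources are reported too: the advisory
    asks for review of unauthorized access attempts, not only successes.
    """
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("event") != "admin_login":
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
        except (KeyError, ValueError):
            findings.append((rec["ts"], rec.get("user", "?"), rec.get("src", "?"),
                             "admin login with unparseable source address"))
            continue
        if not any(src in net for net in trusted_nets):
            reason = "admin login from outside trusted management ranges"
            if rec.get("result") == "success":
                reason += " (succeeded)"
            findings.append((rec["ts"], rec["user"], str(src), reason))
    return findings


if __name__ == "__main__":
    # Constructed inventory: product -> installed version.
    inventory = {"Sentry": "10.7.0", "EPMM": "12.10.0"}
    for product, ver in inventory.items():
        state = "AFFECTED" if version_is_affected(product, ver) else "fixed"
        print(f"{product} {ver}: {state} (fixed release {FIXED_VERSIONS[product]})")
    for ts, user, src, reason in flag_admin_logins(SAMPLE_AUDIT_LOG):
        print(f"{ts} user={user} src={src}: {reason}")
```

Run with an inventory export and the appliance's actual audit log once the record parser is adapted to its real format; the version comparison and the allowlist logic carry over unchanged. Both checks are only a starting point for the review the advisory asks for, not proof of absence of compromise.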
## References
- **Vendor Advisories:**
  - hxxps[://]hub[.]ivanti[.]com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523
  - hxxps[://]hub[.]ivanti[.]com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-6973-CVE-2026-10727
  - hxxps[://]forums[.]ivanti[.]com/s/searchallcontent?language=en_US#tab=All&sortCriteria=date%20descending&f-sfkbknowledgearticletypec=Security%20Advisory
- **Source:**
  - hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/ivanti-security-advisory-av26-567