Security software company Ivanti has released patches to address two critical vulnerabilities in its Sentry secure mobile gateway solution, including a maximum-severity flaw that enables remote attackers to execute code with root privileges.
Formerly known as MobileIron Sentry, Ivanti Sentry is a security gateway appliance that secures traffic between back-end corporate systems and remote mobile devices.
Tracked as CVE-2026-10520, the maximum-severity vulnerability stems from an OS command injection weakness. The second Sentry security flaw patched on Tuesday (tracked as CVE-2026-10523) is a critical authentication bypass that can be exploited remotely by unauthenticated attackers to create rogue administrative accounts and gain full administrative access.
Both issues are fixed in Sentry versions R10.5.2, R10.6.2, and R10.7.1, which Ivanti released on Tuesday.
Luckily, the company said it has no evidence that the two vulnerabilities are being exploited in the wild and advised admins to upgrade their systems to protect against potential attacks.