Max-Severity Ivanti Sentry Flaw Exploited Within 24 Hours

Initial methods suggest attackers had likely mapped out Ivanti's asset landscape upfront and acted quickly once the exploit became public.

June 11, 2026

Threat actors pounced on a critical Ivanti Sentry vulnerability within 24 hours of its disclosure, using a public proof-of-concept (PoC) exploit in attacks.

Ivanti disclosed Tuesday CVE-2026-10520, an OS command injection vulnerability that affects the company's Sentry mobile gateway product prior to versions R10.5.2, R10.6.2 and R10.7.1. The vulnerability, which received a maximum severity CVSS score of 10, enables an unauthenticated attacker to remotely execute code with root privileges.

Ivanti disclosed the flaw along with another Sentry vulnerability, CVE-2026-10523, an authentication bypass flaw with a 9.9 CVSS score. In its security advisory, Ivanti initially said it was unaware of either flaw being exploited in the wild. But the situation apparently changed very quickly for CVE-2026-10520.