Ivanti Sentry Exploitation Attempts Hitting Honeypots

The US Cybersecurity and Infrastructure Security Agency (CISA) flagged a recently patched Ivanti Sentry vulnerability as exploited, but Ivanti says the activity was observed only on honeypots.

Tracked as CVE-2026-10520 (CVSS score of 10/10), the security defect is described as an OS command injection issue that could be exploited remotely, without authentication, to execute arbitrary code with root privileges.

Ivanti rolled out patches for the flaw on June 10, saying it has no evidence of in-the-wild exploitation. Ivanti Sentry versions 10.5.2, 10.6.2, and 10.7.1 contain the fixes.

On Thursday, CISA added the bug to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to address it within three days, in line with BOD 26-04 guidance to prioritize patching based on risk.

“This vulnerability can be successfully exploited in cases where the Sentry appliance is in an unmanaged state with its endpoints externally reachable. The use of mTLS with EPMM or restricted HTTPS access through Neurons for MDM makes interfaces inaccessible to external actors,” CISA notes.