A maximum-severity flaw in Ivanti Sentry, the inline gateway that brokers traffic between mobile devices and back-end enterprise systems, is now being exploited in the wild after a working exploit went public. On June 11, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation, just two days after Ivanti disclosed it.
The headline issue, tracked as CVE-2026-10520, is an OS command injection vulnerability that carries the highest possible severity score of 10.0. It lets a remote, unauthenticated attacker run arbitrary commands as root, meaning full control of the appliance with no login required. A second flaw, CVE-2026-10523 (severity 9.9), is an authentication bypass that lets an attacker create their own administrator accounts and seize the management interface.
What is affected
Ivanti Sentry, formerly known as MobileIron Sentry, sits at the edge of corporate networks and handles encrypted mobile traffic, which makes a compromised appliance a valuable foothold for an intruder. Affected versions include Sentry 10.7.0 and below, 10.6.1 and below, and 10.5.1 and below. Ivanti has shipped fixed builds in 10.7.1, 10.6.2, and 10.5.2.
How the attack works
According to a technical analysis published by researchers at watchTowr, the flaw lives in an unauthenticated endpoint at /mics/api/v2/sentry/mics-config/handleMessage. The endpoint accepts an attacker-supplied message that it parses as an internal configuration command, and that parsing ends in arbitrary OS command execution as root. watchTowr's write-up shipped with a proof-of-concept exploit, and researchers at Rapid7 warned that the trivial nature of exploitation combined with a public PoC made in-the-wild attacks likely. CISA's listing confirms that prediction has now come true. You can read the original Rapid7 report for full technical detail.
What you should do
Patch on an emergency basis, outside normal cycles. Ivanti's fixed releases remediate both bugs, and Rapid7 recommends updating affected appliances immediately. Because the product has appeared on CISA's catalog twice before (for CVE-2023-38035 and CVE-2020-15505), defenders should also hunt for signs of prior compromise rather than assume patching alone is enough. Inventory any internet-facing Sentry appliance and confirm it is running a fixed build. Sentry is not the only edge appliance added to CISA's catalog this week; a Check Point VPN zero-day, CVE-2026-50751, is also under active exploitation.
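As an added example (not code from Ivanti, watchTowr, Rapid7 or CISA), the Python sketch below does the two checks described above: it classifies inventoried Sentry versions against the fixed builds listed here and scans access-log lines for requests to the handleMessage endpoint. The common access-log layout, the host names and the sample lines are assumptions constructed for illustration, and treating branches older than 10.5 as vulnerable is a reading of "10.5.1 and below".

```python
import posixpath
import re
from urllib.parse import unquote

# Fixed build per release branch, as listed in this briefing.
FIXED = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}
# Unauthenticated endpoint named in the analysis cited above (compared lowercased).
ENDPOINT = "/mics/api/v2/sentry/mics-config/handlemessage"
# Assumed log layout: common/combined access-log format, e.g. from a proxy in front.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def triage(version):
    """Classify a Sentry version string as 'fixed', 'vulnerable' or 'unlisted'."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    if not nums:
        return "unlisted"  # nothing parseable: needs a manual check
    v = tuple(nums + [0] * (3 - len(nums)))
    if v[:2] in FIXED:
        return "fixed" if v >= FIXED[v[:2]] else "vulnerable"
    # Assumption: "10.5.1 and below" also covers branches older than 10.5.
    return "vulnerable" if v < (10, 5, 0) else "unlisted"

def hunt(lines):
    """Return (timestamp, client, method, status) for requests to ENDPOINT."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Drop the query string, then undo percent-encoding, doubled slashes
        # and dot segments so differently written paths still match.
        path = unquote(m["target"].split("?", 1)[0])
        path = posixpath.normpath(re.sub(r"/+", "/", path)).lower()
        if path == ENDPOINT:
            hits.append((m["ts"], m["ip"], m["method"], int(m["status"])))
    return hits

# Constructed sample data: documentation-range addresses, invented timestamps.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2026:03:14:07 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 512',
    '198.51.100.23 - - [12/Jun/2026:03:15:10 +0000] "GET /favicon.ico HTTP/1.1" 200 4096',
    '203.0.113.9 - - [12/Jun/2026:03:16:44 +0000] "POST /mics//api/v2/sentry/mics-config/%68andleMessage?x=1 HTTP/1.1" 500 0',
]
INVENTORY = {"sentry-a": "10.7.0", "sentry-b": "10.6.2", "sentry-c": "10.4.3"}

if __name__ == "__main__":
    for host, ver in INVENTORY.items():
        print(host, ver, triage(ver))
    for hit in hunt(SAMPLE_LOG):
        print("request to handleMessage endpoint:", hit)
```

A hit shows only that the endpoint was requested; on an appliance that was unpatched at the time, treat it as a lead for the compromise hunt rather than as proof either way.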
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.