Critical Ivanti Sentry flaw gives unauthenticated attackers root

Ivanti has patched two critical flaws in Sentry, its mobile gateway appliance (formerly MobileIron Sentry) that sits in line between mobile devices and back-end systems like Exchange. The worst, CVE-2026-10520, rated a perfect 10, is an OS command injection in an internal configuration API that mistakenly accepts commands from anyone who can reach it over the internet, with no login, granting remote code execution as root. The second, CVE-2026-10523 (9.9), is an authentication bypass that lets attackers create their own admin accounts. No exploitation has been seen yet, but watchTowr has already published a patch analysis and a detection script, so the window is closing fast.

Check
Identify Ivanti Sentry appliances and their version, restrict who can reach the management and configuration endpoints, and run watchTowr's detection script to confirm whether instances are vulnerable.
Affected
Ivanti Sentry (formerly MobileIron Sentry) versions 10.5.1, 10.6.1, 10.7.0 and earlier, exposed to untrusted networks (CVE-2026-10520 root RCE; CVE-2026-10523 admin-account auth bypass).
Fix
Upgrade Ivanti Sentry to R10.5.2, R10.6.2, or R10.7.1 immediately, then review appliances for rogue administrator accounts and any signs of command execution that took place before the patch was applied.
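
To turn the Affected and Fix version lists above into a patch queue, the following added example (not from Ivanti or watchTowr) classifies an appliance inventory by version and puts internet-exposed hosts first. The CSV layout, hostnames and function names are assumptions, and treating branches older than 10.5 as vulnerable is one reading of "and earlier".

```python
import csv
import io
import re

# First fixed release per branch, taken from the Fix line of the advisory.
FIXED = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}

# Constructed sample inventory: hostnames and rows are made up for illustration.
SAMPLE = """host,version,internet_exposed
sentry-dmz-01,10.6.1,yes
sentry-dmz-02,R10.7.1,yes
sentry-lab-01,10.4.0,no
sentry-int-01,10.5.1,no
sentry-new-01,10.8.0,yes
sentry-odd-01,unknown-build,yes
"""


def parse_version(text):
    """Return (major, minor, patch) from '10.6.1' or 'R10.6.1', else None."""
    m = re.fullmatch(r"\s*[Rr]?(\d+)\.(\d+)(?:\.(\d+))?\s*", text or "")
    return tuple(int(p or 0) for p in m.groups()) if m else None


def classify(version_text):
    """Map a reported Sentry version to 'vulnerable', 'patched' or 'unknown'."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # never assume an unparseable version is safe
    branch = v[:2]
    if branch in FIXED:
        return "patched" if v >= FIXED[branch] else "vulnerable"
    if branch < min(FIXED):
        return "vulnerable"  # assumption: "and earlier" covers older branches
    return "unknown"  # newer branch than the advisory lists; confirm with vendor


def patch_order(inventory_csv):
    """Hosts needing action: exposed before internal, vulnerable before unknown."""
    todo = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["version"])
        exposed = row["internet_exposed"].strip().lower() == "yes"
        if status != "patched":
            todo.append((not exposed, status != "vulnerable", row["host"].strip()))
    return [host for _, _, host in sorted(todo)]


if __name__ == "__main__":
    print("\n".join(patch_order(SAMPLE)))
```

Hosts reported as "unknown" stay in the queue so that a version string the script cannot read is checked by hand instead of being counted as patched.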