Critical Ivanti Sentry flaw now exploited within a day of disclosure
The critical Ivanti Sentry flaw covered yesterday is now under active attack, with researchers reporting compromised gateways within about 24 hours of the patch and public patch analysis. CVE-2026-10520, rated a perfect 10, is an OS command injection in an internal configuration API that accepts commands from anyone who can reach it over the internet, granting remote code execution as root with no login. A second flaw, CVE-2026-10523, lets attackers create their own admin accounts. With exploitation confirmed and detection tooling public, the time to patch has effectively run out for internet-exposed appliances. Ivanti released fixes earlier this week.
- Check: Treat any unpatched, internet-facing Ivanti Sentry as potentially compromised: review appliances for rogue administrator accounts, unexpected root commands, and connections from unfamiliar IPs before and after patching.
- Affected: Internet-exposed Ivanti Sentry (formerly MobileIron Sentry) 10.5.1, 10.6.1, 10.7.0 and earlier, now actively exploited via CVE-2026-10520 (root RCE) and CVE-2026-10523 (admin auth bypass).
- Fix: Patch to R10.5.2, R10.6.2, or R10.7.1 immediately if not already done, then perform incident response: rebuild compromised appliances, remove rogue accounts, and rotate connected credentials and secrets.
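
One way to apply the Check, Affected and Fix guidance across a fleet is to triage an inventory by version and exposure. This is an added example, not code from Ivanti or the original article; the inventory, host names and status labels are constructed, and leaving the target empty for branches older than 10.5 is an assumption, since the article lists no fix in those branches.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}
NEWEST_AFFECTED = (10, 7, 0)  # article: "10.7.0 and earlier"


def parse_version(text):
    """Parse '10.6.1' or 'R10.6.1' into a tuple of three ints."""
    m = re.fullmatch(r"[Rr]?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())


def triage(version, internet_exposed):
    """Return (status, target_release) for one appliance."""
    v = parse_version(version)
    fix = FIXED.get(v[:2])
    if fix is not None and v >= fix:
        return ("patched", None)
    if fix is None and v > NEWEST_AFFECTED:
        # Newer than anything the article covers: make no claim either way.
        return ("not-listed", None)
    # Vulnerable. Branches older than 10.5 have no fix listed in their own
    # line, so the target stays None (assumption: pick a listed fixed release).
    target = "R" + ".".join(map(str, fix)) if fix else None
    # Unpatched and internet-facing means "potentially compromised".
    status = "assume-compromised" if internet_exposed else "vulnerable"
    return (status, target)


# Constructed inventory: (hypothetical host name, version, internet-exposed?)
INVENTORY = [
    ("sentry-dmz-01", "10.6.1", True),
    ("sentry-dmz-02", "R10.7.1", True),
    ("sentry-lab-01", "10.5.0", False),
    ("sentry-old-01", "10.4.3", True),
]


def report(inventory):
    """Triage every appliance and sort the most urgent first."""
    order = {"assume-compromised": 0, "vulnerable": 1, "not-listed": 2, "patched": 3}
    rows = [(host, *triage(ver, exposed)) for host, ver, exposed in inventory]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


if __name__ == "__main__":
    for host, status, target in report(INVENTORY):
        print(f"{host:15} {status:20} -> {target or 'see vendor advisory'}")
```

A "patched" result only reflects the current version; an appliance that was exposed before it was patched still needs the account and command review described under Check.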