Last updated: July 5, 2026 at 9:01 AM UTC
Tag: ivanti (4 articles)

Critical Ivanti Sentry flaw now exploited within a day of disclosure

The critical Ivanti Sentry flaw covered yesterday is now under active attack, with researchers reporting compromised gateways within about 24 hours of the patch and public patch analysis. CVE-2026-10520, rated a perfect 10, is an OS command injection in an internal configuration API that accepts commands from anyone who can reach it over the internet, granting remote code execution as root with no login. A second flaw, CVE-2026-10523, lets attackers create their own admin accounts. With exploitation confirmed and detection tooling public, the time to patch has effectively run out for internet-exposed appliances. Ivanti released fixes earlier this week.

Check
Treat any unpatched, internet-facing Ivanti Sentry as potentially compromised: review appliances for rogue administrator accounts, unexpected root commands, and connections from unfamiliar IPs before and after patching.
Affected
Internet-exposed Ivanti Sentry (formerly MobileIron Sentry) 10.5.1, 10.6.1, 10.7.0 and earlier, now actively exploited via CVE-2026-10520 (root RCE) and CVE-2026-10523 (admin auth bypass).
Fix
Patch to R10.5.2, R10.6.2, or R10.7.1 immediately if not already done, then perform incident response: rebuild compromised appliances, remove rogue accounts, and rotate connected credentials and secrets.

Critical Ivanti Sentry flaw gives unauthenticated attackers root

Ivanti has patched two critical flaws in Sentry, its mobile gateway appliance (formerly MobileIron Sentry) that sits in line between mobile devices and back-end systems like Exchange. The worst, CVE-2026-10520, rated a perfect 10, is an OS command injection in an internal configuration API that mistakenly accepts commands from anyone who can reach it over the internet, with no login, granting remote code execution as root. The second, CVE-2026-10523 (9.9), is an authentication bypass that lets attackers create their own admin accounts. No exploitation has been seen yet, but watchTowr has already published a patch analysis and a detection script, so the window is closing fast.

Check
Identify Ivanti Sentry appliances and their version, restrict who can reach the management and configuration endpoints, and run watchTowr's detection script to confirm whether instances are vulnerable.
Affected
Ivanti Sentry (formerly MobileIron Sentry) versions 10.5.1, 10.6.1, 10.7.0 and earlier, exposed to untrusted networks (CVE-2026-10520 root RCE; CVE-2026-10523 admin-account auth bypass).
Fix
Upgrade Ivanti Sentry to R10.5.2, R10.6.2, or R10.7.1 immediately, then review appliances for rogue administrator accounts and any signs of command execution before patching.

Critical patches from Ivanti, Fortinet, SAP, VMware Fusion, and n8n - RCE, SQL injection, prototype pollution

A wave of critical patches landed across enterprise vendors. Fortinet shipped fixes for two unauthenticated code-execution flaws (CVE-2026-44277 in FortiAuthenticator, CVE-2026-26083 in FortiSandbox / FortiSandbox Cloud / FortiSandbox PaaS, both CVSS 9.1). SAP patched a 9.6-rated SQL injection in S/4HANA and a missing-auth check in SAP Commerce that allows unauthenticated code execution. Ivanti Xtraction got a fix for arbitrary file read and write. Broadcom patched a local privilege escalation in VMware Fusion on macOS (CVE-2026-41702). And the n8n automation platform shipped fixes for five CVSS 9.4 issues, including XML-driven prototype pollution that authenticated workflow editors could turn into RCE.

Check
Pull the installed-version list for FortiAuthenticator, FortiSandbox/Cloud/PaaS, SAP S/4HANA, SAP Commerce, Ivanti Xtraction, VMware Fusion, and self-hosted n8n. Compare against the fixed versions listed under Fix.
Affected
FortiAuthenticator before 6.5.7/6.6.9/8.0.3; FortiSandbox before 4.4.9/5.0.2; SAP S/4HANA; SAP Commerce; Ivanti Xtraction before 2026.2; VMware Fusion before 26H1; n8n before 1.123.32/2.17.4/2.18.1.
Fix
Upgrade FortiAuthenticator to 6.5.7/6.6.9/8.0.3, FortiSandbox to 4.4.9/5.0.2, Ivanti Xtraction to 2026.2, VMware Fusion to 26H1, and n8n to 1.123.32/2.17.4/2.18.1. Apply SAP's May notes for CVE-2026-34260 and CVE-2026-34263.

Ivanti EPMM zero-day actively exploited - attackers are getting admin-level RCE on mobile device management servers (CVE-2026-6973)

Ivanti disclosed Wednesday that attackers are exploiting a zero-day in Endpoint Manager Mobile (EPMM), CVE-2026-6973, to gain admin-level remote code execution on enterprise MDM servers. Successful exploitation gives the attacker control over the MDM platform that pushes apps and configurations to managed mobile fleets, a foothold that can pivot into managed devices and the corporate identity layer. CISA added the flaw to its Known Exploited Vulnerabilities catalog the same day with a federal patch deadline next week. Ivanti products have a long history of zero-day exploitation.

Check
Inventory Ivanti EPMM (formerly MobileIron Core) instances and check whether any are internet-reachable. Hunt EPMM admin logs for unusual admin actions, new admin accounts, or unfamiliar OAuth tokens issued since April.
Affected
Ivanti Endpoint Manager Mobile (EPMM) installations on versions before the May 6 patch. Acute risk for internet-reachable EPMM instances. The MDM context means a successful exploit can push tampered apps or profiles to every managed mobile device. Federal agencies under BOD 22-01 must patch by mid-May.
Fix
Upgrade Ivanti EPMM to the patched release per Ivanti's advisory. Restrict EPMM admin access to internal networks or VPN-only paths until patched. Rotate EPMM admin credentials and any API tokens issued for downstream integrations (SCEP, certificate authorities, identity providers). Audit managed mobile devices for unfamiliar configuration profiles or VPN configurations pushed since April.