The critical Ivanti Sentry flaw covered yesterday is now under active attack, with researchers reporting compromised gateways within about 24 hours of the patch and public patch analysis. CVE-2026-10520, rated a perfect 10, is an OS command injection in an internal configuration API that accepts commands from anyone who can reach it over the internet, granting remote code execution as root with no login. A second flaw, CVE-2026-10523, lets attackers create their own admin accounts. With exploitation confirmed and detection tooling public, the time to patch has effectively run out for internet-exposed appliances. Ivanti released fixes earlier this week.
Ivanti has patched two critical flaws in Sentry, its mobile gateway appliance (formerly MobileIron Sentry) that sits in line between mobile devices and back-end systems like Exchange. The worst, CVE-2026-10520, rated a perfect 10, is an OS command injection in an internal configuration API that mistakenly accepts commands from anyone who can reach it over the internet, with no login, granting remote code execution as root. The second, CVE-2026-10523 (9.9), is an authentication bypass that lets attackers create their own admin accounts. No exploitation has been seen yet, but watchTowr has already published a patch analysis and a detection script, so the window is closing fast.
A wave of critical patches landed across enterprise vendors. Fortinet shipped fixes for two unauthenticated code-execution flaws (CVE-2026-44277 in FortiAuthenticator, CVE-2026-26083 in FortiSandbox / FortiSandbox Cloud / FortiSandbox PaaS, both CVSS 9.1). SAP patched a 9.6-rated SQL injection in S/4HANA and a missing-auth check in SAP Commerce that allows unauthenticated code execution. Ivanti Xtraction got a fix for arbitrary file read and write. Broadcom patched a VMware Fusion macOS local-privilege-escalation (CVE-2026-41702). And the n8n automation platform shipped five CVSS 9.4 issues, including XML-driven prototype pollution that authenticated workflow editors could turn into RCE.
Ivanti disclosed Wednesday that attackers are exploiting a zero-day in Endpoint Manager Mobile (EPMM) to gain admin-level remote code execution on enterprise MDM servers. CVE-2026-6973. Successful exploitation gives the attacker control over the MDM platform that pushes apps and configurations to managed mobile fleets - a foothold that can pivot into managed devices and the corporate identity layer. CISA added the flaw to its Known Exploited Vulnerabilities catalog the same day with a federal patch deadline next week. Ivanti products have a long history of zero-day exploitation.