Ivanti shipped fixes for two critical bugs in its Sentry mobile gateway, including a CVSS 10.0 command injection flaw that hands unauthenticated attackers root-level code execution. No active exploitation yet, but Ivanti's track record means the patch window is short.
Ivanti has patched two critical vulnerabilities in its Sentry secure mobile gateway, and one of them carries the worst possible severity rating. Tracked as CVE-2026-10520, the flaw is an OS command injection weakness that lets a remote attacker run code with root privileges. There is no higher-impact outcome on a gateway appliance than that.

The second bug, CVE-2026-10523, is a critical authentication bypass. An unauthenticated attacker can use it remotely to create rogue administrative accounts and walk away with full admin control of the appliance. Chained with the command injection flaw, the two give an attacker a clean path from outside the network to root on a system that sits directly between corporate back-end systems and remote mobile devices.
Ivanti formerly sold this gateway as MobileIron Sentry; the current product details are on the Sentry product page. The appliance brokers and secures traffic for managed mobile fleets, which is exactly why a root-level compromise matters so much. A gateway that terminates and inspects mobile traffic is a high-value pivot point.
What's affected and how to fix it
The patched releases are Sentry R10.5.2, R10.6.2, and R10.7.1. Ivanti published the fixes on Tuesday and is steering administrators toward an immediate upgrade. The full advisory lives on the Ivanti security forums, which is where the company posts its CVE writeups and version guidance.
For now, the news is relatively calm. "We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure," Ivanti said. "Currently, there is no known public exploitation of this vulnerability that could be used to provide a list of indicators of compromise." That is the good case: a disclosure ahead of any observed attacks, with patches already available.
The practical reading, though, is that the absence of indicators of compromise cuts both ways. If you cannot rely on IOCs to tell you whether you have already been hit, then patching speed becomes your primary control. There is no detection signature to lean on yet, so the defensive posture has to be "close the hole before anyone writes the exploit."

Why this one deserves urgency
Ivanti products have a difficult recent history, and that context is the reason security teams should not treat this as a routine patch cycle. Edge and gateway appliances from the vendor have repeatedly become favored targets, because a single working exploit often yields direct access to enterprise networks and the sensitive data behind them.
The pattern shows up again and again. In May, the Cybersecurity and Infrastructure Security Agency ordered federal agencies to patch their Ivanti devices after the company warned of a high-severity remote code execution flaw in Endpoint Manager Mobile that attackers had already exploited as a zero-day. Earlier in the year, Ivanti addressed two other critical EPMM vulnerabilities that had been used as zero-days against a small set of customers. Multiple Ivanti zero-days over the past few years have been turned against government agencies and large organizations worldwide.
That history is the analyst's argument for moving fast here. A maximum-severity, unauthenticated, root-level command injection in an internet-facing Ivanti appliance fits the exact profile that has drawn attackers before. The window between public disclosure and a working exploit for this class of bug tends to be measured in days, not months. Researchers and attackers alike know where to look, and an authentication bypass paired with command injection is an unusually attractive combination to reverse-engineer from a patch.
Practical takeaways for defenders
If you run Sentry, the immediate steps are straightforward. Inventory every Sentry instance, including appliances that were stood up years ago under the MobileIron name and may have drifted out of your patch tracking. Upgrade to R10.5.2, R10.6.2, or R10.7.1 depending on your branch. Where an immediate upgrade is not possible, restrict management interface exposure and put the appliance behind tighter network controls until you can apply the fix.
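The inventory step is where stale MobileIron-era appliances get missed, so it helps to triage version strings mechanically rather than by eye. The following is an added example, not Ivanti tooling: it encodes the three patched releases the advisory names (R10.5.2, R10.6.2, R10.7.1) as per-branch minimums and classifies each appliance. The hostnames and versions in the inventory are constructed; a branch the advisory does not list (10.4, 10.8) is flagged for manual review rather than assumed safe or vulnerable.

```python
"""Triage a Sentry inventory against the patched releases named in the advisory.

Added example, not Ivanti's tooling. The fixed releases (R10.5.2, R10.6.2,
R10.7.1) come from the article; the inventory rows below are constructed.
"""
import re
from typing import Optional, Tuple

# Minimum patched release per release branch, as stated in the advisory coverage.
PATCHED_BY_BRANCH = {
    (10, 5): (10, 5, 2),
    (10, 6): (10, 6, 2),
    (10, 7): (10, 7, 1),
}

# Accepts "R10.6.1" or "10.6.1"; anything else is treated as unknown.
VERSION_RE = re.compile(r"^R?(\d+)\.(\d+)\.(\d+)$")


def parse_version(s: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'R10.6.1' / '10.6.1' into (10, 6, 1); None if unrecognised."""
    m = VERSION_RE.match(s.strip())
    return tuple(int(g) for g in m.groups()) if m else None  # type: ignore[return-value]


def triage(version: str) -> str:
    """Classify one appliance version against the patched release for its branch."""
    v = parse_version(version)
    if v is None:
        return "UNKNOWN: unparseable version string, verify on the appliance"
    fixed = PATCHED_BY_BRANCH.get(v[:2])
    if fixed is None:
        # Neither vulnerable nor safe can be inferred from the listed fixes.
        return "REVIEW: branch not among the listed fixed releases; consult the advisory"
    if v >= fixed:
        return "OK: at or above patched release"
    return "UPGRADE: below R%d.%d.%d on its branch" % fixed


# Constructed inventory: hostnames and version strings are made up.
INVENTORY = [
    ("sentry-dc1", "R10.7.1"),
    ("sentry-dc2", "R10.6.1"),
    ("mobileiron-legacy", "10.5.0"),
    ("sentry-lab", "R10.4.3"),
    ("sentry-unknown", "n/a"),
]


def triage_inventory(rows):
    """Map hostname -> verdict for every row of the inventory."""
    return {host: triage(ver) for host, ver in rows}


if __name__ == "__main__":
    for host, verdict in triage_inventory(INVENTORY).items():
        print(f"{host:20} {verdict}")
```

Feed it whatever your asset inventory exports; the point is that a branch-aware comparison catches a 10.6.1 box that a naive "is it 10.7.1?" check would either wrongly flag or, if the check is "is it at least 10.5.2?", wrongly pass.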

Beyond the patch itself, treat this as a prompt to validate your detection coverage for gateway appliances. The harder problem in incidents like these is not the initial fix but knowing whether you were already touched during the quiet period before disclosure. Reviewing administrative account creation logs on Sentry is a reasonable place to start, given that CVE-2026-10523 specifically enables rogue admin accounts. Any unexplained administrative account is worth investigating, even with no published IOCs to match against.
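Without published IOCs, the review of administrative account creation has to be driven by your own knowledge of what is legitimate. The script below is an added example, not Ivanti code: it runs over a constructed, hypothetical line-oriented audit log (the real Sentry log format is not described on this page, so parse_event() would need adapting) and flags any admin-account creation that lacks a change record, came from outside the management network, or was performed by an account that was itself created earlier in the same log, which is the chain an attacker abusing CVE-2026-10523 would leave behind. The approved-account set, management subnet, names and addresses are all assumptions for the example.

```python
"""Review admin-account creation events for ones nobody can account for.

Added example, not Ivanti's own tooling. The log format is a hypothetical
line-oriented audit log constructed for illustration; adapt parse_event()
to the real Sentry audit log.
"""
import ipaddress
import re

# Assumptions for this environment (constructed): accounts whose creation is
# covered by a change ticket, and the network the admin UI should be reached from.
APPROVED_ACCOUNTS = {"ops-oncall"}
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")

# Hypothetical record layout: "<ts> <EVENT> actor=<who> target=<account> src=<ip>"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>[A-Z_]+)\s+actor=(?P<actor>\S+)"
    r"\s+target=(?P<target>\S+)\s+src=(?P<src>\S+)$"
)


def parse_event(line):
    """Return the event fields as a dict, or None for lines in another shape."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def review_admin_creations(lines):
    """Return [(target_account, [reasons])] for creations worth investigating."""
    findings = []
    created_so_far = set()  # admin accounts created earlier in this log
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["event"] != "ADMIN_CREATE":
            continue
        reasons = []
        if ev["target"] not in APPROVED_ACCOUNTS:
            reasons.append("no matching change record")
        try:
            if ipaddress.ip_address(ev["src"]) not in MGMT_NET:
                reasons.append("created from outside management network (%s)" % ev["src"])
        except ValueError:
            reasons.append("unparseable source address (%s)" % ev["src"])
        if ev["actor"] in created_so_far:
            # A freshly created admin creating more admins is the chaining pattern.
            reasons.append("creating account %s was itself created in this window" % ev["actor"])
        created_so_far.add(ev["target"])
        if reasons:
            findings.append((ev["target"], reasons))
    return findings


# Constructed sample log: timestamps, names and addresses are made up
# (203.0.113.0/24 is documentation address space).
SAMPLE_LOG = [
    "2026-03-02T09:12:41Z ADMIN_LOGIN actor=jsmith-admin target=- src=10.20.0.15",
    "2026-03-02T09:13:02Z ADMIN_CREATE actor=jsmith-admin target=ops-oncall src=10.20.0.15",
    "2026-03-03T02:14:07Z ADMIN_CREATE actor=sysadmin target=support_tmp src=203.0.113.45",
    "2026-03-03T02:15:31Z ADMIN_CREATE actor=support_tmp target=backup_svc src=203.0.113.45",
    "2026-03-03T02:16:02Z CONFIG_CHANGE actor=backup_svc target=tunnel src=203.0.113.45",
]


if __name__ == "__main__":
    for account, reasons in review_admin_creations(SAMPLE_LOG):
        print(account)
        for r in reasons:
            print("  -", r)
```

The first creation is clean on every check and produces nothing; the two overnight creations from a non-management address are reported, and the second one additionally shows the created-by-a-created-account chain. That last signal is the one a quick eyeball of the user list misses, because by the time you look, both accounts simply exist.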
The broader lesson for organizations assessing whether their security stack would actually catch this kind of activity is about detection gaps on edge infrastructure. Gateways and mobile management appliances often sit in monitoring blind spots, logged but rarely alerted on, which is precisely how a post-exploitation foothold can persist unnoticed. Closing that gap means making sure your SIEM and EDR rules cover the appliances at your perimeter, not just the endpoints and servers inside it.
Ivanti says it has no evidence of exploitation today. The smart move is to make sure that statement stays true for your environment by patching before the situation changes.