Ivanti is telling Sentry customers to patch immediately after disclosing two critical vulnerabilities, one rated a maximum 10.0 that hands remote attackers root-level code execution without any login. For the organizations that run Sentry as a mobile gateway, often holding sensitive employee and customer data, this is the kind of bug that turns a delayed patch cycle into a breach notification.
Ivanti has asked customers running its Sentry product to patch without delay after disclosing two critical vulnerabilities, one of which earned the rare and unwelcome distinction of a perfect 10.0 CVSS score.

Both flaws affect Ivanti Sentry, a mobile gateway that sits inside the company's wider unified endpoint management platform. In practice, Sentry acts as a checkpoint between mobile devices and corporate resources such as email, calendars, and internal applications. That position makes it an attractive target. A gateway that brokers access to sensitive data is exactly where an attacker wants a foothold.
What happened
The more severe of the two issues is tracked as CVE-2026-10520 and carries a maximum severity rating of 10.0. It allows a remote, unauthenticated attacker to execute code with root privileges. There is no higher-risk combination in vulnerability scoring. Remote means the attacker does not need to be inside your network. Unauthenticated means they do not need a username or password. Root privileges mean that once they are in, they own the machine.
According to security firm watchTowr, the vulnerability stemmed from an exposed API running under Apache Tomcat. An attacker could send the API a specially crafted message, which the system parsed as a MICS configuration command and then executed through the backend handler with root privileges. Ivanti's fix reportedly stopped the system from accepting the attacker-supplied string, replacing it with a single hard-coded command, and tightened the Apache configuration rules to block unauthenticated access to the affected endpoint.
Ivanti says no one has successfully exploited the flaw in the wild so far. That caveat tends to have a short shelf life. Public disclosure of a critical bug starts a countdown. Even though Ivanti gave little away in its advisory, outside researchers have already published technical breakdowns of the patch, and those breakdowns give attackers a map of how unpatched systems can still be reached.
The second flaw, CVE-2026-10523, is barely less alarming at 9.9. It is an authentication bypass that lets remote, unauthenticated attackers create administrator accounts and grant themselves the highest level of access on an affected system. An attacker exploiting this would not need to crack a password or steal credentials. They would simply mint their own admin login.
The fix
Ivanti is urging customers to address both flaws immediately. Patched releases are available in versions 10.5.2, 10.6.2, and 10.7.1. Organizations running Sentry should treat this as an emergency change rather than a routine maintenance item, given the severity scores and the public availability of patch analysis.
Why this matters beyond IT
For the people whose data passes through these gateways, the stakes are not abstract. Mobile management platforms handle the credentials, messages, and access tokens of an organization's workforce. A root-level compromise of a Sentry instance could expose employee data, provide a launch point into the rest of the corporate network, and put any customer information reachable from that network at risk.
Under regimes such as the EU's General Data Protection Regulation and the California Consumer Privacy Act, organizations carry a legal duty to implement appropriate technical measures to protect personal data. Applying vendor security patches in a timely manner falls squarely within that expectation. A company breached through a vulnerability that had a fix available for weeks may find regulators unsympathetic. GDPR's Article 32 obligations on security of processing, and the breach notification clock under Article 33, both come into sharper focus once a critical patch is public and unapplied.
A familiar pattern
This is not the first time Ivanti customers have had to scramble this year. In January, the company patched two separate critical vulnerabilities in its Endpoint Manager Mobile product, both rated 9.8 and both exploited as zero-days before fixes arrived. The fallout reached the public sector. The Dutch data protection authority, the body responsible for enforcing privacy law in the Netherlands, reported itself to parliament after attackers breached it during those pre-patch exploits. When the regulator tasked with holding others accountable for data security ends up disclosing its own breach, it underscores how widely these gateway products are deployed and how exposed they can leave an organization.
The recurring theme across these incidents is timing. Attackers move quickly once a vulnerability is known, and defenders are often racing against published exploit research rather than the original advisory. For Sentry administrators, the practical takeaway is straightforward. Identify every Sentry instance in the environment, confirm its version, and move to a patched release now. Anything reachable from the internet should be the first priority, because an unauthenticated, remote, root-level flaw is precisely the kind of door that scanning tools find within hours of disclosure.
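The inventory check described above, as an added example that is not part of the original article or Ivanti's tooling. The hostnames and inventory rows are constructed, and the script assumes each patched release named in the article (10.5.2, 10.6.2, 10.7.1) is the fix for its own major.minor release line; release lines the article does not name are flagged for a manual check against the vendor advisory.

```python
# Added example: triage a constructed Sentry inventory against the patched
# releases named in the article (10.5.2, 10.6.2, 10.7.1).
# Assumption: each patched release is the fix for its own major.minor line.
PATCHED = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}

# Constructed sample inventory: (hostname, reported version, internet-facing)
INVENTORY = [
    ("sentry-dmz-01.example.net", "10.6.1", True),
    ("sentry-lab-01.example.net", "10.5.2", False),
    ("sentry-hq-01.example.net", "10.7.0", False),
    ("sentry-old-01.example.net", "10.4.3", True),
    ("sentry-new-01.example.net", "10.8.0", False),
    ("sentry-unk-01.example.net", "unknown", True),
]

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if not in N.N.N form."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text):
    """Classify one reported version against the patched releases."""
    version = parse_version(version_text)
    if version is None:
        return "UNKNOWN"          # version not confirmed: handle as unpatched
    fixed = PATCHED.get(version[:2])
    if fixed is None:
        return "UNLISTED_LINE"    # line not named in the article: check advisory
    return "PATCHED" if version >= fixed else "NEEDS_PATCH"

def triage(inventory):
    """Return hosts not confirmed patched, internet-facing ones first."""
    order = {"NEEDS_PATCH": 0, "UNKNOWN": 1, "UNLISTED_LINE": 2}
    rows = [(h, v, exposed, classify(v)) for h, v, exposed in inventory]
    todo = [r for r in rows if r[3] != "PATCHED"]
    return sorted(todo, key=lambda r: (not r[2], order[r[3]], r[0]))

if __name__ == "__main__":
    for host, ver, exposed, status in triage(INVENTORY):
        print(f"{status:14} {'internet' if exposed else 'internal':9} {ver:8} {host}")
```

Versions are compared as integer tuples, so a release such as 10.5.10 sorts above 10.5.2 rather than below it as a string comparison would.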
For everyone downstream of these systems, the employees and customers whose data sits behind the gateway, the best protection remains an organization that patches fast and treats a 10.0 as the genuine emergency it is.
