• Category: Security
  • Status: confirmed
  • Sources: Ivanti advisory, Help Net Security, watchTowr PoC
  • Summary: Ivanti published a security advisory on 2026-06-09 for two critical vulnerabilities in Ivanti Sentry. CVE-2026-10520 (CVSS 10.0) is an OS command injection flaw in the admin API allowing a remote unauthenticated attacker to achieve root-level remote code execution; it affects Sentry 10.7.0 and earlier. CVE-2026-10523 (CVSS 9.9) is an authentication bypass allowing an unauthenticated attacker to create arbitrary administrative accounts on a vulnerable device. Both are fixed in Sentry 10.5.2, 10.6.2, and 10.7.1. Ivanti reported no known customer exploitation at time of disclosure; watchTowr published a working PoC exploit for CVE-2026-10520 on 2026-06-10.
  • Why it matters: A public PoC for unauthenticated root RCE makes exploitation imminent for unpatched Sentry deployments; update to fixed versions immediately or restrict external network access to the Sentry admin interface.
  • Follow-up: Watch for CISA KEV addition and active exploitation reports.

Send feedback on this story