• Category: Security
  • Status: confirmed
  • Sources: Ivanti advisory, Help Net Security, Shadowserver telemetry
  • Summary: CVE-2026-10520 (CVSS 10.0) is an unauthenticated root RCE via POST to /mics/api/v2/sentry/mics-config/handleMessage in Ivanti Sentry. Active exploitation was confirmed by Shadowserver on 2026-06-11, less than 48 hours after the PoC was published. At least 19 vulnerable instances identified; 2 confirmed backdoored. Patched versions: 10.5.2, 10.6.2, 10.7.1. Ivanti states that unpatched systems should be treated as compromised. A second flaw, CVE-2026-10523 (CVSS 9.9, auth bypass), was also patched in the same release.
  • Why it matters: Ivanti gateways protecting enterprise mobile access are actively backdoored; any unpatched instance must be assumed compromised and treated as an incident, not just a patch task.

Send feedback on this story