Security
Ivanti Sentry CVE-2026-10520 backdoors confirmed; patch immediately
- Category: Security
- Status: confirmed
- Sources: Ivanti advisory, Help Net Security, Shadowserver telemetry
- Summary: CVE-2026-10520 (CVSS 10.0) is an unauthenticated root RCE via POST to
/mics/api/v2/sentry/mics-config/handleMessagein Ivanti Sentry. Active exploitation was confirmed by Shadowserver on 2026-06-11, less than 48 hours after the PoC was published. At least 19 vulnerable instances identified; 2 confirmed backdoored. Patched versions: 10.5.2, 10.6.2, 10.7.1. Ivanti states that unpatched systems should be treated as compromised. A second flaw, CVE-2026-10523 (CVSS 9.9, auth bypass), was also patched in the same release. - Why it matters: Ivanti gateways protecting enterprise mobile access are actively backdoored; any unpatched instance must be assumed compromised and treated as an incident, not just a patch task.