
Ivanti Sentry Critical Vulnerabilities CVE-2026-10520 and CVE-2026-10523 Require Urgent Patching

Ivanti has disclosed and patched two maximum-severity vulnerabilities in the Sentry appliance: CVE-2026-10520 and CVE-2026-10523.

On June 9–10, 2026, Ivanti disclosed and patched two maximum-severity vulnerabilities in the Sentry appliance (formerly MobileIron Sentry): CVE-2026-10520 (OS command injection, CVSS 10.0) and CVE-2026-10523 (authentication bypass, CVSS 9.9). CVE-2026-10520 allows remote, unauthenticated attackers to execute arbitrary OS commands as root by exploiting the unprotected /mics/api/v2/sentry/mics-config/handleMessage API endpoint, while CVE-2026-10523 allows creation of rogue administrative accounts with full access.

The flaws affect all versions prior to R10.5.2, R10.6.2, and R10.7.1. Sentry is widely deployed in organizations requiring secure mobile access, placing corporate, healthcare, government, and finance sectors at particular risk. Upon disclosure, proof-of-concept (PoC) exploit code was quickly published and is now publicly available on GitHub, greatly elevating the threat of mass exploitation.

At the time of advisory release, there were no confirmed active attacks. However, by June 11, threat intelligence sources (e.g., Shadowserver) had observed the first active exploitation attempts, with evidence of internet-exposed Sentry gateways being backdoored. Both NVD and multiple CERTs across Europe and North America have provided urgent guidance to patch and monitor.

Given the trivial nature of exploitation, the presence of a public PoC, and rapid move to active exploitation, organizations must treat this as an emergency requiring immediate risk mitigation, patching, and threat hunting.

Recommendations

  • IMMEDIATE PATCHING: Upgrade Ivanti Sentry to R10.5.2, R10.6.2, or R10.7.1 (or later) without delay. Out-of-band patching is strongly recommended, even outside standard maintenance windows.
  • Restrict Access: Ensure Sentry’s management interfaces and the /mics/api/ endpoint are inaccessible from the internet and untrusted networks. Limit access strictly to administration subnets or jump hosts.
  • Detection and Monitoring:
    • Review HTTP logs for unauthenticated POST requests to /mics/api/v2/sentry/mics-config/handleMessage. A 200 response to such a request indicates the endpoint is reachable and the appliance is likely still vulnerable.
    • Watch for creation of new or unexpected administrative accounts in Sentry.
    • Monitor for suspicious system process creation, unauthorized scheduled tasks (cron jobs), and unusual outbound network activity from Sentry appliances.
  • Incident Response Preparation:
    • Prepare to isolate Sentry appliances if compromise is suspected.
    • Plan for credential rotation and restoration from known good backups.
  • Long-term Practices:
    • Regularly review vendor advisories and subscribe to security feeds (NVD, CISA, vendor RSS).
    • Proactively segment management and appliance networks.
    • Integrate behavioral monitoring and anomaly detection on critical network gateways.
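The HTTP-log review recommended above, worked through as an added example (this is not Ivanti's code): it parses access-log lines, picks out POST requests to the handleMessage endpoint named in the bulletin, and ranks each one by the status returned and by whether the source address lies inside a management subnet. It assumes the appliance, or a reverse proxy in front of it, writes Apache/Nginx "combined" format logs; the 10.10.0.0/24 management subnet and every log line below are constructed sample values.

```python
"""Triage access logs for the Ivanti Sentry indicator in the bulletin:
POST requests to /mics/api/v2/sentry/mics-config/handleMessage
(CVE-2026-10520) and the HTTP status each one received.

Added example, not Ivanti's code. Assumes Apache/Nginx "combined" format
access logs. The trusted subnet and all log lines are constructed values.
"""
import ipaddress
import re
from typing import Iterable, List, Optional

VULN_PATH = "/mics/api/v2/sentry/mics-config/handleMessage"

# Combined format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Assumed management subnet (constructed). Requests from here are still
# reported, but at lower severity, since admin tooling may use the API.
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip: str) -> bool:
    """True when the source address falls inside an assumed management subnet."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or malformed field
        return False
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious(lines: Iterable[str]) -> List[dict]:
    """Return one finding per POST to the vulnerable endpoint.

    severity "high":   HTTP 200 from an untrusted address, i.e. the endpoint
                       is reachable from outside the management network and
                       the appliance accepted the request (likely unpatched).
    severity "medium": every other POST to the path (denied by a proxy,
                       non-200, or from a trusted subnet); still worth review.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        # Compare the path only; ignore any query string and a trailing slash.
        path = rec["path"].split("?", 1)[0].rstrip("/")
        if path != VULN_PATH:
            continue
        trusted = is_trusted(rec["ip"])
        high = rec["status"] == 200 and not trusted
        findings.append({
            "time": rec["time"],
            "ip": rec["ip"],
            "status": rec["status"],
            "trusted_source": trusted,
            "severity": "high" if high else "medium",
        })
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Jun/2026:08:14:02 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '10.10.0.5 - - [11/Jun/2026:08:15:10 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [11/Jun/2026:08:16:44 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage/?x=1 HTTP/1.1" 403 0 "-" "curl/8.0"',
    '198.51.100.23 - - [11/Jun/2026:08:17:01 +0000] "GET /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 405 0 "-" "curl/8.0"',
    '192.0.2.9 - - [11/Jun/2026:08:18:30 +0000] "GET /mics/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['time']} {f['ip']} status={f['status']}")
```

Run it against real logs by feeding `find_suspicious()` an open file object instead of `SAMPLE_LOG`, and replace the constructed subnet with your actual administration network. The "high" findings are the ones to escalate; a "medium" with status 403 from outside the trusted network is evidence that the access restriction in the workarounds is doing its job.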

Temporary Workarounds

  • Restrict Network Exposure: Use firewalls, reverse proxies, or ACLs to block inbound access to Sentry’s management ports and /mics/api/ endpoint from outside trusted networks.
  • Enable IPS Protections: Deploy the latest intrusion prevention rules for CVE-2026-10520 (e.g., Check Point, the Snort community rule published on GitHub, or an equivalent vendor rule).
  • Behavioral Detection: Proactively watch for signs of exploitation: unusual POSTs to vulnerable endpoints, creation of new admin accounts, abnormal system processes.
  • Limitations: These mitigations significantly reduce the attack surface but do not eliminate risk. Only a vendor-supplied patch to R10.5.2/10.6.2/10.7.1 or higher ensures complete remediation.
