~/blog/news/news-20260610-ivanti-sentry-rce $
Ivanti Sentry: patch the CVSS 10.0 unauth root RCE now
Two critical Ivanti Sentry flaws — an unauthenticated root RCE (CVE-2026-10520) and an auth-bypass that mints rogue admins (CVE-2026-10523) — are patched, and public patch analysis is already out.
If you run Ivanti Sentry (the gateway formerly known as MobileIron Sentry), this is a patch-now week. Ivanti shipped fixes on June 10 for two critical bugs:
CVE-2026-10520 is a CVSS 10.0 OS command-injection that lets an unauthenticated attacker run code as root. Per watchTowr’s analysis (cited by The Register), it lives in an exposed API running under Apache Tomcat, where crafted messages get parsed as MICS configuration commands and executed with root privileges. No credentials, whole box.
CVE-2026-10523 (CVSS 9.9) is an authentication bypass that lets a remote, unauthenticated attacker create their own admin accounts — instant top-level access.
The fixed releases are R10.5.2, R10.6.2 and R10.7.1. Ivanti says it’s “not aware of any customers being exploited… at the time of disclosure”.
watchTowr has already published patch-analysis details, which tends to be the starting gun for exploit development against internet-facing appliances. We’ve watched this exact movie with VPN and gateway boxes all year.
Sentry sits between your back-end systems and remote mobile devices, which makes it an attractive pivot. Move to the fixed train now; if you can’t immediately, restrict who can reach the management API and watch your logs for unexpected admin-account creation.
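If you have more than a handful of Sentry boxes, "move to the fixed train" means checking each one against the release that fixes *its* train, not just against the highest version number. The script below does that triage for an inventory of version strings. It is an added example, not Ivanti's or watchTowr's tooling: the only facts it uses are the three fixed releases named above; the "R10.x.y" version-string format is an assumption taken from how the advisory names those releases, and the inventory is constructed sample data. A version on a train the advisory does not list is reported as needing review rather than as safe.

```python
"""Triage Ivanti Sentry version strings against the fixed releases named in the
June 10 advisory (R10.5.2, R10.6.2, R10.7.1).

Added example, not vendor code. Assumes versions look like "R10.6.1" (leading
"R" optional); the inventory below is constructed sample data.
"""
import re

# Fixed releases exactly as the advisory lists them.
FIXED_RELEASES = ("R10.5.2", "R10.6.2", "R10.7.1")

_VERSION_RE = re.compile(r"^R?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Turn 'R10.6.1' (or '10.6.1') into a comparable (10, 6, 1) tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Sentry version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def format_version(version):
    return "R" + ".".join(str(part) for part in version)


# Map each train (major, minor) to the first release on that train that is fixed.
FIXED_BY_TRAIN = {v[:2]: v for v in map(parse_version, FIXED_RELEASES)}


def triage(text):
    """Return (status, reason) for one version string.

    status is one of:
      'fixed'         - at or above the fixed release for its train
      'vulnerable'    - below the fixed release for its train
      'unknown-train' - the advisory names no fixed release for this train;
                        treat as needing review, never as safe
    """
    version = parse_version(text)
    train = version[:2]
    fixed = FIXED_BY_TRAIN.get(train)
    if fixed is None:
        return "unknown-train", f"no fixed release listed for the {train[0]}.{train[1]} train"
    if version >= fixed:
        return "fixed", f"{format_version(version)} is at or above {format_version(fixed)}"
    return "vulnerable", f"{format_version(version)} is below {format_version(fixed)}"


def triage_inventory(inventory):
    """inventory: {hostname: version_string} -> {hostname: (status, reason)}."""
    return {host: triage(ver) for host, ver in inventory.items()}


# Constructed sample inventory; hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = {
    "sentry-emea-1": "R10.6.1",  # one patch behind on the 10.6 train
    "sentry-emea-2": "R10.6.2",  # exactly the fixed release
    "sentry-lab": "R10.7.0",     # newest train, but still below R10.7.1
    "sentry-legacy": "R10.4.3",  # train not covered by the advisory
}

if __name__ == "__main__":
    for host, (status, reason) in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {status:14} {reason}")
```

Note the train-aware comparison: R10.7.0 sorts above R10.6.2 as a plain version number, yet it is still below its own fixed release and gets flagged. Anything on a train the advisory does not mention comes back as `unknown-train`, which is the right default when the page gives you no fixed version to compare against.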