The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Ivanti Sentry vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2026-10520, carries a maximum severity rating with a CVSS score of 10.0.
Ivanti Sentry is a secure gateway platform designed to manage and protect communication between mobile devices and enterprise systems. Because it serves as a central access point for mobile connectivity, it holds a highly sensitive position within organizational networks.
The identified vulnerability is an operating system command injection flaw that allows remote attackers to execute arbitrary commands on affected systems with root-level privileges. Notably, the attack can be carried out without authentication, significantly increasing its risk profile.
According to official guidance, all versions of Ivanti Sentry prior to R10.5.2, R10.6.2, and R10.7.1 are impacted. An unauthenticated attacker can exploit this weakness to gain full system control by injecting malicious commands into the platform.
While Ivanti initially reported no evidence of exploitation, independent researchers have observed otherwise. Threat intelligence findings indicate that attackers quickly began scanning for exposed systems following disclosure and patch release. In several cases, internet-facing Ivanti Sentry appliances were found to be compromised and implanted with backdoors shortly after updates became available.
Security researchers have also reported widespread attempts to exploit the vulnerability using publicly available proof-of-concept (PoC) code. Although only a limited number of vulnerable systems have been directly observed in scans, experts warn that actual exposure is likely higher due to accessibility limitations in scanning environments. As a result, organizations that have not yet patched their systems are strongly advised to assume compromise.
At the time of reporting, Ivanti has not formally confirmed active exploitation in its advisory, but the evidence gathered by researchers strongly suggests ongoing attack activity. Ivanti products have historically been a high-priority target for threat actors because successful exploitation can provide direct entry into enterprise networks, enabling lateral movement, data exfiltration, and long-term persistence.
The risk is further amplified by the role Ivanti Sentry plays within enterprise architectures. As a gateway between external mobile devices and internal corporate resources, a compromised Sentry instance effectively grants attackers access inside the trusted network perimeter, bypassing many traditional security controls.
Under Binding Operational Directive (BOD) 22-01, which mandates remediation of known exploited vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies are required to address this issue within the specified timeframe to reduce exposure to active threats.
Security professionals also urge private-sector organizations to regularly review updates to the KEV catalog and promptly apply patches or mitigations to affected systems.
CISA has set a firm deadline of June 14, 2026, for federal agencies to remediate this vulnerability.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
