Critical Ivanti Sentry Flaws Enable Root RCE and Admin Account Creation
Ivanti disclosed two severe vulnerabilities in Ivanti Sentry that allow remote compromise of exposed appliances. CVE-2026-10520 is an OS command injection flaw (CWE-78) that can let an unauthenticated attacker achieve root-level remote code execution, while CVE-2026-10523 is an authentication bypass (CWE-288) that can be used to create arbitrary administrative accounts and obtain full administrative access. Both issues affect Ivanti Sentry versions earlier than R10.5.2, R10.6.2, and R10.7.1.
The vulnerabilities carry severe impact ratings, with CVE-2026-10520 described as critical and CVE-2026-10523 as high severity, reflecting risks to confidentiality, integrity, and availability. Ivanti said the flaws were addressed in R10.5.2, R10.6.2, and R10.7.1, and published a security advisory covering both CVEs, making patching of affected Sentry deployments an immediate priority.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
CISA adds CVE-2026-10520 to KEV catalog
On 2026-06-11, CISA added Ivanti Sentry vulnerability CVE-2026-10520 to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The notice directed Federal Civilian Executive Branch agencies to prioritize remediation under Binding Operational Directive 26-04 and assess whether systems were compromised before patching.
Shadowserver reports active exploitation of CVE-2026-10520
Shadowserver reported that attackers were actively exploiting Ivanti Sentry flaw CVE-2026-10520 after a public proof-of-concept became available. It said exploitation attempts surged and that many exposed Sentry gateways were likely already backdoored or compromised.
Ivanti advisory also covers two EPMM vulnerabilities
Ivanti's June 2026 advisory also described two Ivanti EPMM flaws, CVE-2026-6973 and CVE-2026-10727, involving Apache directive injection or command execution paths that require administrator authentication. The reference states CVE-2026-6973 was already listed in CISA KEV as actively exploited, while Ivanti said there was no known public exploitation of CVE-2026-10727 at disclosure.
watchTowr Labs publishes public PoC for Ivanti Sentry flaws
watchTowr Labs published technical analysis and a public proof-of-concept exploit for CVE-2026-10520 and CVE-2026-10523, lowering the barrier to exploitation of the Ivanti Sentry vulnerabilities. The report also noted Ivanti said it was not aware of customer exploitation at the time of disclosure.
Ivanti publishes Sentry advisory and fixed versions
Ivanti published a security advisory covering CVE-2026-10520 and CVE-2026-10523 and stated that fixes are available in Ivanti Sentry versions R10.5.2, R10.6.2, and R10.7.1. The advisory confirms affected versions are those prior to these releases.
Ivanti discloses CVE-2026-10523 authentication bypass in Sentry
On 2026-06-09, CVE-2026-10523 was disclosed as an authentication bypass in Ivanti Sentry affecting versions before R10.5.2, R10.6.2, and R10.7.1. A remote unauthenticated attacker could create arbitrary administrative accounts and gain full administrative access.
Ivanti records CVE-2026-10520 for Sentry command injection
On 2026-06-09, CVE-2026-10520 was recorded as an OS command injection vulnerability in Ivanti Sentry affecting versions before R10.5.2, R10.6.2, and R10.7.1. The flaw allows a remote unauthenticated attacker to achieve root-level remote code execution.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
24 references tracked. Mallory keeps watching after this page renders.
Critical Vulnerabilities in Ivanti Sentry Allows Code Execution as Root (CVE-2026-10520 & CVE-2026-10523) - Malware News - Malware Analysis, News and Indicators
malware.news
Open sourceCISA orders feds to patch actively exploited Ivanti flaw by Sunday
bleepingcomputer.com
Open sourceCVE-2026-10520 Exploited: Ivanti Sentry Gateways Compromised Shortly After Patch Release
securityaffairs.com
Open sourceIvanti Command Injection Vulnerability Exploited in Attacks following PoC Release
cybersecuritynews.com
Open sourceGitHub - watchtowrlabs/watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523 · GitHub
github.com
Open sourceSecurity Advisory Ivanti Sentry (CVE-2026-10520, CVE-2026-10523)
hub.ivanti.com
Open sourceCVE-2026-10520 - Ivanti Sentry OS Command Injection
cvefeed.io
Open sourceCVE-2026-10523 - Ivanti Sentry Authentication Bypass
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple High-Severity Vulnerabilities in Ivanti Endpoint Manager Including Remote Code Execution and SQL Injection
Ivanti Endpoint Manager has been found to contain a total of 13 security vulnerabilities, including high-severity remote code execution (RCE) and 11 SQL injection flaws. Security researchers disclosed that these vulnerabilities could allow attackers to compromise systems managed by Ivanti Endpoint Manager, a widely used enterprise IT management solution. Among the most critical issues is CVE-2025-9713, which enables remote, unauthenticated attackers to achieve code execution through a path traversal flaw, provided user interaction occurs. The CVSS score for this vulnerability is 8.8, indicating a high risk to organizations using affected versions. The vulnerabilities were publicly disclosed in mid-October 2025, prompting urgent attention from security teams. The SQL injection vulnerabilities could allow attackers to manipulate backend databases, potentially leading to data exfiltration or further compromise of the management infrastructure. The RCE flaw, in particular, poses a significant threat as it could be exploited remotely, increasing the attack surface for threat actors. Ivanti has not yet published a comprehensive list of affected product versions, but the risk profile suggests that a broad range of deployments may be impacted. Security advisories recommend immediate review of Ivanti Endpoint Manager deployments and the application of any available patches or mitigations. Organizations are urged to monitor for signs of exploitation and to implement network segmentation to limit potential lateral movement. The vulnerabilities highlight the ongoing risks associated with enterprise management platforms, which often have elevated privileges across corporate environments. No reports of active exploitation have been confirmed at the time of disclosure, but the technical details suggest that exploitation would be feasible for skilled attackers. The disclosure underscores the importance of timely vulnerability management and the need for robust monitoring of critical IT infrastructure. Security teams should prioritize patching and consider additional controls such as application whitelisting and enhanced logging. The incident serves as a reminder of the potential impact of vulnerabilities in widely deployed enterprise software. Given the severity and nature of the flaws, organizations should treat this as a high-priority security event. The situation remains dynamic as further technical details and remediation guidance are expected from Ivanti and the security community.
Mar 21, 2026
Ivanti Patches RCE and Privilege Escalation Flaws in Secure Access Client and vTM
Ivanti released security updates for two enterprise products, fixing multiple vulnerabilities in **Ivanti Secure Access Client for Windows** and **Ivanti Virtual Traffic Manager (vTM)**. In Secure Access Client, version `22.8R6` addresses **CVE-2026-7431**, an incorrect permissions issue that could let a local authenticated user read or modify sensitive log data; **CVE-2026-7432**, a race condition that could allow local privilege escalation to `SYSTEM`; and **CVE-2026-8992`, an improper certificate validation flaw that could enable remote unauthenticated code execution. Ivanti said affected Secure Access Client versions are `22.8R5` and earlier and advised customers to upgrade to `22.8R6`. Ivanti also patched **CVE-2026-8051** in **Ivanti Virtual Traffic Manager**, a high-severity `CWE-78` OS command injection vulnerability with a CVSS score of `7.2` that could allow a remote authenticated administrator to achieve remote code execution. The flaw affects vTM `22.9r3` and earlier and is fixed in `22.9r4`. Ivanti said it was not aware of customer exploitation of any of the disclosed issues before publication and said the vulnerabilities were reported through its responsible disclosure program, crediting William Söderberg of Reversec for the vTM finding.
May 25, 2026
Critical RCE Flaws Disclosed in Ivanti CSA and VMware vCenter
Critical vulnerabilities were disclosed in **Ivanti Cloud Services Application (CSA)** and **VMware vCenter Server** products, exposing enterprise management platforms to remote compromise. Ivanti said CSA `5.0.2` and earlier contain three flaws—`CVE-2024-11639`, `CVE-2024-11772`, and `CVE-2024-11773`—that can enable authentication bypass, remote code execution, and arbitrary SQL query execution through the administrator browser console, with the most severe issues rated **CVSS 10.0**. Ivanti released fixes in CSA `5.0.3` and urged customers to update immediately. VMware also disclosed two vulnerabilities affecting **vCenter Server** and **VMware Cloud Foundation**: `CVE-2024-38812`, a heap overflow that can allow arbitrary code execution, and `CVE-2024-38813`, which can enable privilege escalation to root. The flaws affect vCenter Server `7.0` and `8.0` as well as VMware Cloud Foundation `4.x` and `5.x`, and can be exploited remotely over the network using specially crafted packets. In both vendor notices, no active exploitation had been confirmed at the time of disclosure, but organizations and service providers were advised to apply vendor-fixed versions without delay because successful attacks could result in full administrative compromise.
Apr 24, 2026