Ivanti Sentry CVE-2026-10520 Is Exploited: Patch to R10.7.1 Now
CISA added Ivanti Sentry CVE-2026-10520 to KEV on June 11, 2026. Unauthenticated root RCE, CVSS 10.0, federal due date June 14. Here is who is affected and what to do.
CISA added CVE-2026-10520 in Ivanti Sentry to its Known Exploited Vulnerabilities catalog on June 11, 2026. The flaw is an OS command injection (CWE-78) that lets a remote, unauthenticated attacker run commands as root on the appliance. NVD scores it CVSS 10.0 (vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). If you run an internet-reachable Sentry in an unmanaged state, treat this as an active compromise risk, not a future one.
Am I affected?
The vulnerability affects, in Ivanti’s words, “Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions” (formerly MobileIron Sentry). Fixed builds are R10.5.2, R10.6.2, and R10.7.1.
The exploitable condition matters. Per Ivanti and CISA, the flaw can be exploited when the Sentry appliance is in an unmanaged state with its endpoints externally reachable. Deployments that use mTLS with EPMM, or restricted HTTPS access through Neurons for MDM, keep the affected interfaces inaccessible to external actors. So two questions decide your exposure:
- Is the Sentry management or service interface reachable from the public internet?
- Is the appliance in an unmanaged state rather than fronted by mTLS or restricted HTTPS?
If both are true, you are in the exploitable configuration. Ivanti’s advisory also lists CVE-2026-10523; only CVE-2026-10520 is on KEV as of this writing.
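To apply the two exposure questions and the per-branch fixed builds to an inventory, here is an added triage script (ours, not Ivanti's or CISA's). It assumes the branch of a build is its first two version components; branches older than R10.5 have no listed fix and are treated as vulnerable, and branches newer than R10.7 are treated as carrying the fix, both of which are assumptions the advisory does not state. Hostnames and versions below are constructed.

```python
import re
from dataclasses import dataclass

# Fixed builds named in Ivanti's advisory, keyed by release branch (major, minor).
FIXED_BUILDS = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}


def parse_version(v: str) -> tuple[int, ...]:
    """Parse a Sentry version such as 'R10.6.1' into (10, 6, 1)."""
    m = re.fullmatch(r"R?(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unrecognised Sentry version string: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def build_is_vulnerable(version: str) -> bool:
    """True when the build predates the fixed build on its branch.

    Assumption: branches with no listed fix are vulnerable if older than
    R10.5 and treated as fixed if newer than R10.7.
    """
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in FIXED_BUILDS:
        return parsed < FIXED_BUILDS[branch]
    return branch < min(FIXED_BUILDS)


@dataclass
class SentryHost:
    name: str
    version: str
    internet_reachable: bool  # interface reachable from the public internet
    managed: bool  # mTLS with EPMM, or restricted HTTPS via Neurons for MDM


def triage(host: SentryHost) -> str:
    """Combine the build check with the two exposure questions from above."""
    if not build_is_vulnerable(host.version):
        return "patched"
    if host.internet_reachable and not host.managed:
        return "exploitable: patch now, or cut external reachability"
    return "vulnerable build, not in the exploitable configuration: patch on schedule"


# Constructed sample inventory; names and versions are made up for illustration.
INVENTORY = [
    SentryHost("sentry-dmz-01", "R10.6.1", True, False),
    SentryHost("sentry-dmz-02", "R10.7.1", True, False),
    SentryHost("sentry-int-01", "R10.5.0", False, True),
]

if __name__ == "__main__":
    for h in INVENTORY:
        print(f"{h.name} ({h.version}): {triage(h)}")
```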
What to do now
- Patch first. Upgrade to R10.5.2, R10.6.2, or R10.7.1 on the branch you run. This is the only durable fix. The federal remediation due date is June 14, 2026, which is a useful deadline for any organization, not just agencies.
- If you cannot patch within hours, cut external reachability. Remove the Sentry interfaces from public internet exposure, or put them behind the configurations Ivanti names as protective: mTLS with EPMM, or restricted HTTPS access through Neurons for MDM. The honest cost: this can break external device check-in flows, so validate against your enrollment paths before you flip it.
- Assume nothing about pre-patch exposure. For an unauthenticated root RCE on an internet-facing appliance, any time it was reachable before patching is time it could have been hit. After patching, review the appliance for unexpected processes, new accounts, and outbound connections, and follow CISA’s forensic triage guidance referenced in the KEV required action.
How it is being exploited
CISA’s KEV listing is the confirmation of active exploitation. The catalog records CVE-2026-10520 with a date added of June 11, 2026 and a remediation due date of June 14, 2026. Known ransomware campaign use is listed as “Unknown” at this time. We have not seen primary-source indicators of compromise published yet, so we are not reproducing any. EPSS for this CVE is 3.3% (87th percentile) as of June 11, 2026, which is expected to move as more data arrives on a fresh, actively exploited flaw. We will update this post as vendor or CERT telemetry adds detail.
How VulnMonitor helps
VulnMonitor keeps a live inventory of what you run, so the first question above answers itself: you already know whether any Sentry instance is on an affected build, and whether it is exposed. When a CVE lands on KEV, VulnMonitor reconciles it against that inventory and ranks it by KEV status and EPSS, so an unauthenticated root RCE like this one surfaces at the top of your queue within the hour rather than in next week’s scan. It does not stop the attack itself, so the patch above is still the action that closes the risk.
Updates
- 2026-06-12, 03:00 UTC: Initial post. CVE-2026-10520 added to CISA KEV on June 11, 2026. CVSS 10.0, EPSS 3.3% (87th percentile). Fixed in R10.5.2, R10.6.2, R10.7.1.