
CIO Brief: Ivanti Sentry CVE-2026-10520 (CVSS 10.0) — Mobile Management Gateway Actively Under Attack

Ivanti Sentry carries a CVSS 10.0 pre-authentication remote code execution vulnerability being actively exploited in the wild. Ivanti Sentry is deployed as an internet-facing mobile device management gateway — any organisation using Sentry for mobile email and application access is exposed. Upgrade to Sentry 9.19.1 immediately.


Situation

Ivanti has disclosed CVE-2026-10520, a CVSS 10.0 (maximum severity) pre-authentication OS command injection in Ivanti Sentry — the enterprise mobile device management gateway. Active exploitation has been confirmed by CISA, which added the vulnerability to the Known Exploited Vulnerabilities catalogue on 10 June.

A companion vulnerability, CVE-2026-10523 (CVSS 9.4), allows the same result with a low-privilege API token.

Ivanti Sentry is internet-facing by design — it provides mobile devices with access to enterprise email and applications when outside the corporate network. Every unpatched Sentry instance is directly exploitable from the internet with no authentication.

Business Impact

Successful exploitation of CVE-2026-10520 gives an attacker SYSTEM-level access to the Sentry appliance, which serves as a gateway to:

  • Corporate email access: All mobile email traffic passes through Sentry — Exchange, Microsoft 365 credentials and mail content are accessible
  • Internal application access: Sentry proxies access to internal web applications and resources for mobile workers
  • MDM data: Device inventory, user-to-device mappings, corporate application certificates, and MDM configuration are stored on the Sentry appliance
  • Network foothold: The Sentry appliance sits at the perimeter — OS access provides a network pivot point into the enterprise

This is a high-impact breach path. A compromised Sentry manages the mobile access channel for the entire mobile workforce.

Priority | Action | Timeline
IMMEDIATE | Upgrade Ivanti Sentry to version 9.19.1 | Within 24 hours
IMMEDIATE | Restrict administrative interface access to management IP ranges | Same day (interim)
URGENT | Review Sentry logs for exploitation indicators (unexpected API calls, unusual outbound connections) | Within 48 hours
URGENT | Rotate any credentials stored in Sentry configuration if exploitation cannot be ruled out | Within 48 hours
STANDARD | Review all Ivanti product advisories — this is the third critical Ivanti CVE in 12 months | Ongoing

Executive Summary

Any organisation running Ivanti Sentry for mobile access should treat CVE-2026-10520 as an active incident response situation until the patch is applied and compromise review is complete. The CVSS 10.0 score and confirmed active exploitation mean that unpatched Sentry instances are being compromised now. The pattern of critical vulnerabilities in Ivanti products over 2024–2026 warrants a strategic review of Ivanti’s role in the mobile access architecture.