Situation
Ivanti has disclosed a second critical vulnerability in its Sentry mobile device management gateway that chains with a previously patched flaw to give an unauthenticated attacker complete control of the appliance. CVE-2026-10523 (CVSS 9.9, authentication bypass) and CVE-2026-10520 (CVSS 10.0, pre-authentication remote code execution) together form an attack chain that requires no credentials at any stage. Sentry is the policy enforcement gateway through which mobile devices reach corporate email and application infrastructure, so its compromise exposes the boundary between mobile endpoints and internal systems.
The critical operational risk: organisations that responded to the initial CVE-2026-10520 disclosure by deploying Sentry 9.18.2 may have stood down their incident response effort in the belief that remediation was complete. CVE-2026-10523 lies in a separate code path that 9.18.2 does not address; Sentry 9.19.0 is required to close both vulnerabilities.
Business Impact
Ivanti Sentry sits between the internet and internal Exchange, ActiveSync, and application gateway infrastructure. A compromised Sentry instance enables an attacker to:
- Bypass mobile device compliance enforcement — allowing unmanaged or non-compliant devices to access corporate email
- Intercept and manipulate ActiveSync communications in transit through the gateway
- Pivot to internal Exchange and corporate application systems from the Sentry management plane
- Modify enrolled device policy configurations across all MDM-managed mobile devices
- Extract Sentry configuration including internal LDAP/Active Directory connection credentials
Exploitation will not be visible to conventional EDR tooling, because it targets the network appliance itself rather than the managed endpoints that carry an agent; detection depends on the appliance's own audit logs and on network telemetry around it.
Required Actions
Immediate (within 24 hours):
- Upgrade Ivanti Sentry to version 9.19.0 — this is the minimum version addressing both CVEs
- If 9.18.2 was deployed for CVE-2026-10520, this is not sufficient — 9.19.0 must be applied
- Confirm the Sentry management interface is accessible only from authorised management network segments and not from internet-routable addresses
Short-term (within 72 hours):
- Review Sentry audit logs for authentication anomalies in the 14 days preceding this advisory, focusing on requests to the management API from unexpected source addresses. Because the chain requires no credentials, a successful compromise need not leave a failed login behind it; treat any management access from outside the authorised segments as suspect regardless of outcome
- Validate that enrolled mobile device policy configurations have not been modified — export and compare against a known-good baseline
- Brief the MDM and mobile security team on potential policy integrity risk; escalate any discrepancies
Medium-term (within 2 weeks):
- Rotate Sentry LDAP/AD connector credentials and any service account credentials stored in Sentry configuration
- Review and harden Sentry network segmentation — management interface should have no inbound access from internet or DMZ segments
- Maintain elevated monitoring of Ivanti product advisories for 30 days; Ivanti has repeatedly disclosed companion vulnerabilities in rapid succession after an initial disclosure, as happened here
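The three checks below (patch-level grading, management-interface exposure, and policy baseline comparison) are an added example written for this advisory; they are not Ivanti's code or tooling. Everything about the inputs is assumed: the Sentry version is available to the operator as a dotted string such as "9.18.2", the management-interface ACL is available as a list of source CIDRs, and the enrolled policy set is exported as JSON mapping policy name to settings with a known-good export of the same shape kept as a baseline. The sample exports and CIDRs are constructed; Sentry's real export format is not assumed.

```python
"""Added example (not Ivanti's code or tooling): three of the checks in the
Required Actions list, run against constructed data so it executes offline.
Assumptions, all hypothetical: the Sentry version is available as a dotted
string such as "9.18.2"; the management-interface ACL is a list of source
CIDRs; the policy set is exported as JSON mapping policy name to settings,
and a known-good export of the same shape was kept as a baseline."""
import ipaddress
import json

# Patch levels named in the advisory.
FIXED_FOR_BOTH = (9, 19, 0)        # closes CVE-2026-10520 and CVE-2026-10523
FIXED_FOR_10520_ONLY = (9, 18, 2)  # closes CVE-2026-10520 only


def parse_version(version: str) -> tuple:
    """Turn "9.18.2" into (9, 18, 2). Compare numerically: as text "9.9.0"
    sorts above "9.18.2", which would grade a vulnerable build as patched."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (3 - len(nums))  # "9.19" is treated as 9.19.0
    return tuple(nums)


def remediation_status(version: str) -> str:
    """Grade a Sentry build against the two patch levels in the advisory."""
    v = parse_version(version)
    if v >= FIXED_FOR_BOTH:
        return "remediated"
    if v >= FIXED_FOR_10520_ONLY:
        return "partial"  # the 9.18.2 trap: CVE-2026-10523 is still open
    return "vulnerable"


def exposed_acl_sources(acl_sources, management_cidrs):
    """ACL source ranges not wholly inside an authorised management segment;
    0.0.0.0/0, a DMZ range or a public range is returned for review."""
    mgmt = [ipaddress.ip_network(c) for c in management_cidrs]
    exposed = []
    for src in acl_sources:
        net = ipaddress.ip_network(src, strict=False)
        if not any(net.version == m.version and net.subnet_of(m) for m in mgmt):
            exposed.append(str(net))
    return exposed


def policy_drift(baseline: dict, current: dict) -> dict:
    """Structural comparison of an exported policy set with the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {
        name: {"baseline": baseline[name], "current": current[name]}
        for name in sorted(set(baseline) & set(current))
        if baseline[name] != current[name]
    }
    return {"added": added, "removed": removed, "changed": changed}


# Constructed sample exports (not a real Sentry export format).
BASELINE_JSON = json.dumps({
    "default":    {"require_encryption": True, "min_os": "17.0", "exempt_devices": []},
    "executives": {"require_encryption": True, "min_os": "17.0", "exempt_devices": []},
})
CURRENT_JSON = json.dumps({
    "default":    {"require_encryption": True, "min_os": "17.0", "exempt_devices": ["DEV-4431"]},
    "executives": {"require_encryption": True, "min_os": "17.0", "exempt_devices": []},
    "contractors": {"require_encryption": False, "min_os": "14.0", "exempt_devices": []},
})


def run_checks(version, acl_sources, management_cidrs, baseline_json, current_json):
    """Bundle the three checks into one report for the incident record."""
    return {
        "remediation": remediation_status(version),
        "exposed_sources": exposed_acl_sources(acl_sources, management_cidrs),
        "drift": policy_drift(json.loads(baseline_json), json.loads(current_json)),
    }


if __name__ == "__main__":
    report = run_checks("9.18.2", ["10.20.0.0/24", "0.0.0.0/0"], ["10.20.0.0/22"],
                        BASELINE_JSON, CURRENT_JSON)
    print(json.dumps(report, indent=2))
```

Run as-is, the sample reports "partial" for 9.18.2 (the case this advisory is about), flags 0.0.0.0/0 as an ACL source that reaches the management interface from anywhere, and shows a new "contractors" policy plus a compliance exemption added to "default" that the baseline does not contain. The numeric version comparison matters: a lexical check would rank 9.9.x above 9.19.0.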
Indicators of Compromise
Ivanti has not released specific IOCs. Monitor for:
- Unexpected authentication events in Sentry audit logs, particularly from external IP addresses
- ActiveSync policy changes or device compliance exemptions not initiated by IT staff
- Outbound connections from Sentry to external IP addresses not matching Ivanti’s update infrastructure
- New administrator accounts created in Sentry user management
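The triage pass below turns the four indicators above into a filter over audit lines with the 14-day look-back from the Required Actions. It is an added example, not Ivanti's tooling. The line format (ISO timestamp, event name, key=value fields), the event names, the CIDRs, the staff list and the log lines are all constructed for the example; Sentry's real audit log format is not assumed, so parse_line() is the part to adapt.

```python
"""Added example (not Ivanti's tooling): a triage pass over audit lines for the
indicators listed in the advisory, with a 14-day look-back. The line format is
constructed for the example (ISO timestamp, event name, key=value fields);
Sentry's real audit log format is not assumed, so parse_line() is the part to
adapt. Event names, CIDRs, staff list and sample lines are all hypothetical."""
import ipaddress
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>[A-Z_]+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str):
    """One constructed audit line -> dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    rec = {"ts": ts, "event": m.group("event")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def in_any(ip, cidrs) -> bool:
    """True if ip lies in one of the CIDRs; a missing address never qualifies."""
    if not ip:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def triage(lines, advisory_date, window_days, mgmt_cidrs, it_staff, update_cidrs):
    """Return (indicator, record) pairs for lines inside the look-back window
    that match one of the advisory's indicators. Authentication events are
    judged by source segment, not by outcome: the chain needs no credentials,
    so a successful login from the wrong segment is as suspect as a failure."""
    start = advisory_date - timedelta(days=window_days)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (start <= rec["ts"] <= advisory_date):
            continue
        ev = rec["event"]
        if ev in ("AUTH_SUCCESS", "AUTH_FAILURE") and not in_any(rec.get("src"), mgmt_cidrs):
            findings.append(("auth_from_untrusted_source", rec))
        elif ev == "ADMIN_CREATE":
            findings.append(("new_admin_account", rec))
        elif ev in ("POLICY_UPDATE", "COMPLIANCE_EXEMPT") and rec.get("actor") not in it_staff:
            findings.append(("policy_change_not_by_it", rec))
        elif ev == "OUTBOUND_CONNECT" and not in_any(rec.get("dst"), update_cidrs):
            findings.append(("unexpected_outbound", rec))
    return findings


# Constructed sample log (not real Sentry output).
SAMPLE_LINES = [
    "2026-02-20T08:02:11 AUTH_SUCCESS user=admin src=10.20.0.15",
    "2026-02-25T03:14:07 AUTH_SUCCESS user=admin src=203.0.113.44",
    "2026-02-25T03:15:30 ADMIN_CREATE user=svc_backup actor=admin src=203.0.113.44",
    "2026-02-25T03:16:02 COMPLIANCE_EXEMPT device=DEV-4431 actor=svc_backup",
    "2026-02-25T03:20:45 OUTBOUND_CONNECT dst=198.51.100.9 port=443",
    "2026-02-26T09:00:00 OUTBOUND_CONNECT dst=192.0.2.10 port=443",
    "2026-02-27T10:10:10 POLICY_UPDATE policy=default actor=jdoe",
    "2026-01-05T12:00:00 AUTH_SUCCESS user=admin src=203.0.113.44",
    "malformed line that the parser should skip",
]


def run_sample():
    """Triage SAMPLE_LINES with hypothetical site parameters; returns indicator codes."""
    findings = triage(SAMPLE_LINES, datetime(2026, 3, 1), 14,
                      mgmt_cidrs=["10.20.0.0/22"], it_staff={"jdoe", "admin"},
                      update_cidrs=["192.0.2.0/24"])
    return [code for code, _ in findings]


if __name__ == "__main__":
    for code, rec in triage(SAMPLE_LINES, datetime(2026, 3, 1), 14,
                            ["10.20.0.0/22"], {"jdoe", "admin"}, ["192.0.2.0/24"]):
        print(code, rec["ts"].isoformat(), rec["event"],
              rec.get("src") or rec.get("dst") or rec.get("actor"))
```

On the constructed sample the pass yields four findings in sequence: a successful admin login from a public address, an administrator account created from that same address a minute later, a compliance exemption granted by the new account, and an outbound connection to an address outside the update allowlist. The in-segment login, the allowlisted update connection, the IT-initiated policy change and the login outside the 14-day window are all left alone, as is the unparseable line.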
Compliance Note
Ivanti Sentry is deployed in regulated sectors including healthcare (HIPAA-covered mobile device management) and financial services (SOX-relevant mobile email infrastructure). A compromised Sentry gateway through which ActiveSync traffic has passed in the clear may constitute a reportable data breach under the applicable regulatory frameworks. Engage legal and compliance counsel to assess breach notification obligations if exploitation is suspected.