Attackers began hitting a maximum-severity flaw in Ivanti Sentry less than a day after it was disclosed, weaponizing a publicly released proof-of-concept to gain unauthenticated remote code execution as root. The bug, CVE-2026-10520, is an OS command injection issue carrying a CVSS score of 10 and affecting all Ivanti Sentry builds prior to R10.5.2, R10.6.2 and R10.7.1. Honeypot operators reported a near-continuous stream of exploit attempts that struck exposed appliances with no prior reconnaissance — a sign the operators had pre-mapped Ivanti's internet-facing assets and were ready to fire the instant details went public.
What was disclosed
Ivanti published its advisory on Tuesday, covering two Sentry vulnerabilities at once:
- CVE-2026-10520 — an OS command injection flaw rated CVSS 10 (maximum severity) that allows a remote, unauthenticated attacker to execute code with root privileges. It affects Ivanti Sentry releases before R10.5.2, R10.6.2 and R10.7.1.
- CVE-2026-10523 — an authentication bypass rated 9.9.
The vendor's advisory initially stated that neither issue was known to be exploited, but that assessment was overtaken almost immediately for CVE-2026-10520. Security firm WatchTowr put out a technical write-up alongside a working proof-of-concept, and Rapid7 issued its own alert warning that the bug was trivial to weaponize and urging organizations to patch before in-the-wild abuse began.
Ivanti Sentry — sold previously as MobileIron Sentry — is part of the company's Unified Endpoint Management suite. It functions as an in-line gateway between mobile devices and back-end enterprise systems, standing up on-demand, per-app VPN tunnels for services such as email while encrypting the traffic that passes through it.
Exploitation within 24 hours
The exploitation Rapid7 predicted materialized almost immediately. The Shadowserver Foundation said on Mastodon it was observing high volumes of CVE-2026-10520 attempts based on the public PoC, and it identified 19 vulnerable instances — at least two of which were already backdoored. Shadowserver cautioned that its visibility was incomplete because some Sentry appliances could not be reached during scanning, and warned that unpatched systems were likely already compromised.
Threat-intelligence outfit Defused logged comparable activity. Founder and CEO Simo Kohonen told Dark Reading that the attacks had run almost without pause since WatchTowr's PoC went live. Kohonen pointed to one telling characteristic: the exploit was sent directly at Defused's Ivanti honeypots with no fingerprinting or probing beforehand. That pattern, he said, suggests whoever struck first had already inventoried Ivanti's exposed assets and was poised to act the moment the vulnerability became known.
Because Sentry frequently sits at a sensitive chokepoint for mobile and device access, SOCRadar warned that root-level control of the appliance could expose stored configurations, credentials and linked authentication or directory integrations, while giving attackers the ability to disable defenses or pivot further into the network. The campaign extends a long history of attacks against Ivanti products by both criminal and nation-state actors, coming after the widespread April exploitation of CVE-2026-1340, a critical flaw in Ivanti Endpoint Manager Mobile.
Proof of concept
WatchTowr published a detection artifact generator on GitHub that confirms exploitability against both Sentry CVEs. The tool issues a command-execution check to the vulnerable endpoint /mics/api/v2/sentry/mics-config/handleMessage and returns the output of an attacker-supplied command:
$ python3 watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523.py --url https://127.0.0.1 --cmd "uname -a"
__ ___ ___________
__ _ ______ _/ |__ ____ | |_\__ ____\____ _ ________
\ \/ \/ \__ \ ___/ ___\| | \| | / _ \ \/ \/ \_ __ \
\ / / __ \| | \ \___| Y | |( <_> \ / | | \/
\/\_/ (____ |__| \___ |___|__|__ | \__ / \/\_/ |__|
\/ \/ \/
watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523.py
(*) Ivanti Sentry Authentication Bypass and Remote Code Execution Detection Artifact Generator Tool
- Sonny , watchTowr (sonny@watchTowr.com)
CVEs: [CVE-2026-10520, CVE-2026-10523]
============================================================
Target: https://127.0.0.1
Command: uname -a
[+] Sending command execution check to: https://127.0.0.1/mics/api/v2/sentry/mics-config/handleMessage
[+] Target appears to be vulnerable.
Command output:
Linux 127.0.0.1 4.18.0-553.84.1.el8_10.x86_64 #1 SMP Mon Nov 17 12:53:24 PST 2025 x86_64 x86_64 x86_64 GNU/Linux
To run the check against your own appliance, invoke the generator with the target URL and a command to execute:
python3 watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523.py --url https://127.0.0.1 --cmd "uname -a"
A response of [+] Target appears to be vulnerable. together with the returned command output confirms the host is exposed. The same primitive that prints uname -a here is what attackers are using to plant backdoors, so any instance that responds positively should be treated as potentially compromised.
Detection and mitigation
- Patch immediately. Upgrade Ivanti Sentry to R10.5.2, R10.6.2 or R10.7.1 (or later) per the vendor advisory. All earlier releases are affected by CVE-2026-10520.
- Assume compromise on unpatched, internet-facing appliances. Shadowserver reported instances already backdoored within a day of disclosure, so patching alone is not sufficient — hunt for signs of intrusion.
- Validate exposure with the WatchTowr generator against the
/mics/api/v2/sentry/mics-config/handleMessageendpoint, and review logs for requests to that path. - Review what a root-level compromise would expose — Sentry-stored configurations, credentials, and linked authentication or directory connections — and rotate any secrets the appliance held.