Attackers Exploit Critical Ivanti Sentry Bug a Day After Disclosure
A maximum-severity flaw in Ivanti Sentry was being exploited in the wild within a day of becoming public, with attackers leaning on a freely available proof-of-concept to break in. Tracked as CVE-2026-10520, the OS command injection vulnerability carries a perfect CVSS score of 10 and lets an unauthenticated, remote attacker run code with root privileges. It affects Ivanti Sentry releases before R10.5.2, R10.6.2 and R10.7.1.
Ivanti revealed the bug on Tuesday alongside a second Sentry issue, CVE-2026-10523, an authentication bypass rated 9.9. The vendor's advisory initially noted that neither flaw was known to be under attack, but that quickly proved outdated for CVE-2026-10520. Security firm WatchTowr published a technical breakdown and a working proof-of-concept exploit, and Rapid7 followed with its own warning that the weakness was simple to weaponize, urging affected organizations to patch immediately before in-the-wild attacks took hold.
Honeypots Hit With No Reconnaissance
The exploitation Rapid7 anticipated arrived almost at once. The Shadowserver Foundation reported on Mastodon that it was seeing heavy volumes of CVE-2026-10520 exploitation attempts built on the public PoC, identifying 19 vulnerable instances, at least two of which had already been backdoored. The group cautioned that its visibility was limited because some Sentry appliances were unreachable in its scans, and that unpatched systems were probably already compromised. Defused recorded similar activity; its founder and CEO, Simo Kohonen, told Dark Reading that attacks had run nearly nonstop since the WatchTowr PoC dropped.
Kohonen flagged one detail as especially telling: the exploit was fired straight at Defused's Ivanti honeypots without any prior fingerprinting or probing. To him, that indicates whoever moved first had already charted Ivanti's exposed assets and was positioned to strike the moment the vulnerability details went public.
Ivanti Sentry, previously sold as MobileIron Sentry, is a component of the company's Unified Endpoint Management platform that acts as an in-line gateway connecting mobile devices to enterprise systems, setting up on-demand, app-specific VPNs for services like email while encrypting traffic. Because the appliance often occupies a sensitive chokepoint for mobile and device access, SOCRadar warned that root-level control could expose configurations, stored credentials and linked authentication or directory connections, and let attackers weaken defenses or pivot deeper into a network. The campaign adds to a long run of attacks on Ivanti products by both criminal and nation-state groups, following the widespread exploitation in April of CVE-2026-1340, a critical flaw in Ivanti Endpoint Manager Mobile.