CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2026-10520

CVSS 10.0v3.1pub. 2026-06-09upd. 2026-06-12

An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution

🤖 AI Analysis
How it works

The vulnerability consists of improper sanitization of input data passed to system calls (CWE-78 — OS Command Injection). An attacker can craft an appropriate network request and inject malicious system commands that will be executed by the server without requiring any credentials. The attack scope extends beyond the application context itself (scope changed), which means the ability to impact other system components.

Impact

An attacker gains remote code execution (RCE) with root privileges on the vulnerable device, which means complete system takeover, access to sensitive data, ability to modify configuration, and potential use of the server as a launch point for further attacks on the internal network.

Mitigation & patch

Ivanti Sentry must be immediately updated to version R10.5.2, R10.6.2, or R10.7.1 (depending on the branch in use). Detailed instructions are available in the official security bulletin from the vendor at the address indicated in the references. Until the patch is deployed, it is recommended to restrict network access to Ivanti Sentry management interfaces only to trusted IP addresses.

Who is affected

Ivanti Sentry in all versions prior to R10.5.2, R10.6.2, and R10.7.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Ivanti Standalone Sentry

    APP
    Ivanti
    10.7.0< 10.5.210.6.0 – 10.6.2 (bez)

CISA KEV — detailsi

Vendori
Ivanti
Producti
Sentry
Added to KEVi
June 11, 2026
Remediation deadline (US Federal)i
June 14, 2026(overdue)
Required action (CISA)i

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

CISA descriptioni

Ivanti Sentry (formerly known as MobileIron Sentry) contains an OS command injection vulnerability which could allow a remote unauthenticated user to achieve root-level remote code execution. This vulnerability can be successfully exploited in cases where the Sentry appliance is in an unmanaged state with its endpoints externally reachable. The use of mTLS with EPMM or restricted HTTPS access through Neurons for MDM makes interfaces inaccessible to external actors.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 14 czerwca 2026
Tags
RCECommand Injection
CWE
References

Related vulnerabilities

CVE-2026-10523CRITICAL9.9PL ✓ten sam produkt

Authentication Bypass w Ivanti Sentry — tworzenie kont admina bez uwierzytelnienia

CVE-2024-8540HIGH8.8ten sam produkt

Insecure permissions in Ivanti Sentry before versions 9.20.2 and 10.0.2 or 10.1.0 allow a local authenticated ...

CVE-2023-41724HIGH8.8ten sam produkt

A command injection vulnerability in Ivanti Sentry prior to 9.19.0 allows unauthenticated threat actor to exec...

CVE-2026-1281CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Krytyczny code injection w Ivanti Endpoint Manager Mobile (RCE bez uwierzytelnienia)

CVE-2026-1340CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Code injection w Ivanti EPMM umożliwiający nieuwierzytelniony RCE

CVE-2026-10520 — Ivanti — Standalone Sentry — CRITICAL — CVSS 10.0 | CVEbaza.pl