IT software provider Ivanti fixed two vulnerabilities in Ivanti Sentry, a secure mobile gateway appliance formerly called MobileIron Sentry. The flaws could allow unauthenticated remote attackers to gain complete control of deployments.
One of the vulnerabilities, CVE-2026-10523, credited to researcher Bryan Lam, allows attackers to bypass authentication and create arbitrary administrative accounts on appliances. The flaw is rated with a severity of 9.9 out of 10 on the CVSS scale.
The second flaw, CVE-2026-10520, is a command injection issue that can lead to remote code execution with root privileges on the underlying OS. Because the vulnerability can be exploited remotely without authentication, it is rated with the maximum CVSS severity score of 10.
Ivanti Sentry is an in-line gateway that manages, encrypts, and secures traffic between mobile devices and back-end enterprise servers such as Microsoft Exchange. It works together with Ivanti Endpoint Manager Mobile (EPMM) to enforce access restrictions and device verification. As such, the appliance is typically deployed at the enterprise network edge and is accessible from the internet.
Both vulnerabilities were reported privately through Ivanti’s responsible disclosure program, and the company is not aware of public exploitation at this time. But attackers, including state-sponsored cyberespionage groups, have exploited vulnerabilities in Ivanti products and network-edge appliances many times in the past.
Furthermore, researchers from security firm watchTowr have posted a detailed analysis of CVE-2026-10520, and the exploit is trivial to execute. The researchers also released a Python script that lets organizations test whether their own deployments are vulnerable.
Ivanti Sentry customers are advised to upgrade their deployments to versions 10.5.2, 10.6.2, or 10.7.1 as soon as possible.