Threat actors are actively exploiting a critical command injection vulnerability in Ivanti Sentry, designated as CVE-2026-10520, shortly after the public release of a proof-of-concept (PoC) exploit. This flaw, with a maximum CVSS score of 10.0, enables remote, unauthenticated attackers to execute code with root privileges on affected Ivanti Sentry appliances.
According to Cybersecurity News, Ivanti addressed this vulnerability, along with CVE-2026-10523, in a security advisory issued on June 9, 2026. The vulnerabilities impact Ivanti Sentry versions 10.5.1, 10.6.1, 10.7.0, and earlier. Patched versions 10.5.2, 10.6.2, and 10.7.1 have been released to mitigate these issues.
Despite Ivanti’s initial statement of no known active exploitation at the time of disclosure, real-world attacks commenced rapidly following the PoC release. The Shadowserver Foundation reported a significant increase in exploitation attempts, identifying at least 19 vulnerable Sentry instances during their scans. Notably, two of these systems were confirmed to be backdoored, indicating successful compromises.
Shadowserver emphasized the urgency of patching, stating, “If you have not patched, you are most likely compromised.” They also noted that the actual number of affected systems is likely higher, as some instances may be inaccessible to external scans due to filtering or network restrictions.
Given the critical nature of this vulnerability and the swift exploitation by threat actors, organizations utilizing Ivanti Sentry are strongly advised to upgrade to the patched versions immediately. Ivanti has provided updated installation images and upgrade packages through its customer download portal. Additionally, security teams should conduct thorough assessments for potential compromises, including checks for unauthorized access, suspicious processes, and persistence mechanisms, especially on internet-exposed appliances.
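The following sketch is an added example, not Ivanti's or Shadowserver's code: it sorts an appliance inventory into upgrade priorities using only the affected and patched versions named in this article. The inventory format, the hostnames and the treatment of release branches the article does not mention (reported as "unknown") are assumptions.

```python
# Added example (not vendor code): triage a Sentry inventory by the versions named above.
# Fixed builds per release branch, as listed in this article.
FIXED = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}

def parse_version(text):
    """'10.6.1' -> (10, 6, 1). Missing parts count as 0; a '-build' suffix is ignored."""
    parts = [int(p) for p in text.strip().split("-")[0].split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(version_text):
    try:
        v = parse_version(version_text)
    except ValueError:
        return "unknown"                      # unparsable inventory field
    branch = v[:2]
    if branch in FIXED:
        return "patched" if v >= FIXED[branch] else "vulnerable"
    if branch < min(FIXED):
        return "vulnerable"                   # "and earlier": no fixed build named here
    return "unknown"                          # assumption: branch not covered by the article

def triage(inventory):
    """inventory: (host, version, internet_exposed) tuples. Returns rows, most urgent first."""
    rows = []
    for host, version, exposed in inventory:
        status = classify(version)
        if status == "vulnerable":
            priority = 1 if exposed else 2    # exposed appliances get compromise checks first
            action = "upgrade and assess for compromise"
        elif status == "unknown":
            priority, action = 3, "confirm version against the vendor advisory"
        else:
            priority, action = 4, "no upgrade needed"
        rows.append((priority, host, version, status, action))
    return sorted(rows)

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE = [
    ("sentry-dmz-01", "10.6.1", True),
    ("sentry-int-02", "10.7.1", False),
    ("sentry-int-03", "10.4.3", False),
    ("sentry-lab-04", "10.8.0", False),
    ("sentry-dmz-05", "10.5.2-17", True),
]

if __name__ == "__main__":
    for priority, host, version, status, action in triage(SAMPLE):
        print(f"P{priority} {host:15} {version:10} {status:10} {action}")
```

A "patched" result reflects the installed version only; an appliance that was upgraded after being exposed while vulnerable still needs the compromise assessment described above.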
This incident underscores the importance of prompt patching and proactive security measures. The rapid transition from vulnerability disclosure to active exploitation highlights the need for organizations to stay vigilant and responsive to emerging threats, particularly those targeting critical infrastructure components.
Source: Cybersecurity News