Ivanti patches critical Sentry flaws that lead to full device takeover
Summary
Ivanti has released patches for two critical vulnerabilities in its Ivanti Sentry product, formerly MobileIron Sentry. These flaws could allow unauthenticated attackers to gain complete control of affected devices. One vulnerability allows for authentication bypass and arbitrary account creation, while the other enables remote code execution with root privileges.
IFF Assessment
These vulnerabilities allow for critical system compromise, posing a significant threat to organizations relying on Ivanti Sentry for mobile device management.
Severity
CVE-2026-10520 is a command injection vulnerability leading to remote code execution with root privileges, exploitable without authentication, thus receiving the maximum CVSS score of 10.0.
Defender Context
Defenders should prioritize patching Ivanti Sentry deployments immediately to mitigate the risk of full device takeover. Given the history of Ivanti products being targeted by advanced persistent threats, rapid patching is crucial.