CVE-2026-10520: Ivanti Sentry OS Command Injection Vulnerability
Summary
A critical OS command injection vulnerability, CVE-2026-10520, has been identified in Ivanti Sentry. This flaw allows unauthenticated remote attackers to achieve root-level code execution, particularly when the Sentry appliance is unmanaged and its endpoints are externally reachable. Mitigations are required, with a federal due date of June 14, 2026.
IFF Assessment
This vulnerability allows for root-level remote code execution, posing a significant threat to defenders.
Severity
The vulnerability allows for unauthenticated remote code execution with root privileges, indicating a critical impact and high exploitability. The CVSS score of 9.8 reflects the potential for widespread compromise.
CISA KEV: Listed as actively exploited. Federal patch due: June 14, 2026. Known ransomware use: Unknown.
Defender Context
Defenders need to prioritize patching or implementing mitigations for Ivanti Sentry due to this critical vulnerability. The ability for remote, unauthenticated root-level code execution makes this a high-priority target for attackers. Organizations should review their Ivanti Sentry deployments, assess external exposure, and apply vendor-provided solutions or consider discontinuing use if mitigations are not feasible.