U.S. CISA adds Ivanti Sentry flaw to its Known Exploited Vulnerabilities catalog and urges patching by June 14
Publish Date: 2026-06-12 14:49:00
Source Domain: securityaffairs.com
Pierluigi Paganini
June 12, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds an Ivanti Sentry flaw to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Ivanti Sentry flaw, tracked as CVE-2026-10520 (CVSS score of 10.0), to its Known Exploited Vulnerabilities (KEV) catalog.
Ivanti Sentry is a secure gateway appliance that sits between an organization’s internal systems and mobile devices, helping companies manage and protect mobile access to corporate resources.
Threat actors have started exploiting the maximum-severity OS command injection flaw in Ivanti Sentry, which allows remote code execution with root privileges.
“An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution,” reads the advisory.
The vulnerability affects the secure mobile gateway used to protect communications between corporate systems and mobile devices. Although Ivanti initially reported no evidence of active attacks, researchers at Shadowserver found that many internet-exposed Sentry gateways had already been backdoored shortly after the security updates were released.
“We are observing a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today. We see 19 vulnerable instances in our own scans, with at least 2 backdoored (thanks to @NCA_KSA for the tip!). However, all remaining likely compromised too,” the Shadowserver Foundation posted on X. “While our detection is on the lowish side due to multiple Ivanti Sentry instances not reachable in our scans (blocklisted?), if you have not patched you are most likely compromised. Vuln…