Ivanti disclosed two critical vulnerabilities in Sentry — an enterprise mobile gateway deployed across corporate environments to manage and encrypt traffic between mobile devices and back-end infrastructure — with active exploitation confirmed the same day the flaws became public. CVE-2026-10520, rated CVSS 10.0, allows a remote unauthenticated attacker to execute arbitrary commands with root privileges on the device. A companion flaw, CVE-2026-10523, enables persistent administrative access by allowing attackers to create new admin accounts on a compromised device.
The Shadowserver Foundation observed mass exploitation attempts and confirmed at least two of the nineteen Ivanti Sentry instances it tracked had been backdoored within hours of the vulnerability disclosure. WatchTowr, which discovered CVE-2026-10520, released a proof-of-concept exploit alongside its technical analysis on the same day Ivanti published its advisory.
CVE-2026-10520: Unauthenticated Root Access via Sentry’s Exposed Internal API
CVE-2026-10520 is an OS command injection flaw in an unauthenticated API endpoint on Ivanti Sentry. No credentials are required to reach the endpoint. A successful exploit delivers root-level code execution on the Sentry appliance — full control over the device and all traffic it handles. Ivanti Sentry sits inline between corporate mobile devices and back-end systems including Microsoft Exchange, managing, encrypting, and routing enterprise mobile communications. An attacker with root access to a Sentry device can intercept, read, and potentially manipulate every mobile email message and enterprise data payload passing through it.
Affected versions are Sentry 10.5.1, 10.6.1, and 10.7.0 and all earlier releases. Fixed versions are 10.5.2, 10.6.2, and 10.7.1. The WatchTowr proof-of-concept published on disclosure day provided a complete exploitation path, and Shadowserver’s observation of mass attempts indicates threat actors moved immediately.
How CVE-2026-10523 Lets Attackers Retain Admin Access After the RCE Is Patched
CVE-2026-10523 is an authentication bypass flaw that allows attackers to create administrative accounts on a vulnerable Sentry device. Chained with CVE-2026-10520, an attacker can first achieve root RCE, then use CVE-2026-10523 to create a persistent backdoor admin account. The critical consequence: an organization that applies the Sentry patches without first auditing the device for unauthorized administrative accounts may close the initial RCE entry point while leaving an implanted admin backdoor fully intact and operational. Ivanti urged customers to review their device’s administrative account inventory as part of the response, not just apply the patch versions.
Why Ivanti’s Repeated CVE Pattern Made Sentry an Expected Nation-State Target
Ivanti products have been among the most consistently exploited enterprise network devices in recent years. Connect Secure, Policy Secure, EPMM, and MobileIron have each seen critical vulnerability disclosures followed by rapid exploitation campaigns, several attributed to China-nexus APT groups and Iranian state-sponsored actors who targeted Ivanti devices specifically because of their privileged position in enterprise network architecture. These actors have historically moved within hours of a PoC becoming available for Ivanti appliances.
Sentry enters that list under nearly identical conditions to prior campaigns: a maximum-severity RCE flaw, a same-day proof-of-concept, and a deployment model that puts the device inline with corporate communications. The device’s role as a gateway for mobile email and enterprise data makes it a higher-value target than a typical edge appliance — control over Sentry means visibility into the mobile communications of every employee whose device routes traffic through it.
Shadowserver Confirms Backdoored Instances Within Hours of CVE-2026-10520 Disclosure
The Shadowserver Foundation was tracking nineteen publicly accessible Ivanti Sentry instances at the time of disclosure. Within hours of the vulnerability and PoC becoming public, Shadowserver confirmed that two of those nineteen tracked instances had been backdoored — a ten percent compromise rate among the visible population in a timeframe measured in hours, not days. The foundation also observed a large volume of exploitation attempts against the broader Sentry population, consistent with opportunistic automated scanning behavior seen in prior Ivanti CVE campaigns.
Organizations with Sentry devices that were internet-exposed before patching should conduct a forensic review of the device’s administrative account list and examine logs for signs of unauthorized API access before concluding no breach occurred.
Patching CVE-2026-10520 and Auditing for CVE-2026-10523 Admin Account Backdoors
Ivanti recommended immediate patching and advised customers to restrict access to the vulnerable API endpoint as a temporary mitigation while updates are applied. The combination of maximum CVSS severity, an immediately available PoC, and confirmed backdooring makes the Sentry disclosures among the most time-critical patch requirements in the current cycle.
The dual-flaw structure of this disclosure is what distinguishes it from a single CVE advisory: patching the RCE flaw alone does not restore security for any device where an attacker used the hours between disclosure and patching to establish a CVE-2026-10523 admin account. The remediation scope requires both the software update and an account audit — two distinct actions that organizations accustomed to treating patching as a complete response will need to approach differently. Ivanti’s extended vulnerability history suggests that this device class will continue to be a priority target for sophisticated actors regardless of any individual CVE cycle.
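As an added illustration of the two-part remediation described above (this is not Ivanti's or WatchTowr's code), the Python below checks a Sentry build against the fixed versions named in the advisory and flags admin accounts that fall outside a pre-disclosure baseline. It assumes an exported admin-account list with names and ISO-8601 creation timestamps, a known-good baseline of admin names, and a disclosure timestamp; the sample accounts and date are constructed.

```python
from datetime import datetime, timezone

# Fixed builds named in the Ivanti advisory, keyed by release branch.
FIXED_BY_BRANCH = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}

def parse_version(text):
    """'10.6.1' -> (10, 6, 1); missing trailing components count as zero."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def is_vulnerable(version):
    """True when the build predates the fix for its branch. The advisory lists
    10.5.1, 10.6.1, 10.7.0 and every earlier release as affected, so branches
    older than 10.5 are vulnerable; branches newer than 10.7 are not named and
    are treated as unaffected here (assumption)."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    return branch < (10, 5)

def audit_admin_accounts(accounts, baseline, disclosure):
    """Names of admin accounts that need explanation: absent from the
    pre-disclosure baseline, or created at or after the disclosure time."""
    flagged = []
    for acct in accounts:
        created = datetime.fromisoformat(acct["created"])
        if acct["name"] not in baseline or created >= disclosure:
            flagged.append(acct["name"])
    return flagged

def remediation_status(version, accounts, baseline, disclosure):
    """Combine both checks: a patched appliance with unexplained admin accounts
    is still compromised (the RCE door is shut, the backdoor is not)."""
    suspicious = audit_admin_accounts(accounts, baseline, disclosure)
    if is_vulnerable(version):
        return ("unpatched", suspicious)
    if suspicious:
        return ("patched-suspicious-admins", suspicious)
    return ("patched-clean", [])

# Constructed sample input: not real appliance data, and not the real disclosure date.
SAMPLE_DISCLOSURE = datetime(2026, 1, 14, tzinfo=timezone.utc)
SAMPLE_BASELINE = {"admin", "svc-backup"}
SAMPLE_ACCOUNTS = [
    {"name": "admin", "created": "2025-03-02T09:14:00+00:00"},
    {"name": "svc-backup", "created": "2025-11-20T16:40:00+00:00"},
    {"name": "support1", "created": "2026-01-15T03:07:00+00:00"},
]
```

Run `remediation_status("10.7.1", SAMPLE_ACCOUNTS, SAMPLE_BASELINE, SAMPLE_DISCLOSURE)` to see the case the article warns about: the build is fixed, yet `support1` still needs to be explained or removed.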
