Ivanti Sentry Exploit Goes Live: Most Exposed Gateways Backdoored

Huma Shazia | 11 June 2026 at 12:12 pm | 5 min read

Key Takeaways
Source: BleepingComputer
  • CVE-2026-10520 allows unauthenticated attackers to execute commands with root privileges on Ivanti Sentry gateways
  • Shadowserver reports at least 2 of 19 scanned instances are confirmed backdoored, with all remaining likely compromised
  • The exploit is trivial and requires zero credentials, making immediate patching critical

Attackers wasted no time. Within 24 hours of Ivanti releasing patches for a critical vulnerability in its Sentry gateway appliance, threat actors had already compromised most of the internet-exposed systems.

The vulnerability, tracked as CVE-2026-10520, carries the maximum CVSS score of 10.0. It lets unauthenticated attackers execute arbitrary commands with root privileges on affected systems. No credentials required. No user interaction needed.

10.0: the maximum CVSS base score assigned to CVE-2026-10520, indicating critical severity with trivial exploitation requirements

Ivanti Sentry, formerly known as MobileIron Sentry, is a security gateway appliance that manages encrypted traffic between remote mobile devices and corporate back-end systems. It sits at a critical junction in enterprise networks. Compromise it, and attackers can intercept sensitive data or pivot deeper into internal infrastructure.

What Happened

Ivanti patched the OS command injection flaw on Tuesday, June 10, releasing Sentry versions R10.5.2, R10.6.2, and R10.7.1. At that time, the company said it had no evidence of exploitation in the wild.

That changed fast. By Wednesday, the Shadowserver Foundation, a nonprofit security organization that monitors internet threats, detected widespread exploitation attempts.

Shadowserver's scans found 19 vulnerable Sentry instances. At least two were confirmed backdoored, with assistance from Saudi Arabia's National Cybersecurity Authority. The organization believes all remaining exposed instances are likely compromised as well.

The actual number of vulnerable systems is probably higher. Shadowserver noted that many Sentry instances block their search engine, limiting visibility.

[Figure: Shadowserver scan showing Ivanti Sentry admin portals exposed online]

Why This Exploit Is Dangerous

Security researchers at watchTowr Labs analyzed the vulnerability and published a proof-of-concept scanner. Their assessment was blunt.

The vulnerability is trivial to exploit... allowing an unauthenticated remote attacker to execute arbitrary commands with root privileges.

— Research Team, watchTowr Labs

The combination of factors makes this particularly severe. The flaw requires no authentication. Exploitation grants the highest level of system access. And public exploit code appeared almost immediately after the patch.

Ivanti's Response

As of publication, Ivanti has not updated its security advisory. The document still states: "We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure."

That statement was accurate when published on Tuesday. It is no longer accurate. BleepingComputer reports that Ivanti did not immediately respond to requests for comment on the ongoing attacks.

A Pattern of Ivanti Vulnerabilities

This is not an isolated incident. Ivanti products have become a frequent target for attackers seeking entry into enterprise networks.

In January 2026, Ivanti patched two critical Endpoint Manager Mobile (EPMM) vulnerabilities after they were exploited as zero-days. Last month, CISA ordered U.S. federal agencies to patch Ivanti systems after another high-severity EPMM flaw was abused in attacks.

Over the past several years, CISA has flagged 34 vulnerabilities across Ivanti products as actively exploited in the wild. Twelve of those were also used in ransomware attacks. Government agencies worldwide have been among the victims.

What You Should Do Now

If you run Ivanti Sentry, assume you are compromised unless you patched before June 10. Even then, verify.

  1. Update immediately to Sentry versions R10.5.2, R10.6.2, or R10.7.1
  2. Restrict access to the Sentry management interface and API to trusted IP ranges
  3. Check for indicators of compromise, particularly unauthorized admin accounts or unexpected network connections
  4. Review logs for command execution anomalies dating back to the public disclosure
  5. Consider isolating or taking offline any unpatched Sentry instances until updates can be applied
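
A small triage helper for steps 1, 2 and 5 above, as an added example that is not from the article or from Ivanti: it compares each gateway's version with the fixed release for its branch and maps the result to an action. It assumes the three fixed releases are per-branch fixes, that branches newer than 10.7 already carry the fix, and it uses a constructed inventory with placeholder host names.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(10, 5): 2, (10, 6): 2, (10, 7): 1}

def parse_version(text):
    """Parse 'R10.6.1' (leading 'R' optional) into (major, minor, patch)."""
    m = re.fullmatch(r"[Rr]?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Sentry version: {text!r}")
    return tuple(int(g) for g in m.groups())

def is_vulnerable(version):
    """True if the version predates the fixed release for its branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED:
        return patch < FIXED[branch]
    # Assumption: branches older than 10.5 are unfixed; newer ones carry the fix.
    return branch < min(FIXED)

def triage(record):
    """Map one inventory record to an action drawn from the article's steps."""
    vulnerable = is_vulnerable(record["version"])
    exposed = record["internet_exposed"]
    if vulnerable and exposed:
        return "isolate, patch, assume compromised"
    if vulnerable:
        return "patch, then check for compromise"
    if exposed:
        return "restrict management access, verify"
    return "verify"

# Constructed inventory; host names and fields are placeholders.
INVENTORY = [
    {"host": "sentry-a.example.internal", "version": "R10.5.1", "internet_exposed": True},
    {"host": "sentry-b.example.internal", "version": "R10.6.2", "internet_exposed": True},
    {"host": "sentry-c.example.internal", "version": "R10.7.0", "internet_exposed": False},
    {"host": "sentry-d.example.internal", "version": "R10.7.1", "internet_exposed": False},
]

def triage_inventory(records):
    """Return (host, action) pairs for every record."""
    return [(r["host"], triage(r)) for r in records]

if __name__ == "__main__":
    for host, action in triage_inventory(INVENTORY):
        print(f"{host}: {action}")
```

A fixed version only answers step 1; hosts reported as "verify" still need the account, connection and log checks in steps 3 and 4.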

Security professionals in forums and on social media are stressing urgency. The exploit is trivial. The scanning is widespread. The window between patch release and mass exploitation was measured in hours, not days.

Frequently Asked Questions

What is CVE-2026-10520?

CVE-2026-10520 is a critical OS command injection vulnerability in Ivanti Sentry that allows unauthenticated attackers to execute commands with root privileges. It carries the maximum CVSS score of 10.0.

Which Ivanti Sentry versions are affected?

Versions prior to R10.5.2, R10.6.2, and R10.7.1 are vulnerable. These patched versions were released on June 10, 2026.

How do I know if my Ivanti Sentry is compromised?

Check for unauthorized admin accounts, unexpected network connections, and unusual command execution in logs. Shadowserver suggests that any unpatched internet-exposed instance should be assumed compromised.

Why are Ivanti products frequently targeted?

Ivanti security appliances sit at network perimeters and handle sensitive traffic between mobile devices and corporate systems. Compromising them gives attackers a direct path into enterprise networks.

Has CISA issued guidance on this vulnerability?

As of June 11, 2026, CISA has not issued specific guidance on CVE-2026-10520. However, the agency has previously flagged 34 Ivanti vulnerabilities as actively exploited and has ordered federal agencies to patch other recent Ivanti flaws.
