Ivanti patches – Ivanti has released patches for two critical vulnerabilities in its Sentry secure mobile gateway, including a maximum-severity OS command injection flaw that allows remote attackers to execute code as root. The company says it has found no evidence of active e
The worry hits security teams before the day is even over: Ivanti has patched a maximum-severity Sentry flaw that can let a remote attacker execute code with root privileges.
The issue affects Ivanti’s Sentry secure mobile gateway appliance, which secures traffic between back-end corporate systems and remote mobile devices. The company released fixes for two separate vulnerabilities on Tuesday, calling out one as the worst possible severity.
Tracked as CVE-2026-10520, the maximum-severity vulnerability is rooted in an OS command injection weakness. In practical terms, it opens the door for remote code execution with root privileges.
Just days’ worth of patch backlog could matter because Ivanti also addressed a second critical problem in the same product. Tracked as CVE-2026-10523, the second flaw is a critical authentication bypass. Ivanti says it can be exploited remotely by unauthenticated attackers to create rogue administrative accounts and gain full administrative access.
Ivanti moved quickly with remediation. On Tuesday, it released Sentry versions R10.5.2, R10.6.2, and R10.7.1 to patch both security issues.
For defenders. the most urgent sentence in Ivanti’s communication is the one that suggests this hasn’t already turned into a widespread incident. The company said it has no evidence that the two vulnerabilities are being exploited in the wild. and it advised admins to upgrade their systems to protect against potential attacks.
“We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure,” Ivanti said. “Currently, there is no known public exploitation of this vulnerability that could be used to provide a list of indicators of compromise.”
That reassurance doesn’t erase the broader pressure security teams have felt for years around Ivanti vulnerabilities. In recent years. Ivanti issues have often been targeted because they provide cybercriminals an easier route into enterprise networks—routes that can lead to theft of sensitive corporate and customer data.
The pattern has already pulled regulators into action. In May, the Cybersecurity and Infrastructure Security Agency (CISA) ordered U.S. federal agencies to patch Ivanti devices after Ivanti warned customers to immediately patch a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM) that was exploited in zero-day attacks.
The same cycle has continued elsewhere. Ivanti has also addressed multiple other zero-days in recent years that were exploited to breach a wide range of targets. including government agencies worldwide. Ivanti said two other critical EPMM vulnerabilities addressed in January were exploited as zero-days in attacks against a “very limited number of customers.”.
CISA, for its part, has tagged 34 vulnerabilities across various SolarWinds products as actively exploited in attacks over the past several years. CISA says 12 of those vulnerabilities were also used in ransomware attacks.
Ivanti’s reach is significant enough that these updates are rarely treated as niche maintenance. Its IT asset management solutions are used by over 40,000 clients worldwide, supported by a network of over 7,000 partners and over 3,000 employees.
With CVE-2026-10520 and CVE-2026-10523 both treated as critical. and with patches now available in Sentry versions R10.5.2. R10.6.2. and R10.7.1. the immediate question for administrators is straightforward: how fast can you get every exposed Sentry system upgraded—before an issue that hasn’t been publicly exploited yet becomes one that attackers can rely on?.
Ivanti Sentry CVE-2026-10520 CVE-2026-10523 OS command injection root code execution authentication bypass mobile security gateway cybersecurity patches enterprise security