Critical Ivanti Sentry Flaw Exploited in the Wild Just Days After Patch Release
Attackers are actively targeting a recently patched maximum-severity vulnerability (CVE-2026-10520) in Ivanti Sentry, a security gateway appliance that secures mobile device traffic to corporate systems. The flaw, an OS command injection weakness, allows threat actors to execute code with root privileges on exposed instances.
Ivanti released patches on August 20 for affected versions (R10.5.2, R10.6.2, and R10.7.1), initially stating there was no evidence of exploitation. However, the Shadowserver Foundation reported the next day that attackers had already backdoored most exposed Sentry gateways. While Shadowserver’s scans detected only 19 vulnerable instances, with at least two confirmed compromised, it warned that many more may be unreachable due to blocklisting, suggesting broader exploitation.
Hackers frequently target Ivanti vulnerabilities to gain access to enterprise networks, often leading to data theft or further compromise. Recent incidents include zero-day exploits against government agencies and critical flaws in Endpoint Manager Mobile (EPMM), some of which were leveraged in ransomware attacks. The Cybersecurity and Infrastructure Security Agency (CISA) has flagged 34 Ivanti vulnerabilities as actively exploited in the wild, with 12 tied to ransomware campaigns.
Ivanti’s solutions are widely deployed, serving over 40,000 customers globally, including government and enterprise networks. Despite the urgency, Ivanti has not yet updated its advisory to reflect the ongoing attacks.
Ivanti cybersecurity rating report: https://www.rankiteo.com/company/ivanti
{
  "id": "IVA1781166735",
  "linkid": "ivanti",
  "type": "Vulnerability",
  "date": "6/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': 'At least two confirmed, '
                                              'potentially more',
                        'industry': 'Cybersecurity',
                        'location': 'Global',
                        'name': 'Ivanti',
                        'size': '40,000+ customers',
                        'type': 'Technology Vendor'}],
 'attack_vector': 'Exploiting unpatched vulnerability in Ivanti Sentry',
 'data_breach': {'data_exfiltration': True,
                 'sensitivity_of_data': 'Corporate system access, mobile '
                                        'device traffic'},
 'date_publicly_disclosed': '2024-08-21',
 'description': 'Attackers are actively targeting a recently patched '
                'maximum-severity vulnerability (CVE-2026-10520) in Ivanti '
                'Sentry, a security gateway appliance that secures mobile '
                'device traffic to corporate systems. The flaw, an OS command '
                'injection weakness, allows threat actors to execute code with '
                'root privileges on exposed instances. Hackers have backdoored '
                'most exposed Sentry gateways, with at least two confirmed '
                'compromised.',
 'impact': {'brand_reputation_impact': True,
            'data_compromised': True,
            'identity_theft_risk': True,
            'operational_impact': 'Potential unauthorized access to corporate '
                                  'systems',
            'systems_affected': 'Ivanti Sentry gateways'},
 'initial_access_broker': {'backdoors_established': True,
                           'entry_point': 'Exploiting CVE-2026-10520',
                           'high_value_targets': 'Enterprise and government '
                                                 'networks'},
 'investigation_status': 'Ongoing',
 'motivation': ['Data theft', 'Further network compromise', 'Ransomware'],
 'post_incident_analysis': {'corrective_actions': 'Patch deployment, enhanced '
                                                  'monitoring for exploitation',
                            'root_causes': 'Unpatched vulnerability in Ivanti '
                                           'Sentry'},
 'ransomware': {'data_exfiltration': True},
 'recommendations': 'Apply Ivanti patches immediately, monitor for signs of '
                    'compromise, and review CISA advisories for Ivanti '
                    'vulnerabilities.',
 'references': [{'source': 'Shadowserver Foundation'},
                {'source': 'Ivanti Advisory'},
                {'source': 'CISA'}],
 'response': {'remediation_measures': 'Patch released (R10.5.2, R10.6.2, '
                                      'R10.7.1)'},
 'title': 'Critical Ivanti Sentry Flaw Exploited in the Wild Just Days After '
          'Patch Release',
 'type': 'OS Command Injection',
 'vulnerability_exploited': 'CVE-2026-10520'}