Ivanti Sentry OS Command Injection Vulnerability (CVE-2026-10520)
Severity Assessment
- Exploitability: 9/10 - NVD describes a remote unauthenticated path to root-level remote code execution on affected Ivanti Sentry releases.
- Impact: 10/10 - Successful exploitation can give an attacker root execution on an internet-facing appliance that brokers traffic between mobile devices and backend systems.
- Weaponization Risk: 10/10 - The issue is in CISA’s Known Exploited Vulnerabilities catalog and the vendor advisory ships patches for affected releases.
- Patch Urgency: 10/10 - CISA lists a required action date of 2026-06-14, which leaves a short remediation window for exposed systems.
- Detection Coverage: 4/10 - The public sources focus on version and exposure checks; they do not publish strong unique network or host indicators for exploitation.
Summary
CVE-2026-10520 is an OS command injection vulnerability in Ivanti Sentry. NVD says the bug affects Sentry releases before R10.5.2, R10.6.2, and R10.7.1 and can allow a remote unauthenticated user to achieve root-level remote code execution.
Ivanti published a security advisory for CVE-2026-10520 and CVE-2026-10523 on 2026-06-09. CISA added CVE-2026-10520 to the Known Exploited Vulnerabilities catalog on 2026-06-11, which raises the priority for defenders who expose Sentry to untrusted networks. Ivanti Sentry sits in the traffic path between mobile devices and enterprise systems, so compromise can affect authentication, traffic handling, and downstream access control.
The public sources do not identify a threat actor or describe a confirmed victim set. The safest response is to identify exposed Sentry instances, apply Ivanti’s fixed releases, and treat any suspected exploitation as a full appliance incident.
Exploit Chain
Stage 1: Exposed Ivanti Sentry Instance
The attacker targets an Ivanti Sentry deployment that is reachable over the network and still runs a release older than the fixed version for its branch (R10.5.2, R10.6.2, or R10.7.1).
Stage 2: Crafted Request Reaches the Command Injection Path
The attacker sends a crafted request to the vulnerable Sentry component. NVD describes the issue as a remote unauthenticated OS command injection, which means no prior authentication is required to reach the vulnerable code path.
Stage 3: Operating System Command Execution
The injected input is passed into a command execution path on the appliance. That lets the attacker run commands with the privileges of the affected service and move from application control to system control.
Stage 4: Root-Level Remote Code Execution
NVD states that successful exploitation can give the remote attacker root-level remote code execution. On an appliance in the traffic path, that level of access can expose stored credentials, session material, and administrative control data.
Stage 5: Post-Compromise Follow-On Activity
With root access, the attacker can change appliance configuration, capture traffic, disable controls, and use the appliance as a foothold for broader access. Defenders should assume the system is fully compromised until it is rebuilt or otherwise validated as clean.
Detection Guidance
Inventory every Ivanti Sentry deployment and compare it to the affected releases listed by NVD and Ivanti. Prioritize devices that are internet-facing or reachable from untrusted networks.
Review reverse-proxy, application, and appliance logs for requests that look like command injection attempts against Sentry endpoints. Correlate suspicious requests with command execution, service restarts, or crash behavior on the appliance.
Monitor for unexpected changes to Sentry configuration, administrative accounts, certificates, routing rules, and authentication policy. Treat unplanned changes on an exposed appliance as evidence that the platform may have been abused.
Validate that patched releases are deployed: R10.5.2, R10.6.2, and R10.7.1 or later, based on the affected branch. Where immediate patching is not possible, isolate the appliance from untrusted exposure and restrict administrative access to trusted networks only.
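A version triage sketch for the inventory and patch-validation checks above, added here as an example and not taken from Ivanti, NVD, or CISA. The inventory CSV layout and hostnames are constructed, and the handling of branches the page does not name (older branches treated as affected, newer ones as "or later") is an assumption.

```python
import csv
import io
import re

# First fixed release on each branch, as listed in the advisory text above.
FIXED = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}

def parse_release(text):
    """Parse 'R10.6.1' or '10.6.1' into a 3-tuple; None if unparseable."""
    m = re.fullmatch(r"[Rr]?(\d+)\.(\d+)\.(\d+)(?:\.\d+)*", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def classify(release_text):
    """Return 'vulnerable', 'patched' or 'unknown' for one release string."""
    rel = parse_release(release_text)
    if rel is None:
        return "unknown"  # never treat an unparseable version as safe
    fixed = FIXED.get(rel[:2])
    if fixed is not None:
        return "patched" if rel >= fixed else "vulnerable"
    # Assumption: branches newer than every listed branch count as "or later";
    # older branches are "before R10.5.2" with no fixed release listed here.
    return "patched" if rel[:2] > max(FIXED) else "vulnerable"

def triage(inventory_csv):
    """Return (host, release, status, exposed) rows, worst and exposed first."""
    order = {"vulnerable": 0, "unknown": 1, "patched": 2}
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["release"])
        exposed = row["internet_facing"].strip().lower() == "yes"
        rows.append((row["host"], row["release"], status, exposed))
    rows.sort(key=lambda r: (order[r[2]], not r[3], r[0]))
    return rows

# Constructed inventory (hostnames use the reserved .example TLD).
SAMPLE = """host,release,internet_facing
sentry-a.corp.example,R10.5.1,no
sentry-b.corp.example,R10.6.2,yes
sentry-c.corp.example,R10.7.0,yes
sentry-d.corp.example,10.4.3,no
sentry-e.corp.example,unknown-build,yes
"""

if __name__ == "__main__":
    for host, rel, status, exposed in triage(SAMPLE):
        print(f"{status:10} exposed={exposed!s:5} {host} {rel}")
```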
Preserve logs, configuration exports, and forensic images before remediation when compromise is suspected. The appliance handles traffic and identity-related functions, so responders should assume the attacker may have modified both state and access paths.
Indicators of Compromise
The public sources do not publish a unique payload hash, IP list, or actor infrastructure for CVE-2026-10520. Use the following as triage leads rather than proof of compromise.
Network indicators:
- Requests to Ivanti Sentry endpoints that contain shell metacharacters, command separators, or other injection markers.
- Repeated unauthenticated requests that align with the vulnerable Sentry management or proxy surface.
- Traffic anomalies followed by appliance restarts or configuration changes.
Host indicators:
- Unexpected command execution on the Sentry appliance.
- Sudden service restarts, crash loops, or administrative actions that do not match change records.
- Configuration drift in certificates, routing, authentication, or access-control settings.
Log indicators:
- Appliance or application logs that show malformed requests followed by command execution errors.
- Administrative log entries that do not match approved maintenance windows.
- Events that show new accounts, policy changes, or service changes without an operator change ticket.
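A log triage sketch for the network indicators and the request-to-restart correlation described in the detection guidance, added here as an example and not taken from the vendor or the cited sources. It assumes combined-format reverse-proxy lines and a separately collected list of appliance restart times; the paths are placeholders, not real Sentry endpoints, and all sample data is constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, unquote, urlsplit

# Injection markers: command separators, pipes, backticks, substitutions, newlines.
MARKERS = re.compile(r"[;|&`\r\n]|\$\(|\$\{")
LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markers are not missed."""
    for _ in range(rounds):
        value, prev = unquote(value), value
        if value == prev:
            break
    return value

def suspicious(target):
    """True if the path or any query value decodes to a shell metacharacter."""
    parts = urlsplit(target)
    # parse_qsl splits on literal '&' first, so only an encoded '&' is flagged.
    fields = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return any(MARKERS.search(fully_decode(f)) for f in fields)

def triage(access_log, restart_times, window=timedelta(minutes=5)):
    """Return flagged requests, each marked if a restart followed within window."""
    hits = []
    for line in access_log.splitlines():
        m = LINE.match(line)
        if not m or not suspicious(m.group(4)):
            continue
        ts = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z")
        followed = any(timedelta(0) <= r - ts <= window for r in restart_times)
        hits.append({"src": m.group(1), "unauthenticated": m.group(2) == "-", "time": ts,
                     "status": int(m.group(5)), "restart_followed": followed})
    return hits

# Constructed sample data: placeholder paths and documentation-range addresses.
SAMPLE_LOG = """192.0.2.10 - - [11/Jun/2026:10:01:00 +0000] "GET /placeholder/status?a=1&b=2 HTTP/1.1" 200 512
198.51.100.7 - - [11/Jun/2026:10:02:13 +0000] "POST /placeholder/endpoint?name=x%3Becho%20test HTTP/1.1" 500 0
198.51.100.7 - - [11/Jun/2026:11:30:00 +0000] "GET /placeholder/endpoint?q=%2524%2528x%2529 HTTP/1.1" 404 0
"""
SAMPLE_RESTARTS = [datetime.fromisoformat("2026-06-11T10:04:30+00:00")]

if __name__ == "__main__":
    for h in triage(SAMPLE_LOG, SAMPLE_RESTARTS):
        print(h["time"].isoformat(), h["src"], h["status"], h["restart_followed"])
```

A hit is a triage lead, as the section says: ordinary `&` separators are ignored, and a flagged request followed by a restart is the one to pull appliance logs for first.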
Disclosure Timeline
2026-06-09 — Ivanti Advisory Published
Ivanti published its security advisory for CVE-2026-10520 and CVE-2026-10523, and the company released fixed versions for affected Ivanti Sentry branches.
2026-06-09 — NVD Record Published
NVD published the CVE-2026-10520 record and described the issue as an OS command injection that can yield root-level remote code execution.
2026-06-11 — CISA KEV Entry Added
CISA added CVE-2026-10520 to the Known Exploited Vulnerabilities catalog and set a remediation due date of 2026-06-14.
Sources & References
- Cybersecurity and Infrastructure Security Agency: Known Exploited Vulnerabilities Catalog — Cybersecurity and Infrastructure Security Agency, 2026-06-11
- National Vulnerability Database: CVE-2026-10520 Detail — National Vulnerability Database, 2026-06-11
- Ivanti: Security Advisory for Ivanti Sentry CVE-2026-10520 and CVE-2026-10523 — Ivanti, 2026-06-09