Ivanti Sentry Exploitation Attempts Hitting Honeypots
The critical-severity OS command injection vulnerability allows attackers to execute arbitrary code with root privileges. The post Ivanti Sentry Exploitation Attempts Hitting Honeypots appeared first on SecurityWeek.
AI Analysis
Technical Summary
CVE-2026-10520 is a critical OS command injection vulnerability in Ivanti Sentry that allows remote, unauthenticated attackers to execute arbitrary code with root privileges by accessing the management port (8443). Ivanti patched this vulnerability in versions 10.5.2, 10.6.2, and 10.7.1 on June 10, 2026. The US CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, urging rapid patching. However, exploitation attempts have only been detected on honeypots, indicating no confirmed active exploitation in production environments. The vulnerability's risk is significantly reduced when the appliance is managed via mTLS or restricted HTTPS access, which blocks external access to the management interfaces. Ivanti advises that management interfaces should never be exposed to the internet, and unmanaged Sentry instances are not intended for production use.
Potential Impact
Successful exploitation allows remote attackers to execute arbitrary OS commands with root privileges on the affected Ivanti Sentry appliance. This could lead to full system compromise. However, exploitation requires access to the management port, which is typically protected or should be restricted from external access. The vulnerability is critical with a CVSS score of 10.0, but real-world risk is mitigated by deployment configurations such as mTLS and restricted HTTPS access. No confirmed in-the-wild exploitation has been reported beyond honeypot detections.
Mitigation Recommendations
Apply the official patches released by Ivanti on June 10, 2026, for versions 10.5.2, 10.6.2, and 10.7.1. Ensure that the management port (8443) is not exposed to the internet. Use mTLS with EPMM or restrict HTTPS access through Neurons for MDM to prevent external access to vulnerable APIs. Unmanaged Sentry appliances should not be used in production environments. Follow CISA guidance to prioritize patching within three days for federal agencies and similarly critical environments.
Technical Details
- Article Source
- {"url":"https://www.securityweek.com/ivanti-sentry-exploitation-attempts-hitting-honeypots/","fetched":true,"fetchedAt":"2026-06-12T09:54:24.118Z","wordCount":1017}
Threat ID: 6a2bd750e617e2d83448bbb1
Added to database: 6/12/2026, 9:54:24 AM
Last enriched: 6/12/2026, 9:54:32 AM
Last updated: 6/12/2026, 12:19:55 PM