The Ivanti Sentry security gateway appliance, used to secure traffic between corporate systems and remote mobile devices, contains a critical OS command injection vulnerability tracked as CVE-2026-10520. This flaw enables attackers to execute arbitrary code with root privileges on Internet-exposed Sentry gateways. Ivanti released patches for this vulnerability in versions R10.5.2, R10.6.2, and R10.7.1. Shortly after patch release, the Shadowserver organization reported active exploitation and backdooring of exposed Sentry instances, indicating attackers are leveraging publicly available proof-of-concept exploits. Although Ivanti initially reported no evidence of exploitation at disclosure, ongoing attacks have been observed. The vulnerability is exploited to gain root-level access, posing a severe risk to enterprise networks that rely on Ivanti Sentry for mobile device security. The vendor has not yet updated its advisory to acknowledge active exploitation. This vulnerability follows a pattern of Ivanti products being targeted for critical flaws that enable network intrusion and data theft.

Successful exploitation allows attackers to execute arbitrary code with root privileges on Internet-exposed Ivanti Sentry gateways. This can lead to full compromise of the gateway device, unauthorized access to corporate networks, potential data theft, and persistent backdoors. The vulnerability affects the security boundary between remote mobile devices and corporate back-end systems, increasing the risk of lateral movement and further network compromise. Active exploitation has been confirmed by third-party security researchers shortly after patch release, indicating a high risk to unpatched systems.

Ivanti has released official patches addressing this vulnerability in versions R10.5.2, R10.6.2, and R10.7.1 of Ivanti Sentry. Organizations should immediately apply these updates to affected systems. Since the vulnerability is actively exploited in the wild, unpatched systems are likely compromised. Ivanti has not updated its advisory to reflect ongoing exploitation, so users should rely on the patch and external security reports for guidance. No alternative mitigations or workarounds are indicated in the available information. Prompt patching is the primary and necessary remediation.