News Article · Jun 11, 2026 at 11:12 PM
Ivanti Sentry Patches Address Two Critical Flaws Including Maximum Severity RCE Bug
Security #authentication bypass #remote code execution #ivanti #sentry #CVE-2026-10520 #CVE-2026-10523 #critical vulnerability #patch


Ivanti has released patches for two critical vulnerabilities in its Sentry product, including a maximum severity OS command injection bug. One flaw scores a perfect 10.0.


Ivanti has released security patches for two critical vulnerabilities in its Sentry enterprise mobile gateway product, formerly known as MobileIron Sentry. One of the flaws, CVE-2026-10520, carries the maximum CVSS severity score of 10.0 and allows a remote unauthenticated attacker to execute arbitrary code with root privileges.

Both vulnerabilities affect Sentry versions prior to R10.5.2, R10.6.2, and R10.7.1. The second flaw, CVE-2026-10523, scores 9.9 on the CVSS scale and is an authentication bypass that lets a remote unauthenticated attacker create arbitrary administrative accounts and gain full administrative access to the appliance.

Attack Vector and Exploitation Mechanics

Security researchers at watchTowr Labs published a detailed analysis of CVE-2026-10520, describing how an attacker can trigger the vulnerability by sending a specially crafted HTTP request to the endpoint "/mics/api/v2/sentry/mics-config/handleMessage". That request is interpreted as a MICS configuration command and executed by a backend function called handleExecute(). Ivanti’s patch blocks unauthenticated access to that endpoint and redirects requests to the login page.

  • Ivanti said the fix adds authentication controls, making it harder for attackers to reach the vulnerable execution path without a valid session.
  • Security researcher Sonny Macdonald noted that Ivanti added a layer of protection in front of the vulnerable endpoint rather than simply removing attacker control over the execution path.
  • The Shadowserver Foundation reported observing a large volume of exploitation attempts based on the public proof of concept code, with at least two vulnerable instances already backdoored.

Immediate Threat and Mitigation Steps

Organizations running Ivanti Sentry should prioritize updating to versions R10.5.2, R10.6.2, or R10.7.1 immediately. The combination of a maximum severity RCE bug and an authentication bypass makes these vulnerabilities particularly dangerous in enterprise environments where Sentry is used to secure mobile device connections to internal resources. Ivanti has not updated its advisory to reflect the exploitation status, despite evidence of active attacks.

Network defenders should also monitor for unusual administrative account creation or unexpected outbound connections from Sentry appliances. The public availability of exploit code combined with reports of backdoored instances means the window for unpatched systems is closing rapidly.
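
The monitoring advice above can start from the one concrete indicator this article gives, the endpoint path. The sketch below is an added example, not code from Ivanti, watchTowr Labs or the article's sources: it scans web access logs for requests to that path and separates requests that were redirected (what the article says the patch does) from requests the appliance answered directly. The combined log format, the mapping of the login redirect to a 3xx status, and the sample lines are assumptions.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint named in the article for CVE-2026-10520 (compared case-insensitively to over-match).
ENDPOINT = "/mics/api/v2/sentry/mics-config/handlemessage"
# Assumption: common/combined log format from a proxy or load balancer in front of Sentry.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Constructed sample lines (documentation-range addresses), not real telemetry.
SAMPLE = [
    '198.51.100.7 - - [12/Jun/2026:03:14:07 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [12/Jun/2026:03:20:41 +0000] "POST /mics//api/v2/sentry/%6Dics-config/handleMessage?x=1 HTTP/1.1" 302 0 "-" "-"',
    '192.0.2.44 - - [12/Jun/2026:03:21:02 +0000] "GET /mics/login HTTP/1.1" 200 2048 "-" "-"',
]

def normalize(target: str) -> str:
    """Drop the query, percent-decode, collapse slashes and dot segments, lowercase."""
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/{2,}", "/", path)
    return posixpath.normpath(path).lower()

def classify(status: int) -> str:
    if 300 <= status < 400:
        return "redirected"  # assumption: the patched login redirect shows up as a 3xx
    if 200 <= status < 300:
        return "served"      # answered without a redirect: triage this appliance
    return "other"

def scan(lines):
    """Return {source: [(timestamp, method, status, verdict), ...]} for endpoint requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or normalize(m["target"]) != ENDPOINT:
            continue
        status = int(m["status"])
        hits[m["src"]].append((m["ts"], m["method"], status, classify(status)))
    return dict(hits)

def needs_triage(hits):
    """Sources with at least one request the appliance answered without redirecting."""
    return sorted(s for s, evs in hits.items() if any(e[3] == "served" for e in evs))

if __name__ == "__main__":
    print(needs_triage(scan(SAMPLE)))
```

A "redirected" verdict only describes that one request; requests logged before the update was applied still need review against the appliance's administrative account list and outbound connections.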

Fact check

  • CVE-2026-10520 has a CVSS score of 10.0 and allows unauthenticated remote code execution with root privileges. (verified)

  • CVE-2026-10523 is an authentication bypass that allows an attacker to create arbitrary administrative accounts. (verified)

  • The Shadowserver Foundation observed a large volume of exploitation attempts and reported at least two backdoored instances. (reported)

  • The vulnerable endpoint is /mics/api/v2/sentry/mics-config/handleMessage. (verified)
