Ivanti Sentry Zero-Day Exploited in Attacks, Shadowserver Reports Widespread Compromise

Attackers are actively exploiting a maximum-severity vulnerability in Ivanti Sentry, a secure mobile gateway formerly known as MobileIron Sentry, to execute code with root privileges on internet-exposed appliances. The flaw, tracked as CVE-2026-10520, was patched by Ivanti on June 10, 2026, but the Shadowserver Foundation reported the next day that exploitation attempts were already widespread.

Shadowserver observed 19 vulnerable instances in its scans, with at least two confirmed backdoored. The organization warned that all remaining exposed gateways are likely compromised, noting that its detection is limited because many Ivanti Sentry instances blocklist its search engine.

Root-Level Code Execution via OS Command Injection

The vulnerability stems from an OS command injection weakness in Ivanti Sentry, allowing unauthenticated attackers to execute arbitrary commands as root. Ivanti released patches in versions R10.5.2, R10.6.2, and R10.7.1. At the time of disclosure, the company stated it had no evidence of exploitation, but public proof-of-concept code quickly followed, enabling mass scanning and attacks.

• CVE-2026-10520 carries a CVSS score of 10.0, the highest severity rating.
• Ivanti Sentry secures traffic between corporate back-end systems and remote mobile devices.
• Shadowserver reported that most internet-exposed Sentry instances are likely backdoored.
• Ivanti has not updated its advisory to reflect active exploitation as of June 11.
• Ivanti products have been flagged in 34 actively exploited vulnerabilities by CISA over the past several years.

Broader Threat Landscape: Oracle, ServiceNow, and Critical Infrastructure

The Ivanti attacks come amid a surge in security incidents targeting enterprise software. The ShinyHunters extortion gang is actively hacking Oracle PeopleSoft servers, claiming data theft from over 100 organizations. Separately, bug bounty research on ServiceNow inadvertently triggered false security alerts, causing organizations to believe they were breached. In Australia, a cyberattack shut down major sugar mills operated by the country's second-largest sugar producer, disrupting harvest operations. Meanwhile, the China-linked JDY botnet, associated with Volt Typhoon, has expanded its targeting of U.S. military networks, increasing reconnaissance efforts.

Organizations using Ivanti Sentry should immediately apply the available patches and assume compromise if their gateways were exposed. CISA has previously ordered federal agencies to patch Ivanti flaws within days, and similar urgency is warranted for this vulnerability. Ivanti's products are used by over 40,000 customers worldwide, making the attack surface significant.