{
    "@context": "https://schema.org",
    "@type": "NewsArticle",
    "@id": "https://hostdir.net/blog/ivanti-sentry-patches-address-two-critical-flaws-including-maximum-severity-rce-bug",
    "headline": "Ivanti Sentry Patches Address Two Critical Flaws Including Maximum Severity RCE Bug",
    "url": "https://hostdir.net/blog/ivanti-sentry-patches-address-two-critical-flaws-including-maximum-severity-rce-bug",
    "datePublished": "2026-06-11T23:12:00+00:00",
    "dateModified": "2026-06-11T23:50:29+00:00",
    "author": {
        "@type": "Organization",
        "name": "HostDir News Desk",
        "url": "https://hostdir.net"
    },
    "publisher": {
        "@type": "Organization",
        "name": "HostDir",
        "url": "https://hostdir.net",
        "logo": {
            "@type": "ImageObject",
            "url": "https://hostdir.net/assets/logo.svg"
        }
    },
    "image": "https://hostdir.net/uploads/news/ae5be1bc65a7e136.webp",
    "description": "Ivanti has released patches for two critical vulnerabilities in its Sentry product, including a maximum severity OS command injection bug. One flaw scores a perfect 10.0.",
    "articleSection": "Security",
    "articleBody": "Ivanti has released security patches for two critical vulnerabilities in its Sentry enterprise mobile gateway product, formerly known as MobileIron Sentry. One of the flaws, CVE-2026-10520, carries the maximum CVSS severity score of 10.0 and allows a remote unauthenticated attacker to execute arbitrary code with root privileges.\n\nBoth vulnerabilities affect Sentry versions prior to R10.5.2, R10.6.2, and R10.7.1. The second flaw, CVE-2026-10523, scores 9.9 on the CVSS scale and is an authentication bypass that lets a remote unauthenticated attacker create arbitrary administrative accounts and gain full administrative access to the appliance.\n\nAttack Vector and Exploitation Mechanics\n\nSecurity researchers at watchTowr Labs published a detailed analysis of CVE-2026-10520, describing how an attacker can trigger the vulnerability by sending a specially crafted HTTP request to the endpoint \"/mics/api/v2/sentry/mics-config/handleMessage\". That request is interpreted as a MICS configuration command and executed by a backend function called handleExecute(). Ivanti’s patch blocks unauthenticated access to that endpoint and redirects requests to the login page.\n\nIvanti said the fix adds authentication controls, making it harder for attackers to reach the vulnerable execution path without a valid session.\n\nSecurity researcher Sonny Macdonald noted that Ivanti added a layer of protection in front of the vulnerable endpoint rather than simply removing attacker control over the execution path.\n\nThe Shadowserver Foundation reported observing a large volume of exploitation attempts based on the public proof of concept code, with at least two vulnerable instances already backdoored.\n\nImmediate Threat and Mitigation Steps\n\nOrganizations running Ivanti Sentry should prioritize updating to versions R10.5.2, R10.6.2, or R10.7.1 immediately.\n\nThe combination of a maximum severity RCE bug and an authentication bypass makes these vulnerabilities particularly dangerous in enterprise environments where Sentry is used to secure mobile device connections to internal resources. Ivanti has not updated its advisory to reflect the exploitation status, despite evidence of active attacks.\n\nNetwork defenders should also monitor for unusual administrative account creation or unexpected outbound connections from Sentry appliances. The public availability of exploit code combined with reports of backdoored instances means the window for unpatched systems is closing rapidly.",
    "mainEntityOfPage": "https://hostdir.net/blog/ivanti-sentry-patches-address-two-critical-flaws-including-maximum-severity-rce-bug",
    "citation": [
        {
            "@type": "CreativeWork",
            "name": "Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities",
            "url": "https://thehackernews.com/2026/06/ivanti-fortinet-and-sap-release-patches.html"
        },
        {
            "@type": "CreativeWork",
            "name": "Ivanti tells Sentry customers to patch now as critical bugs hit 10.0 and 9.9",
            "url": "https://www.theregister.com/patches/2026/06/10/ivanti-urges-sentry-users-to-patch-two-critical-bugs/5253428"
        },
        {
            "@type": "CreativeWork",
            "name": "Ivanti: Max severity Sentry flaw allows code execution as root",
            "url": "https://www.bleepingcomputer.com/news/security/new-max-severity-ivanti-sentry-flaw-allows-code-execution-as-root/"
        }
    ],
    "_hostdir": {
        "kind": "news-article",
        "slug": "ivanti-sentry-patches-address-two-critical-flaws-including-maximum-severity-rce-bug",
        "canonical": "https://hostdir.net/blog/ivanti-sentry-patches-address-two-critical-flaws-including-maximum-severity-rce-bug",
        "category": "security",
        "sources": [
            {
                "url": "https://thehackernews.com/2026/06/ivanti-fortinet-and-sap-release-patches.html",
                "title": "Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities",
                "source_name": "The Hacker News",
                "source_slug": "hacker-news"
            },
            {
                "url": "https://www.theregister.com/patches/2026/06/10/ivanti-urges-sentry-users-to-patch-two-critical-bugs/5253428",
                "title": "Ivanti tells Sentry customers to patch now as critical bugs hit 10.0 and 9.9",
                "source_name": "The Register",
                "source_slug": "register-headlines"
            },
            {
                "url": "https://www.bleepingcomputer.com/news/security/new-max-severity-ivanti-sentry-flaw-allows-code-execution-as-root/",
                "title": "Ivanti: Max severity Sentry flaw allows code execution as root",
                "source_name": "BleepingComputer",
                "source_slug": "bleeping-computer"
            }
        ],
        "fact_checks": [
            {
                "claim": "CVE-2026-10520 has a CVSS score of 10.0 and allows unauthenticated remote code execution with root privileges.",
                "source_url": "https://thehackernews.com/2026/06/ivanti-fortinet-and-sap-release-patches.html",
                "verdict": "verified"
            },
            {
                "claim": "CVE-2026-10523 is an authentication bypass that allows an attacker to create arbitrary administrative accounts.",
                "source_url": "https://thehackernews.com/2026/06/ivanti-fortinet-and-sap-release-patches.html",
                "verdict": "verified"
            },
            {
                "claim": "The Shadowserver Foundation observed a large volume of exploitation attempts and reported at least two backdoored instances.",
                "source_url": "https://thehackernews.com/2026/06/ivanti-fortinet-and-sap-release-patches.html",
                "verdict": "reported"
            },
            {
                "claim": "The vulnerable endpoint is /mics/api/v2/sentry/mics-config/handleMessage.",
                "source_url": "https://thehackernews.com/2026/06/ivanti-fortinet-and-sap-release-patches.html",
                "verdict": "verified"
            }
        ],
        "internal_links": [
            {
                "anchor": "create",
                "target_url": "/providers/create",
                "target_kind": "provider"
            },
            {
                "anchor": "reach",
                "target_url": "/datacenters?operator=reach",
                "target_kind": "datacenter_operator"
            },
            {
                "anchor": "HTTP",
                "target_url": "/providers/http",
                "target_kind": "provider"
            }
        ],
        "attribution": "HostDir News Desk — https://hostdir.net/blog/ivanti-sentry-patches-address-two-critical-flaws-including-maximum-severity-rce-bug"
    }
}