Ivanti Releases Security Advisory for Critical Vulnerabilities in Sentry
Summary
If exploited, two critical vulnerabilities could allow for unauthenticated OS command injection or authentication bypass
Affected platforms
The following platforms are known to be affected:
Threat details
Exploitation of CVE-2026-10520 in the wild
Following the release of a proof-of-concept exploit, cyber security researchers are reporting exploitation of vulnerability CVE-2026-10520 in the wild.
The NHS England National CSOC assesses further exploitation as almost certain.
Introduction
Ivanti has released a security advisory to address two critical vulnerabilities in Ivanti Sentry. Successful exploitation could allow unauthenticated attackers to gain full administrative control or execute commands with root privileges on affected systems.
- CVE-2026-10520 - Improper Neutralization of Special Elements Used in an OS Command ('OS Command Injection') vulnerability - CVSSv3 Score: 10.0
- CVE-2026-10523 - Authentication Bypass Using an Alternate Path or Channel vulnerability - CVSSv3 Score: 9.9
Threat updates
| Date | Update |
|---|---|
| 11 Jun 2026 | Exploitation of CVE-2026-10520 in the wild |
Remediation advice
Affected organisations are encouraged to review Ivanti Security Advisory Ivanti Sentry (CVE-2026-10520, CVE-2026-10523) and apply the relevant updates as soon as possible.
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 11 June 2026 11:47 am