OS command injection in Ivanti Sentry (CVE-2026-10520) — unauthenticated root-level remote control
Ivanti Sentry (formerly MobileIron Sentry), a mobile-device management gateway, contains an OS command injection flaw that lets a remote, unauthenticated attacker execute code as root. CISA has listed it in its Known Exploited Vulnerabilities (KEV) catalog, and NVD rates it CVSS 10.0 (Critical).
Key facts
- CVE ID: CVE-2026-10520
- CVSS base score: 10 CRITICAL
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Affected (vendor / product): Ivanti Sentry
- CWE: CWE-78
- Exploitation: Listed in CISA KEV (exploitation confirmed)
- Remediation due: 2026-06-14 (U.S. federal civilian agencies, BOD 22-01)
Key points
- OS command injection (CWE-78) in Ivanti Sentry (formerly MobileIron Sentry; a mobile-management gateway)
- In an unmanaged state, a remote, unauthenticated attacker can execute code as root
- Listed in CISA KEV = exploitation confirmed; NVD base score is the maximum 10.0 Critical
- Response: apply Ivanti's official fixes/mitigations and review external exposure and access logs
- Federal civilian remediation deadline was June 14, 2026 (a practical benchmark for others)
CVE-2026-10520 is an OS command injection vulnerability (CWE-78) in Ivanti Sentry (formerly MobileIron Sentry). Sentry is a gateway product that sits between mobile devices (smartphones, etc.) and internal mail/app systems, relaying traffic and handling authentication.
Per public information, when the Sentry appliance is in an unmanaged state, a remote, unauthenticated attacker can achieve root-level remote code execution (RCE). OS command injection is a flaw where input that should be treated as data is instead interpreted and executed as an OS command inside the device; when it succeeds, the device itself can be taken over.
This class of device is dangerous because (1) it sits at the boundary between the internet and the internal network and is reachable from outside, and (2) as the linchpin connecting mobile devices and internal systems, its compromise becomes a foothold for internal intrusion. The flaw needs no authentication and has low complexity, with impact extending beyond the device itself.
Key response: check Ivanti's official advisory, identify affected versions, and apply the provided fixes/mitigations. CISA required U.S. federal civilian agencies to remediate by June 14, 2026 (a practical benchmark for others), and because this is a perimeter device the earliest possible action is advisable. Also review each appliance's managed/unmanaged state and external exposure, and check logs for suspicious access.
Why it matters
Any organization running mobile-device management via a boundary gateway can be affected. Unauthenticated root RCE leads directly to initial intrusion, so asset inventory (which Sentry units are exposed), prompt patching, and log review are the priorities. It reflects the continued targeting of perimeter appliances.
Sources (primary)
This article is an independent summary based on the U.S. official data below. Always verify the exact, latest details and applicability with the official and vendor sources.
- CISA KEV Catalog (known exploited list)
- NVD (CVE details / CVSS)
- Vendor / reference advisory
- This product uses data from the NVD API but is not endorsed or certified by the NVD. KEV data is CC0 (public domain).