CVE-2026-10520: Ivanti Sentry OS Command Injection Vulnerability
CVE-2026-10520 is a Severity not scored in source feed flaw in Ivanti Sentry. Ivanti Sentry (formerly known as MobileIron Sentry) contains an OS command injection vulnerability which could allow a remote unauthenticated user to achieve root-level remote code execution. This vulnerability can be successfully exploited in cases where the Sentry appliance is in an unmanaged state with its endpoints externally reachable. The use of mTLS with EPMM or restricted HTTPS access through Neurons for MDM makes interfaces inaccessible to external actors. It is listed in the CISA Known Exploited Vulnerabilities catalog (added 2026-06-11), meaning it is being actively exploited. The fix: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Source: CISA Known Exploited Vulnerabilities Catalog. Data as of 2026-06-13.
Vulnerability details
| Field | Value |
|---|---|
| CVE ID | CVE-2026-10520 |
| Vulnerability | Ivanti Sentry OS Command Injection Vulnerability |
| Vendor / product | Ivanti — Sentry |
| CVSS base score | Not in source feed |
| Severity | — |
| Weakness (CWE) | CWE-78 |
| Added to CISA KEV | 2026-06-11 |
| CISA remediation due | 2026-06-14 |
| Known ransomware use | Unknown |
Source: CISA Known Exploited Vulnerabilities Catalog. Data as of 2026-06-13.
What is the risk?
Ivanti Sentry (formerly known as MobileIron Sentry) contains an OS command injection vulnerability which could allow a remote unauthenticated user to achieve root-level remote code execution. This vulnerability can be successfully exploited in cases where the Sentry appliance is in an unmanaged state with its endpoints externally reachable. The use of mTLS with EPMM or restricted HTTPS access through Neurons for MDM makes interfaces inaccessible to external actors.
How to remediate CVE-2026-10520
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
U.S. federal civilian agencies were required to remediate this vulnerability by 2026-06-14 under CISA Binding Operational Directive 22-01. Private organizations should treat it with comparable urgency.
References
Frequently asked questions
What is CVE-2026-10520?
CVE-2026-10520 is a vulnerability in Ivanti Sentry: Ivanti Sentry (formerly known as MobileIron Sentry) contains an OS command injection vulnerability which could allow a remote unauthenticated user to achieve root-level remote code execution. This vulnerability can be successfully exploited in cases where the Sentry appliance is in an unmanaged state with its endpoints externally reachable. The use of mTLS with EPMM or restricted HTTPS access through Neurons for MDM makes interfaces inaccessible to external actors.
How severe is CVE-2026-10520?
The CISA KEV catalog does not publish a CVSS base score for this entry. Check the NVD record for the official score. Its presence in the KEV catalog means it is confirmed to be exploited in the wild.
Is CVE-2026-10520 being exploited in the wild?
Yes. It appears in the CISA Known Exploited Vulnerabilities (KEV) catalog, which only lists vulnerabilities with reliable evidence of active exploitation. It was added on 2026-06-11.
How do I fix CVE-2026-10520?
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Related vulnerabilities
- CVE-2026-6973: Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability
- CVE-2009-3459: Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability
- CVE-2025-48595: Android Framework Integer Overflow Vulnerability
- CVE-2026-7473: Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
Last updated: 2026-06-13