Address: Rue de la Loi 107, 1049 Brussels, Belgium Tel: +32 2 295 2100

Security Advisory 2026-008

Release Date:

Critical vulnerabilities in Ivanti Sentry

Download

History:

  • 10/06/2026 --- v1.0 -- Initial publication

Summary

On 9 June 2026, Ivanti released a security advisory addressing two critical vulnerabilities in their Sentry products[1]. An attacker could exploit those flaws to achieve unauthenticated remote code execution on the vulnerable device.

Technical Details

The vulnerability CVE-2026-10520, with a CVSS score of 10, is an OS Command Injection vulnerability in Ivanti Sentry which allows a remote unauthenticated user to achieve root-level remote code execution[2].

The vulnerability CVE-2026-10523, with a CVSS score of 9.9, is an Authentication Bypass vulnerability in Ivanti Sentry which allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.

Affected Products

The following versions of Ivanti Sentry are affected:

  • 10.5.1 and prior.
  • 10.6.1 and prior.
  • 10.7.0 and prior.

Recommendations

CERT-EU recommends following the vendor's guidance to update their appliance to one of the fixed versions[1].

References

[1] https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523

[2] https://labs.watchtowr.com/more-evidence-that-words-dont-mean-what-we-thought-they-meant-ivanti-sentry-pre-auth-os-command-injection-cve-2026-10520/

We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.