CISOOnline

Ivanti patches critical Sentry flaws that lead to full device takeover

The second flaw, CVE-2026-10520, is a command injection issue that can lead to remote code execution with root privileges on the underlying OS. Because the vulnerability can be exploited remotely without authentication, it is rated with the maximum CVSS severity score of 10.

Ivanti Sentry is an in-line gateway that manages, encrypts, and secures traffic between mobile devices and back-end enterprise servers such as Microsoft Exchange. It works together with Ivanti Endpoint Manager Mobile (EPMM) to enforce access restrictions and device verification. As such, the appliance is typically deployed at the enterprise network edge and is accessible from the internet.

Both vulnerabilities were reported privately through Ivanti’s responsible disclosure program, and the company is not aware of public exploitation at this time. But attackers, including state-sponsored cyberespionage groups, have exploited vulnerabilities in Ivanti products and network-edge appliances many times in the past.

Furthermore, researchers from security firm watchTowr have posted a detailed analysis of CVE-2026-10520, and the exploit is trivial to execute. The researchers released a Python script that enables organizations to test whether their deployments are vulnerable.


