Ivanti has released patches for two critical vulnerabilities in its Sentry secure mobile gateway, including CVE-2026-10520, a maximum-severity OS command injection flaw that could let attackers execute code with root privileges. The company also fixed CVE-2026-10523, an authentication bypass that could allow unauthenticated remote attackers to create rogue administrative accounts and gain full admin access, while saying there is no evidence of active exploitation.
Key points
- Ivanti patched two critical vulnerabilities in Sentry.
- CVE-2026-10520 can enable remote code execution with root privileges.
- CVE-2026-10523 could let attackers bypass authentication and create admin accounts.
- Ivanti released fixes in Sentry versions R10.5.2, R10.6.2, and R10.7.1.
- The company said it has no evidence of exploitation in the wild and urged immediate upgrades.