COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-10520

CVE-2026-10520

Severity
high · on CISA KEV actively exploited
Source
CISA-KEV · kev
Published
2026-06-11
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-10520
⚡ RCE ⌖ exploited in the wild shame 85/100 rceexploited-in-wildsupply-chain

Ivanti Sentry allows remote unauthenticated root access via command injection when appliances are unmanaged and externally reachable.

This OS command injection flaw enables remote code execution on unmanaged Sentry appliances, bypassing mTLS and restricted HTTPS controls. DIB orgs must ensure all Sentry devices are managed and patched immediately to prevent unauthorized root access and potential data exfiltration.

Shame score — A critical unauthenticated RCE vulnerability in a widely deployed MDM product that can be exploited when devices are left unmanaged.

Players implicated

Ivanti · vendorSentry · product

Description

Ivanti Sentry (formerly known as MobileIron Sentry) contains an OS command injection vulnerability which could allow a remote unauthenticated user to achieve root-level remote code execution. This vulnerability can be successfully exploited in cases where the Sentry appliance is in an unmanaged state with its endpoints externally reachable. The use of mTLS with EPMM or restricted HTTPS access through Neurons for MDM makes interfaces inaccessible to external actors.

Affected FedRAMP products 2 in the catalog

ProductProviderStatusMatch
Ivanti Neurons for ITSM (Formerly Service Manager) Ivanti Authorized vendor-exact · 0.90
Ivanti Neurons for MDM (Formerly MobileIron) Ivanti Authorized vendor-exact · 0.90