Security Advisory - Published 2026-06-12 - Ivanti Sentry

Ivanti Sentry CVE-2026-10520 and CVE-2026-10523: patch and compromise review

Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 is affected by two critical issues: CVE-2026-10520 allows unauthenticated root-level command execution, and CVE-2026-10523 allows unauthenticated creation of administrative accounts. CISA added CVE-2026-10520 to the Known Exploited Vulnerabilities catalog on 2026-06-11.

Defensive scope: this is an exposure and incident-review checklist. Do not test internet-facing appliances with exploit requests. Patch first, preserve logs, and review account changes.

Who should check

  • Organizations running Ivanti Sentry before R10.5.2, R10.6.2, or R10.7.1.
  • Mobile access, email access, or app gateway deployments exposed to the internet.
  • MSPs managing Ivanti appliances for several clients.
  • Teams that saw unexplained admin account changes after 2026-06-09.

10-minute self-check

Confirm version and exposure

# Check the appliance UI or vendor management console for the exact Sentry release.
# Record whether the management interface or Sentry service is internet-facing.
# Preserve screenshots or exported system information before patching.

The affected boundary is the appliance, not a web app library. Confirm the running Sentry release and every network path that can reach it from the internet, VPN, partner networks, or management VLANs.

Review admin and service accounts

# Export the current admin user list from the Ivanti console.
# Compare against a known-good list from before 2026-06-09.
# Check recent account creation, role changes, and failed login bursts.

CVE-2026-10523 makes admin account review mandatory. Treat any unexplained account or role change as suspicious until logs prove otherwise.

Review connected systems

# Identify mail, mobile, identity, and application services connected through Sentry.
# Plan token, session, and credential rotation if compromise is suspected.

Sentry sits near credentials and sessions. A clean patch does not answer whether a vulnerable appliance was already used to pivot into connected services.

Safe fix path

  1. Update to R10.5.2, R10.6.2, R10.7.1, or a later vendor-supported release.
  2. Restrict management and appliance access while the update is being applied.
  3. Export logs and account state before deleting suspicious users.
  4. Review administrator accounts, API integrations, connected identity providers, and mail/app gateways.
  5. Rotate credentials and tokens if there is any sign of unauthorized access.

Ping7 repair path

Ping7 can help with exposure review, account inventory, log triage, and post-patch verification for owned Ivanti Sentry environments. Use CVE Repair and include the Sentry version, exposure path, and first suspicious timestamp.

References