Security Advisory - Published 2026-06-12 - Ivanti Sentry
Ivanti Sentry CVE-2026-10520 and CVE-2026-10523: patch and compromise review
Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 is affected by two critical issues: CVE-2026-10520 allows unauthenticated root-level command execution, and CVE-2026-10523 allows unauthenticated creation of administrative accounts. CISA added CVE-2026-10520 to the Known Exploited Vulnerabilities catalog on 2026-06-11.
Who should check
- Organizations running Ivanti Sentry before R10.5.2, R10.6.2, or R10.7.1.
- Mobile access, email access, or app gateway deployments exposed to the internet.
- MSPs managing Ivanti appliances for several clients.
- Teams that saw unexplained admin account changes after 2026-06-09.
10-minute self-check
Confirm version and exposure
# Check the appliance UI or vendor management console for the exact Sentry release.
# Record whether the management interface or Sentry service is internet-facing.
# Preserve screenshots or exported system information before patching. The affected boundary is the appliance, not a web app library. Confirm the running Sentry release and every network path that can reach it from the internet, VPN, partner networks, or management VLANs.
Review admin and service accounts
# Export the current admin user list from the Ivanti console.
# Compare against a known-good list from before 2026-06-09.
# Check recent account creation, role changes, and failed login bursts. CVE-2026-10523 makes admin account review mandatory. Treat any unexplained account or role change as suspicious until logs prove otherwise.
Review connected systems
# Identify mail, mobile, identity, and application services connected through Sentry.
# Plan token, session, and credential rotation if compromise is suspected. Sentry sits near credentials and sessions. A clean patch does not answer whether a vulnerable appliance was already used to pivot into connected services.
Safe fix path
- Update to R10.5.2, R10.6.2, R10.7.1, or a later vendor-supported release.
- Restrict management and appliance access while the update is being applied.
- Export logs and account state before deleting suspicious users.
- Review administrator accounts, API integrations, connected identity providers, and mail/app gateways.
- Rotate credentials and tokens if there is any sign of unauthorized access.
Ping7 repair path
Ping7 can help with exposure review, account inventory, log triage, and post-patch verification for owned Ivanti Sentry environments. Use CVE Repair and include the Sentry version, exposure path, and first suspicious timestamp.