criticalCISA KEVCVE-2026-10520

Ivanti Sentry OS Command Injection Vulnerability

Ivanti Sentry (formerly known as MobileIron Sentry) contains an OS command injection vulnerability which could allow a remote unauthenticated user to achieve root-level remote code execution. This vulnerability can be successfully exploited in cases where the Sentry appliance is in an unmanaged state with its endpoints externally reachable. The use of mTLS with EPMM or restricted HTTPS access through Neurons for MDM makes interfaces inaccessible to external actors.

ProductSentry
CVSS10.0
EPSS0.99041
UpdatedJuly 9, 2026

Quick answer

Ivanti Sentry should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • 10.7.0

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

Ivanti Sentry is affected by an unauthenticated OS command injection risk in vulnerable unmanaged or externally reachable configurations. Apply the Ivanti security update immediately, restrict exposure, and perform forensics review if the appliance was reachable from the internet. Treat root-level compromise as possible until logs and appliance state are reviewed.

  1. Inventory every Ivanti Sentry appliance, including unmanaged, legacy, and externally reachable deployments.
  2. Apply the Ivanti fixed release or remediation steps for CVE-2026-10520 from the official advisory.
  3. Ensure Sentry interfaces are protected by the supported mTLS or managed access model and not directly reachable from untrusted networks.
  4. Restrict HTTPS and management access to trusted MDM infrastructure and administrative networks only.
  5. Review appliance logs, process history, suspicious files, outbound connections, and configuration changes for root-level compromise indicators.
  6. Rotate MDM integration secrets, certificates, administrator credentials, and API tokens if exposure or compromise is suspected.
  7. Follow Ivanti and CISA triage guidance for appliances that were internet-exposed before patching.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm the Sentry appliance reports the fixed Ivanti version or approved mitigation state.
  • Validate external interfaces are unreachable except through the required protected MDM path.
  • Review forensic triage evidence and appliance logs for command injection attempts.
  • Test mobile device connectivity and MDM synchronization after remediation.
  • Run a Fixnx scan and confirm public exposure does not include vulnerable Ivanti Sentry interfaces.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-10520?

Ivanti Sentry versions listed as affected should be reviewed: 10.7.0.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.