A Severity-10.0 Takeover Flaw in Ivanti Sentry (CVE-2026-10520), No Password Needed
A flaw lets attackers remotely take over Ivanti Sentry — the gateway between staff phones and corporate email — with no password (CVE-2026-10520, severity 10.0). Paired with an authentication-bypass flaw that creates administrators at will (CVE-2026-10523), it requires an update to R10.5.2 / R10.6.2 / R10.7.1. The product has been attacked repeatedly before. Here are the affected versions and what to do now.

Makoto Horikawa
Backend Engineer / AWS / Django
A device that serves as the single gateway to employees' phones and corporate email can now be taken over remotely, with no password at all. The product is Ivanti Sentry, part of the "mobile management" stack that companies use to control staff devices and email. It sits between corporate systems and phones like a gatekeeper. The flaw is tracked as CVE-2026-10520, and it received the maximum severity score of 10.0 out of 10.
Worse still, the same device has a second flaw that lets an attacker bypass the login they should need and create administrator accounts at will (CVE-2026-10523, severity 9.9). Chain the two together and an attacker can break in from the outside without a password and seize the device's highest privilege (administrator, the equivalent of root on Linux) in one motion. According to the U.S. National Vulnerability Database (NVD), both are resolved in fixed builds R10.5.2, R10.6.2, and R10.7.1.
Ivanti's products are meant to guard a company's front door, yet they have been turned into actual attack tools again and again. Ivanti Sentry itself was hit in 2023 by an almost identical type of flaw and ended up on the U.S. government's list of vulnerabilities known to be under active attack. This article explains, in plain terms, what Ivanti Sentry does, what the two new flaws let an attacker do, which versions are affected and what to patch, and why this product keeps getting targeted.
Which versions are affected, and how to update
The bottom line first. Ivanti Sentry closes both flaws (CVE-2026-10520 and CVE-2026-10523) once you update to the fixed builds R10.5.2, R10.6.2, or R10.7.1, or later. Per NVD, every version before those is affected. Sentry is maintained across several parallel branches (R10.5, R10.6, R10.7), so the basic move is to upgrade to the fixed build within the branch you run. You can check your version from the product's admin console or system information.
| Your version | Status | What to do now |
|---|---|---|
| R10.7.1 / R10.6.2 / R10.5.2 or later | Fixed | No action needed |
| Earlier R10.7 / R10.6 / R10.5 builds | Affected | Update to the fixed build in your branch |
| Older versions | Affected (may be end-of-support) | Move to a supported fixed build |
One thing to keep in mind: the flaws are reached through the management entry point exposed to the internet. Because Sentry bridges off-site phones and on-site systems, it is often deployed facing outward. If you cannot patch immediately, consider the stopgaps below (such as restricting the management port so it is not visible from the public internet) while you move to a fixed build as soon as possible. The latest builds and steps are on Ivanti's official security advisories.
What Ivanti Sentry does, and what the flaws cause
Ivanti Sentry, formerly "MobileIron Sentry," is part of the mobile device management (MDM) system companies use to control employees' phones and tablets in bulk. In one word, its job is to be a gatekeeper. When a staff phone reaches for corporate email (Exchange) or internal document systems, that traffic first passes through Sentry, which checks "is this a company-approved device?" before letting it through. That is exactly why taking it over means holding the very path into the company's email and internal systems.
The two new flaws are different in nature. Here is each one.
CVE-2026-10520: take over the server with no password (severity 10.0)
This is the main event. Send Sentry a specially crafted request from outside, and the attacker's commands run inside the device as-is. The technical class is OS command injection (CWE-78): an input field meant only for the device's internal processing is fed operating-system commands, which the device fails to distinguish and runs. Per NVD's rating, the attack needs no login (no authentication), no special privileges, and no user interaction, and it can run commands at the device's highest privilege (root) — hence the maximum score of 10.0. Stealing data, tampering with it, or knocking the device offline all become possible. This is a full "takeover" class flaw.
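To make the CWE-78 mechanism concrete, here is a small added illustration written for this article. It is generic demo code, not Ivanti's code, and it says nothing about how Sentry itself builds commands; the "hostname" parameter and the harmless `echo` command are stand-ins chosen so the demo runs offline. The vulnerable function pastes caller input into a shell command line, so shell syntax in the input becomes a second command; the hardened function applies two independent fixes (allow-list validation, and passing an argument vector with no shell) so the same input is treated as plain data or rejected outright.

```python
"""CWE-78 (OS command injection): vulnerable pattern beside its hardened form.
Added example for this article; not Ivanti code. 'echo' stands in for whatever
program a real appliance would call, so the demo is harmless to run."""
import re
import subprocess

# Allow-list for the one kind of value this parameter may carry: a DNS hostname
# (labels of letters, digits and hyphens, joined by dots). Anything else is rejected.
_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Marker used only to detect whether a second command ran in this demo.
MARKER = "INJECTED"


def vulnerable_lookup(hostname: str) -> str:
    """The CWE-78 pattern: untrusted text is interpolated into a command line
    that a shell parses. Characters the shell treats as syntax (';', '|',
    '$(...)', backticks) are executed instead of being passed along as data."""
    result = subprocess.run(f"echo {hostname}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def no_shell_lookup(hostname: str) -> str:
    """Fix 1 on its own: hand the program an argument vector, never a shell
    string. The whole input becomes one argv entry; ';' is just a byte."""
    result = subprocess.run(["echo", hostname], shell=False,
                            capture_output=True, text=True)
    return result.stdout


def hardened_lookup(hostname: str) -> str:
    """Fix 1 plus fix 2: validate against the allow-list first, then call the
    program without a shell. Either fix alone stops the injection; using both
    means a slip in one does not reopen the hole."""
    if not _HOSTNAME_RE.fullmatch(hostname):
        raise ValueError(f"rejected input: {hostname!r}")
    return no_shell_lookup(hostname)


def injected(output: str) -> bool:
    """True if the marker appears as its own output line, which only happens
    when the shell split the input into a second 'echo' command."""
    return MARKER in output.splitlines()


def rejects(hostname: str) -> bool:
    """True if the hardened path refuses the input at the validation step."""
    try:
        hardened_lookup(hostname)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed input: a valid-looking hostname followed by shell syntax.
    probe = f"mail.example.com; echo {MARKER}"
    print("vulnerable ->", repr(vulnerable_lookup(probe)), "injected:", injected(vulnerable_lookup(probe)))
    print("no shell   ->", repr(no_shell_lookup(probe)), "injected:", injected(no_shell_lookup(probe)))
    print("hardened   -> rejected:", rejects(probe))
```

The detection check in `injected()` is only a demo convenience; in a real review the thing to look for is any place where request-controlled text reaches a shell (`sh -c`, `system()`, `popen()` and their equivalents) without a strict allow-list in front of it.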
CVE-2026-10523: bypass login and create an admin at will (severity 9.9)
The second flaw slips past the authentication check that should be required, letting an attacker mint their own administrator account. The class is authentication bypass (CWE-288). Once an admin account exists, the attacker can impersonate a legitimate administrator and change settings out in the open. Severity is 9.9. If CVE-2026-10520 is "a back-door hole for running commands," this one is "a hole that lets you cut your own front-door key and walk in." Either alone is serious, but together they connect the break-in and the staying-in into a single, continuous path — which is what makes this pair so dangerous.
Who targets this gatekeeper, and what do they walk off with
You might think, "we don't run anything as fancy as employee phone management." But the organizations that run this device are large enterprises, government agencies, hospitals, and financial firms — the kind that hold a great deal of information worth protecting. To an attacker, Ivanti Sentry looks like the perfect target: the path to every employee's phone and corporate email funneled into a single box. That is the real meaning of the number 10.0.
The people coming for it are not an abstract "hacker." Concretely, they are initial-access brokers, whose whole business is breaking into a corporate network and quietly reselling that foothold; ransomware crews who settle in, encrypt data, and demand payment; state-backed espionage groups who want to siphon secrets and executives' correspondence for months; and crews who hijack other people's servers to mine cryptocurrency for quick cash. What they want is the contents of corporate mail, employee credentials, exchanges with business partners, and that crucial first step "to push deeper into the network from here." The moment CVE-2026-10520 and CVE-2026-10523 are tripped in sequence, the device that was the gatekeeper becomes the attacker's puppet, and the door to the company's email and internal systems behind it swings open from the inside.
There is a reason these "edge" devices get targeted. They face the internet, so attackers can reach them directly, and they keep one foot inside the corporate network, so seizing one means winning a bridge between outside and inside. Once in, attackers begin internal reconnaissance, move laterally to other servers, and ultimately build toward a network-wide ransomware deployment or a large-scale data theft. In fact, when Ivanti Sentry was attacked back in 2023, internal recon tools and a cryptocurrency miner were dropped after the break-in, and the involvement of initial-access brokers was suspected. The two flaws here are an even more dangerous combination than that 2023 case.
And the ones left holding the stopped operations and the leaked data are the IT department that runs the device and that company's users. Executives' and staff mail walks out wholesale, the damage cascades to business partners, recovery and root-cause work drag on for weeks, and the explanations and apologies to regulators and customers keep coming. A severity of 10.0 is only the technical ceiling; what a company actually loses when this device becomes the entry point is this broad, and it leaves a long tail. With a fix already available, whether you apply it now is what decides whether you become the one who gets hit.
Why Ivanti's devices keep getting targeted
There is a backdrop to why this lands as "here we go again." Ivanti's "perimeter" devices — VPNs and mobile management — have been a top priority for attackers for several years, and Sentry is no exception. In 2023, an authentication-bypass-to-command-execution flaw (CVE-2023-38035) was used in real attacks and was added that August to the catalog of vulnerabilities under active attack (KEV) run by the U.S. agency CISA. After the break-ins, a cryptocurrency miner (Kinsing) and internal recon tools were reported to have been dropped.
Into 2026, Ivanti's mobile-management product EPMM had two zero-day flaws (CVE-2026-1281 / CVE-2026-1340), already being exploited before a fix existed, confirmed in January, with Palo Alto Networks' Unit 42 analyzing the active exploitation. In May, another EPMM flaw (CVE-2026-6973) was added to KEV. In short, Ivanti's perimeter devices keep following a pattern: each new flaw gets weaponized into real attacks within a short window. The new CVE-2026-10520 / 10523 are not yet in KEV at publication time, and no broad exploitation has been confirmed, but given that track record, "wait and see" is a dangerous choice. In past cases, the grace period between disclosure and real attacks was not long.
From disclosure to response
Here is the "same spot, broken again and again" pattern around Ivanti Sentry as a timeline, including the 2023 case. The two new flaws sit on that same line.
[Timeline graphic: Ivanti Sentry disclosures and responses, 2023 to 2026. Not reproduced in text.]
How to read the risk right now
✓ Confirmed facts
- CVE-2026-10520 is an OS command injection allowing unauthenticated, remote command execution at the highest privilege, rated 10.0 (NVD)
- CVE-2026-10523 is an authentication-bypass flaw allowing creation of administrator accounts, rated 9.9 (NVD)
- Both are resolved in R10.5.2 / R10.6.2 / R10.7.1. Ivanti Sentry was already attacked in 2023 via a separate flaw (CVE-2023-38035)
? Not yet confirmed
- Real-world exploitation of these two flaws — no broad reports at publication time, and they are not yet on CISA's list of vulnerabilities under active attack (KEV)
- Public proof-of-concept (PoC) status — no confirmation of wide circulation at publication time. That said, Ivanti flaws have historically been weaponized soon after disclosure
Stated plainly: the two flaws are fresh, and no broad exploitation has been confirmed yet. At the same time, "no password, remote, highest privilege, and a target full of valuable data" means the payoff for an attacker is enormous. And Ivanti's perimeter devices have repeatedly walked the road from "flaw disclosed" to "real attacks" fast. Rather than scrambling once exploitation begins, applying the available fix now is the cheapest and surest move.
What to do now
If you run Ivanti Sentry, your to-do list centers on updating:
- Check your Sentry version and branch (R10.5 / R10.6 / R10.7); if it is earlier than R10.5.2 / R10.6.2 / R10.7.1, treat it as affected
- Update to the fixed build for your branch as soon as possible, following Ivanti's official security advisories
- If you cannot patch right away, restrict the management entry point (admin portal) so it is not directly visible from the internet — reachable only from your network or specific sites
- Check whether any unauthorized administrator accounts have been created, by reviewing the admin list and recent login and configuration-change records
- Inspect the device's logs and traffic for unfamiliar connections or setting changes and suspicious outbound activity; if you find signs of intrusion, consider not just patching but rebuilding and rotating credentials
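The version table in "Which versions are affected" and the first and fourth steps of the checklist above are the two checks that benefit most from being scripted when you run more than one Sentry. The block below is an added helper written for this article, not Ivanti tooling. It encodes the fixed builds the article cites (R10.5.2 / R10.6.2 / R10.7.1, per NVD) and classifies a version string by branch, then diffs an exported administrator list against an approved baseline and flags accounts created after a date you choose. The version-string shape ("R10.6.1") and the administrator record fields are assumptions; adjust them to what your console actually exports. It goes slightly beyond the table by handling a branch newer than any listed, which it refuses to call fixed without confirmation.

```python
"""Version triage and admin-list diff for Ivanti Sentry. Added example for this
article; not Ivanti's own tooling. Version-string format and admin-record
fields are assumptions about the console export."""
import re
from dataclasses import dataclass
from typing import Iterable

# Fixed builds per branch, as reported by NVD and quoted in the article.
FIXED_BUILDS = {
    (10, 5): (10, 5, 2),
    (10, 6): (10, 6, 2),
    (10, 7): (10, 7, 1),
}

# Outcomes of assess_version(); mirrors the rows of the article's table, plus
# one extra row for a branch newer than anything the advisory lists.
FIXED = "fixed"
AFFECTED = "affected: update to the fixed build in your branch"
OLDER = "affected: older branch (may be end-of-support), move to a supported fixed build"
LATER = "later than the listed fixed builds; confirm against Ivanti's advisory"

# Assumed shape: optional leading 'R', then major.minor[.patch].
_VERSION_RE = re.compile(r"^R?(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """'R10.6.1' -> (10, 6, 1). A missing patch level is treated as 0."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess_version(text: str) -> str:
    """Classify one Sentry version against the fixed builds per branch."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_BUILDS:
        return FIXED if (major, minor, patch) >= FIXED_BUILDS[branch] else AFFECTED
    if branch > max(FIXED_BUILDS):
        return LATER
    return OLDER


@dataclass(frozen=True)
class AdminAccount:
    """One row of an exported administrator list (assumed fields)."""
    username: str
    created: str  # ISO date (YYYY-MM-DD); compares correctly as a string


def unexpected_admins(current: Iterable[AdminAccount],
                      baseline: set[str],
                      created_since: str) -> tuple[list[AdminAccount], list[AdminAccount]]:
    """Return (accounts not in the approved baseline,
               accounts created on or after created_since).
    The second list catches a baselined name that was deleted and recreated,
    which a pure name diff would miss."""
    current = list(current)
    unknown = [a for a in current if a.username not in baseline]
    recent = [a for a in current if a.created >= created_since]
    return unknown, recent


# Constructed sample data for the demo: three admins, two of them approved.
SAMPLE_ADMINS = [
    AdminAccount("it-admin", "2024-03-01"),
    AdminAccount("backup-ops", "2025-11-12"),
    AdminAccount("svc-sync01", "2026-06-14"),
]
SAMPLE_BASELINE = {"it-admin", "backup-ops"}

if __name__ == "__main__":
    for v in ("R10.7.1", "R10.6.1", "10.5.2", "R10.4.3", "R10.8.0"):
        print(f"{v:>8} -> {assess_version(v)}")
    unknown, recent = unexpected_admins(SAMPLE_ADMINS, SAMPLE_BASELINE, "2026-06-01")
    print("not in baseline:", [a.username for a in unknown])
    print("created since 2026-06-01:", [a.username for a in recent])
```

Pick `created_since` as the earliest date the device could plausibly have been reachable with a vulnerable build; any administrator created after that point needs a paper trail, whether or not its name is familiar.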
Prioritize this if you run Sentry directly facing the internet. The attack works by sending a crafted request to a reachable entry point, so the longer it stays exposed, the higher the risk. If you were already breached, patching alone may not remove the foothold — so if anything looks off, don't stop at "patched and done"; pair it with a hunt for traces.
FAQ
Q. We don't use Ivanti for staff phone management. Does this affect us?
The direct target is organizations running Ivanti Sentry (formerly MobileIron Sentry). If you don't use it, these two flaws don't affect you. That said, if a partner or vendor uses the device, you could be affected indirectly through them. Ask your IT department or mobile-management team whether your organization uses it.
Q. How dangerous is a severity of 10.0?
It's the maximum on the international scale for vulnerability severity (CVSS). CVE-2026-10520 scores 10.0 because the worst-case conditions line up: the attack needs no login, no special privileges, and no user action, and success grants the device's highest privilege. Whether it is actively exploited is a separate question, and no broad exploitation is confirmed at publication time — but the bad conditions call for an urgent update.
Q. Once I update, am I safe?
Moving to a fixed build (R10.5.2 / R10.6.2 / R10.7.1 or later) closes these two flaws. But if you were already breached before updating, admin accounts or implants the attacker created may not vanish with the update alone. Check for suspicious admins, logs, and setting changes, and if you find traces, go as far as rebuilding and rotating credentials.
Q. Why are Ivanti products targeted so often?
Devices placed at the "boundary between inside and outside," like VPNs and mobile management, are reachable directly from the internet while also having a foot inside the corporate network, which makes them high-value entry points for attackers. Ivanti is widely deployed in enterprises and government and makes many such perimeter devices, so it keeps drawing fire.
In summary
CVE-2026-10520 is a severity-10.0 flaw that lets an attacker take over "Ivanti Sentry" — the gatekeeper linking staff phones to corporate email and internal systems — remotely and without a password. Add CVE-2026-10523 (9.9), which bypasses authentication to create administrators at will, and chaining the two connects break-in to staying-in in one line. Per NVD, both are resolved in fixed builds R10.5.2, R10.6.2, and R10.7.1.
This product was already attacked in 2023 via the same type of flaw, and Ivanti's perimeter devices have kept getting weaponized soon after disclosure. The two new flaws are fresh and broad exploitation isn't confirmed yet, but given the bad conditions and the track record, "wait and see" is risky. If you run Ivanti Sentry, update to the fixed build for your branch promptly, and check for unauthorized admin accounts and signs of intrusion along the way. For a device you've trusted with the door to your company's email and internal systems, this is too heavy a risk to put off.
References
- NVD - CVE-2026-10520 (Ivanti Sentry OS command injection, CVSS 10.0)
- NVD - CVE-2026-10523 (Ivanti Sentry authentication bypass, CVSS 9.9)
- Ivanti - Security advisories (official)
- Darktrace - Exploitation analysis of Ivanti Sentry (CVE-2023-38035)
- The Hacker News - Ivanti EPMM zero-days (CVE-2026-1281 / 1340)
- Palo Alto Networks Unit 42 - Ivanti EPMM exploitation analysis
- CWE-78: OS Command Injection / CWE-288: Authentication Bypass Using an Alternate Path