Overview
- Ivanti released Sentry updates on Wednesday, June 10, that fix two critical flaws in versions before R10.5.2, R10.6.2, and R10.7.1 and urged customers to install the patches immediately.
- The most severe bug, CVE-2026-10520, is an unauthenticated OS command injection that allows remote attackers to run arbitrary commands as root, and the related CVE-2026-10523 lets unauthenticated actors create admin accounts.
- A technical analysis and public proof-of-concept from watchTowr Labs made exploitation trivial: crafted POST requests to the /mics/api/v2/sentry/mics-config/handleMessage endpoint invoke system commands.
- Security groups reported active exploitation and backdooring of internet-exposed Sentry gateways within a day of the patch, and the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-10520 to its Known Exploited Vulnerabilities (KEV) catalog with a three-day remediation deadline.
- Defenders are advised to patch now, block external access to port 8443 and /mics/api paths, enable mutual TLS where possible, and audit Sentry, EPMM, and Exchange logs for POSTs to the vulnerable endpoint, new admin accounts, or signs of lateral movement.
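
One way to run the log audit described in the last bullet, as an added example that is not from Ivanti, watchTowr Labs, or the original page: it scans access-log lines for POSTs to the endpoint named above, normalizing the path first so encoded or padded variants are not missed. The log layout (Apache-style common log format), the constructed sample lines, and the function names are assumptions.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint named in the article; everything else in this block is an assumption.
ENDPOINT = "/mics/api/v2/sentry/mics-config/handleMessage"

# Assumed log layout: common log format (ip, ident, user, [time], "request", status, size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize(target):
    """Drop the query string, percent-decode, collapse '//' and dot segments."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))

def find_suspect_posts(lines):
    """Return {source_ip: [(timestamp, status), ...]} for POSTs to ENDPOINT."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Case-insensitive compare: conservative, may over-match slightly.
        if normalize(m["target"]).lower() == ENDPOINT.lower():
            hits[m["ip"]].append((m["ts"], int(m["status"])))
    return dict(hits)

def summarize(hits):
    """Rank sources: any 2xx response first (triage heuristic), then by volume."""
    rows = [(ip, len(v), any(200 <= s < 300 for _, s in v)) for ip, v in hits.items()]
    return sorted(rows, key=lambda r: (not r[2], -r[1], r[0]))

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [11/Jun/2026:03:14:07 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 512',
    '192.0.2.10 - - [11/Jun/2026:03:14:09 +0000] "POST /mics//api/v2/sentry/./mics-config/handleMessage?x=1 HTTP/1.1" 200 498',
    '198.51.100.7 - - [11/Jun/2026:04:01:55 +0000] "POST /mics/api/v2/sentry/mics-config/handle%4Dessage HTTP/1.1" 403 0',
    '203.0.113.5 - - [11/Jun/2026:04:02:10 +0000] "GET /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 405 0',
    '203.0.113.5 - - [11/Jun/2026:04:03:00 +0000] "POST /mics/login HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for ip, count, got_2xx in summarize(find_suspect_posts(SAMPLE)):
        print(f"{ip}: {count} POST(s) to {ENDPOINT}, 2xx seen: {got_2xx}")
```

Any source this reports is a starting point for the rest of the audit the bullet lists: new admin accounts and signs of lateral movement in the same time window.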