Ivanti Sentry Security Bulletin: CVE-2026-10520 (RCE) and CVE-2026-10523 (Auth Bypass)

Vulnerability Overview Ivanti Sentry has released updates for two critical vulnerabilities: CVE-2026-10520 and CVE-2026-10523. CVE-2026-10520: Command Injection vulnerability allowing remote unauthenticated users to achieve arbitrary code execution. CVE-2026-10523: Authentication Bypass vulnerability allowing unauthenticated users to gain administrative privileges. Affected Versions CVE-2026-10520: Impacts versions R10.5.2, R10.6.2, and R10.7.1. CVE-2026-10523: Impacts versions R10.5.2, R10.6.2, and R10.7.1. Remediation CVE-2026-10520: Update to R10.5.2, R10.6.2, or R10.7.1. CVE-2026-10523: Update to R10.5.2, R10.6.2, or R10.7.1. Download Links R10.5.2: - New Installation: https://support.mobileiron.com/mi/sentry/10.5.2-3/sentry-mobileiron-10.5.2-3.iso - Update Existing Installation: https://support.mobileiron.com/mi/sentry/10.5.2-3/ R10.6.2: - New Installation: https://support.mobileiron.com/mi/sentry/10.6.2-4/sentry-mobileiron-10.6.2-4.iso - Update Existing Installation: https://support.mobileiron.com/mi/sentry/10.6.2-4/ R10.7.1: - New Installation: https://support.mobileiron.com/mi/sentry/10.7.1-3/sentry-mobileiron-10.7.1-3.iso - Update Existing Installation: https://support.mobileiron.com/mi/sentry/10.7.1-3/ Additional Information CVSS Score: - CVE-2026-10520: 10 (Critical) - CVE-2026-10523: 9.8 (Critical) CVSS Vector: - CVE-2026-10520: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H - CVE-2026-10523: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CWE Identifier: - CVE-2026-10520: CWE-78 - CVE-2026-10523: CWE-287 Acknowledgments Ivanti thanks the following individual for reporting the issue and helping protect our customers: Bryan Lam (CVE-2026-10523) FAQ Is there active exploitation? - No instances of exploitation have been detected among customers to date. How can we determine if we have been exploited? - While no public exploits exist, certain indicators of compromise (IOCs) are available. Risk to customers? - Although the CVSS scores are high, the actual risk varies based on specific deployments and configurations. Why was it added to CISA KEV? - It was added due to reports of attempted exploitation targeting honeypots. Need assistance? - You may submit a case or request a callback via the Ivanti Innovators Hub. Article Number 000107123 Article Promotion Level Normal Footer Terms and Conditions Privacy Policy Copyright © 2019-2026 Ivanti. All rights reserved.

Goal Reached Thanks to every supporter — we hit 100%!

Ivanti Sentry Security Bulletin: CVE-2026-10520 (RCE) and CVE-2026-10523 (Auth Bypass)