
Ivanti Patches Zero-Day Flaw Allowing Root Code Execution


"We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure," Ivanti said. "Currently, there is no known public exploitation of this vulnerability that could be used to provide a list of indicators of compromise."

CVE-2026-10520 — OS command injection permitting root execution

Ivanti disclosed a maximum-severity vulnerability in its Sentry secure mobile gateway, tracked as CVE-2026-10520. The flaw is an OS command injection weakness that, according to the company, could allow a remote attacker to execute code with root privileges on the appliance. Sentry, formerly MobileIron Sentry, is a gateway appliance that secures traffic between back-end corporate systems and remote mobile devices; because the injected commands run as root on a device sitting at that boundary, successful exploitation means full compromise of the appliance rather than of a single service on it.
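The article does not show Sentry's vulnerable code, and nothing below reproduces it. The following is an added example written for this page, not Ivanti's or BleepingComputer's code, illustrating the bug class in general: a diagnostic helper that splices an attacker-controlled hostname into a shell command line, beside a hardened version that validates the input against a hostname grammar and passes it as a separate argv element with no shell in between. The function names, the hostname regex and the `tool` parameter (defaulting to `nslookup`, swapped for `echo` so the demo runs offline) are assumptions of the example.

```python
import re
import subprocess

# Strict hostname grammar: dot-separated labels of letters, digits and hyphens.
# An allow-list like this rejects ; | & $ ( ) ` and whitespace without having to
# enumerate shell metacharacters. The pattern is an assumption of this example.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_hostname(host: str) -> bool:
    """True only if `host` matches the allow-list grammar above."""
    return _HOSTNAME_RE.fullmatch(host) is not None


def build_vulnerable(host: str, tool: str = "nslookup") -> str:
    """Vulnerable pattern: untrusted input is interpolated into a command string."""
    return f"{tool} {host}"


def diagnose_vulnerable(host: str, tool: str = "nslookup") -> str:
    """Runs the interpolated string through /bin/sh and returns its stdout.

    With shell=True, ';', '|', '$(...)' and friends inside `host` are parsed by
    the shell, so a hostname chosen by the attacker becomes commands chosen by
    the attacker, running as whatever user the service runs as (root, on an
    appliance whose services are not privilege-separated).
    """
    result = subprocess.run(
        build_vulnerable(host, tool), shell=True, capture_output=True, text=True
    )
    return result.stdout


def diagnose_safe(host: str, tool: str = "nslookup") -> str:
    """Hardened form: validate first, then pass argv as a list with no shell."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    # `host` reaches the tool as a single literal argument; nothing parses it.
    result = subprocess.run([tool, host], shell=False, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed payload: a valid-looking hostname followed by a second command.
    payload = "example.com; echo INJECTED"
    print("vulnerable ->", repr(diagnose_vulnerable(payload, tool="echo")))
    try:
        diagnose_safe(payload, tool="echo")
    except ValueError as exc:
        print("hardened   ->", exc)
    print("hardened   ->", repr(diagnose_safe("example.com", tool="echo")))
```

The argv-list form fixes the injection itself; running the web service under a least-privilege account is the separate control that keeps an injection that does slip through from becoming root execution, which is the outcome Ivanti describes for CVE-2026-10520.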

CVE-2026-10523 — remote authentication bypass and rogue administrative accounts

The company simultaneously patched a second critical issue, CVE-2026-10523, described as an authentication bypass. Ivanti said this flaw can be exploited remotely by unauthenticated attackers to create rogue administrative accounts and gain full administrative access. Where CVE-2026-10520 would let an attacker run code as root, CVE-2026-10523 would let an attacker establish persistent, high-privilege access through fabricated administrative credentials.

Ivanti patches released: R10.5.2, R10.6.2, R10.7.1

Ivanti issued fixes for both vulnerabilities on Tuesday with the release of Sentry versions R10.5.2, R10.6.2, and R10.7.1. The company advised administrators to upgrade their systems to protect against potential attacks and stated it has no evidence that the two vulnerabilities are being exploited in the wild. Ivanti's public language emphasized there is "no known public exploitation" that would enable the company to publish indicators of compromise.
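Because the advisory gives only fixed build numbers, the first operational question is which appliances in an inventory sit below the fixed build for their release branch. The following is an added example for this article, not an Ivanti tool: it parses Sentry version strings of the form `R10.x.y`, compares each against the fixed build for its branch (R10.5.2, R10.6.2, R10.7.1, as stated above) and triages a constructed CSV inventory. The inventory hostnames and the `assess`/`triage` names are assumptions; branches the advisory does not name (for example R10.4) are reported as not covered rather than guessed at.

```python
import re
from typing import Dict, List, Tuple

# Fixed Sentry builds named in the advisory, keyed by (major, minor) release branch.
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (10, 5): (10, 5, 2),
    (10, 6): (10, 6, 2),
    (10, 7): (10, 7, 1),
}

# Accepts "R10.5.1", "r10.5.1" or a bare "10.5.1", with surrounding whitespace.
_VERSION_RE = re.compile(r"^\s*R?(\d+)\.(\d+)\.(\d+)\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a Sentry version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Sentry version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: str) -> str:
    """Classify one appliance version against the fixed builds.

    Returns "patched", "vulnerable" or "unlisted-branch". Tuple comparison makes
    R10.6.3 count as patched (it is above R10.6.2) and R10.7.0 as vulnerable.
    """
    v = parse_version(version)
    fixed = FIXED_BUILDS.get((v[0], v[1]))
    if fixed is None:
        # The advisory names no fixed build for this branch; do not assume safety.
        return "unlisted-branch"
    return "patched" if v >= fixed else "vulnerable"


# Constructed inventory (hostname,version); not real hosts.
INVENTORY = """\
sentry-dc1.example.internal,R10.5.1
sentry-dc2.example.internal,R10.6.2
sentry-lab.example.internal,10.7.0
sentry-old.example.internal,R10.4.3
sentry-bad.example.internal,n/a
"""


def triage(inventory: str) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) for every non-empty inventory line."""
    rows: List[Tuple[str, str, str]] = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, ver = line.partition(",")
        try:
            status = assess(ver)
        except ValueError:
            # Keep malformed entries visible instead of silently dropping them.
            status = "unparseable"
        rows.append((host.strip(), ver.strip(), status))
    return rows


if __name__ == "__main__":
    for host, ver, status in triage(INVENTORY):
        print(f"{host:32} {ver:10} {status}")
```

Hosts reported as "unlisted-branch" or "unparseable" need a manual look rather than a pass: the first may be on an end-of-life branch with no fix at all, and the second is an inventory-quality problem that hides an unknown exposure.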

CISA action, recent Ivanti zero-days, and the pattern of targeting

The announcement sits against a backdrop of repeated exploitation of Ivanti defects in recent years. Ivanti vulnerabilities have "often been targeted in attacks" because they can provide an easy route into enterprise networks to steal corporate and customer data, the company said. In May, the Cybersecurity and Infrastructure Security Agency (CISA) ordered U.S. federal agencies to patch Ivanti devices after the vendor warned of a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM) that had been exploited in zero-day attacks. Ivanti also addressed two other critical EPMM vulnerabilities in January after those issues were exploited as zero-days against a "very limited number of customers."

The record of active exploitation extends beyond a single vendor: CISA has identified 34 vulnerabilities across various SolarWinds products as actively exploited over the past several years, 12 of them also used in ransomware attacks, a reminder that widely used enterprise management tooling is a repeat target for attackers.

What this means for U.S. federal agencies, enterprise administrators, and cybercriminals

  • U.S. federal agencies: CISA's recent patching order for Ivanti devices in May signals that agencies will be watching this Sentry disclosure closely and are likely to treat the new Sentry fixes as operational priorities to reduce the risk of lateral network compromise.
  • Enterprise administrators: Ivanti has advised upgrades to Sentry R10.5.2, R10.6.2, or R10.7.1; administrators running affected versions should apply those patches to mitigate the twin risks of root code execution and rogue administrative account creation.
  • Cybercriminals and threat actors: Ivanti itself acknowledged that its vulnerabilities have been attractive to attackers because they can provide straightforward access into enterprise networks — the combination of a maximum-severity command injection and an authentication bypass is the sort of double opportunity adversaries seek.

The dual nature of these fixes, a highest-severity command injection and a remote authentication bypass, makes this a consequential patch cycle for any organization that routes mobile-device traffic through Ivanti Sentry. Ivanti's statement that it has found no evidence of exploitation offers some immediate reassurance, but the recent run of Ivanti zero-days and CISA's patching orders underscores that prompt patching remains the practical defense. Administrators of Sentry appliances should upgrade to the patched R10.x builds, review the appliance's administrative accounts for any they did not create, and monitor vendor communications for follow-up indicators of compromise.

Original reporting: BleepingComputer — New max-severity Ivanti Sentry flaw allows code execution as root