Canadian Cyber Security Journal
Filed under: Featured, TechTalk

Ivanti Sentry CVE-2026-10520: CVSS 10.0 Pre-Auth Root RCE Patch Ships With Public PoC — What Canadian Organizations Must Do Now

What Happened

On June 10, 2026, Ivanti released emergency security patches for two critical vulnerabilities in Ivanti Sentry, the company’s secure mobile gateway product used by enterprises to proxy and manage mobile device traffic to back-end systems.

The first flaw, CVE-2026-10520, carries a CVSS score of 10.0 — the highest possible severity rating. It is an OS command injection vulnerability in versions prior to 10.5.2, 10.6.2, and 10.7.1. An unauthenticated remote attacker can send a specially crafted request to the exposed Sentry management port and achieve root-level remote code execution. No credentials, no authentication, no prior access required.

The second flaw, CVE-2026-10523, scores CVSS 9.9. It is an authentication bypass that allows unauthenticated attackers to create administrator accounts on a vulnerable Sentry device. Together with CVE-2026-10520, this gives an attacker two independent paths to complete takeover of the gateway: one through command injection, one through a rogue administrator account.

Security firm watchTowr published a full technical analysis of CVE-2026-10520 the same day Ivanti released patches, including a working proof-of-concept (PoC) exploit, which is now publicly available. Ivanti states that neither vulnerability was known to be actively exploited at the time of disclosure, but given the trivial exploitation path and a public PoC, in-the-wild exploitation should be expected within hours or days of this writing.

Fixed versions are Sentry 10.5.2, 10.6.2, and 10.7.1. Organizations unable to patch immediately should restrict access to the Sentry management interface and ensure it is not exposed to the internet.

Why This Matters for Canadian Organizations

Ivanti Sentry is widely deployed by Canadian enterprises, government departments, healthcare networks, and financial institutions as a mobile gateway and policy enforcement point for Microsoft Exchange, SharePoint, and other enterprise services accessed from mobile devices. Canadian organizations running Ivanti’s mobile management stack — often alongside Ivanti EPMM for full MDM capability — should treat CVE-2026-10520 as requiring immediate emergency action.

This is Ivanti’s second critical unauthenticated RCE to hit Canadian organizations in 2026. In May, CVE-2026-6973 in Ivanti EPMM was actively exploited against government and enterprise MDM servers, including 182 North American instances identified as exposed. The pattern is consistent: Ivanti products are targeted early and often, and Canadian deployments are consistently in the exposure window.

Organizations regulated under OSFI Guideline B-13 should treat a CVSS 10.0 pre-auth RCE with a public PoC as a critical incident response trigger, requiring emergency patching timelines, incident logging, and notification assessments under PIPEDA if any personal information traversed the affected gateway. Security teams should review Sentry access logs for anomalous API calls to management endpoints from June 2 onward as a precautionary measure, given the timeline between discovery and public disclosure.

What to Do

1. Patch immediately. Update Ivanti Sentry to version 10.5.2, 10.6.2, or 10.7.1, depending on your current release track.

2. If immediate patching is not possible, isolate the Sentry management interface from internet-accessible networks and restrict access to authorized IP ranges only. This is a stopgap, not a fix: any host that can still reach the management port can exploit both flaws without credentials.

3. Confirm the device is on a supported release line. Ivanti's advisory states the fix is available for 10.5.x, 10.6.x, and 10.7.x; older, unsupported versions will not receive patches and must be upgraded to a supported line before they can be fixed.

4. Review Sentry access logs for unauthorized API calls to the management port, particularly from external IP addresses, and audit the device's administrator accounts for any you did not create. CVE-2026-10523 lets an unauthenticated attacker add an administrator; patching closes the bypass but does not remove an account that already exists.

5. If any sign of compromise is found, treat the device as fully compromised: rebuild it from a known-good image rather than patching in place, and rotate all credentials associated with back-end systems Sentry proxied access to, including Exchange and SharePoint service accounts.

For additional context, see watchTowr's technical analysis published June 10, 2026, and the Rapid7 coverage listed in the sources below.
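The two checks above that can be scripted are the version triage (is this device on a fixed build, or on a line that will never get one?) and the log review from June 2 onward. The following is an added example written for this article; it is not Ivanti's, watchTowr's, or the journal's code. Its assumptions, none of which come from the advisory text: installed versions are dotted numerics such as "10.6.1"; the management listener writes an access log in a common web-server layout (client IP, timestamp, request line, status), since the article does not give Sentry's real log format; the sample log lines, the request paths in them, and the allowed source range 10.20.0.0/24 are all constructed placeholders.

```python
"""Triage helpers for the Ivanti Sentry CVE-2026-10520 / CVE-2026-10523 response.

Added example; not vendor code. Assumed: dotted numeric version strings, a
common web-server access-log layout for the management listener, and a known
CIDR list of hosts that are allowed to reach the management interface.
"""
from datetime import datetime, timezone
import ipaddress
import re

# Fixed builds per release track, as quoted in the article.
FIXED_VERSIONS = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}


def parse_version(text):
    """'10.6.1' -> (10, 6, 1); raises ValueError on non-numeric input."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    return parts


def sentry_status(version_text):
    """Classify an installed Sentry version against the advisory.

    'patched'     - at or above the fixed build for its track
    'vulnerable'  - on a supported track but below the fixed build
    'unsupported' - on a track older than 10.5, which receives no fix
    'unknown'     - newer than any track the advisory covers; check the vendor
    """
    v = parse_version(version_text)
    track = v[:2]
    if track in FIXED_VERSIONS:
        return "patched" if v >= FIXED_VERSIONS[track] else "vulnerable"
    return "unsupported" if track < min(FIXED_VERSIONS) else "unknown"


# One request per line: client IP, two unused fields, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_management_requests(log_text, allowed_cidrs, since=None):
    """Return (flagged, unparsed).

    flagged:  requests to the management listener from outside `allowed_cidrs`,
              at or after `since` (an aware datetime; None means any time).
    unparsed: lines the regex or the IP/timestamp parsers rejected. They are
              returned rather than dropped, because a request line an attacker
              controls can be malformed on purpose.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged, unparsed = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            unparsed.append(line)
            continue
        if (since is not None and ts < since) or any(ip in net for net in allowed):
            continue
        flagged.append({"ip": str(ip), "time": ts.isoformat(),
                        "method": m["method"], "path": m["path"],
                        "status": int(m["status"])})
    return flagged, unparsed


# Constructed sample log; the paths are placeholders, not real Sentry endpoints.
SAMPLE_LOG = """\
10.20.0.15 - - [01/Jun/2026:09:12:44 +0000] "GET /admin/status HTTP/1.1" 200
198.51.100.9 - - [30/May/2026:23:58:01 +0000] "GET /admin/login HTTP/1.1" 401
203.0.113.77 - - [03/Jun/2026:02:17:09 +0000] "POST /admin/users HTTP/1.1" 200
10.20.0.15 - - [04/Jun/2026:08:00:00 +0000] "POST /admin/users HTTP/1.1" 200
garbage line that a log shipper mangled
203.0.113.77 - - [03/Jun/2026:02:17:15 +0000] "POST /admin/settings HTTP/1.1" 200
"""

ALLOWED_MGMT_SOURCES = ["10.20.0.0/24"]  # assumed jump-host range
SINCE = datetime(2026, 6, 2, tzinfo=timezone.utc)  # review window from the article

if __name__ == "__main__":
    print("installed 10.6.1 is", sentry_status("10.6.1"))
    hits, bad = flag_management_requests(SAMPLE_LOG, ALLOWED_MGMT_SOURCES, SINCE)
    for h in hits:
        print("FLAG", h)
    print(f"{len(bad)} line(s) could not be parsed; review them by hand")
```

Run against the constructed sample, the June 2 window flags the two external POSTs from 203.0.113.77 and reports the mangled line for manual review; calling it with `since=None` also surfaces the May 30 external hit, which is worth pulling even though it predates the article's window, because any external reach to the management port is a finding in its own right. Replace the regex with one matching your appliance's actual log layout before relying on it.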

Source: Help Net Security | Rapid7
