Ivanti Releases Security Advisory for Critical Vulnerabilities in Sentry
Summary
If exploited, two critical vulnerabilities could allow unauthenticated OS command injection or authentication bypass.
Affected platforms
The following platforms are known to be affected:
Threat details
Proof-of-concept exploit for CVE-2026-10520
Security researchers have released a proof-of-concept technical writeup for vulnerability CVE-2026-10520.
The NHS England National CSOC assesses exploitation as highly likely.
Introduction
Ivanti has released a security advisory to address two critical vulnerabilities in Ivanti Sentry. Successful exploitation could allow unauthenticated attackers to gain full administrative control or execute commands with root privileges on affected systems.
- CVE-2026-10520 - Improper Neutralization of Special Elements Used in an OS Command ('OS Command Injection') vulnerability - CVSSv3 Score: 10.0
- CVE-2026-10523 - Authentication Bypass Using an Alternate Path or Channel vulnerability - CVSSv3 Score: 9.9
Remediation advice
Affected organisations are encouraged to review Ivanti Security Advisory Ivanti Sentry (CVE-2026-10520, CVE-2026-10523) and apply the relevant updates as soon as possible.
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 10 June 2026 10:05 am