Severity
High
Analysis Summary
A critical command injection vulnerability in Ivanti Sentry, tracked as CVE-2026-10520 (CVSS high), is being actively exploited by threat actors shortly after proof-of-concept (PoC) exploit code became publicly available. The flaw allows remote, unauthenticated attackers to execute arbitrary commands with root-level privileges on vulnerable Ivanti Sentry appliances, potentially leading to full system compromise. Ivanti also addressed a second command injection vulnerability, CVE-2026-10523, in its June 9 security advisory. The vulnerabilities affect Ivanti Sentry versions 10.5.1, 10.6.1, 10.7.0, and earlier, while patched versions 10.5.2, 10.6.2, and 10.7.1 have been released to mitigate the risk.
According to telemetry from the Researcher, exploitation activity began rapidly following the public disclosure of the vulnerability. Internet-wide scanning identified at least 19 vulnerable Ivanti Sentry instances, with two systems confirmed to have been successfully compromised and backdoored. Security researchers believe the actual number of affected systems is likely higher because some vulnerable devices may be inaccessible to external scanning due to network restrictions or filtering mechanisms. The speed at which attackers weaponized the vulnerability highlights the significant risk posed by publicly available exploit code targeting internet-facing enterprise infrastructure.
Threat intelligence indicates that attackers are not only exploiting the vulnerability for remote code execution but are also deploying backdoors and malicious code to maintain persistent access on compromised systems. The Researcher has begun distributing indicators of compromise (IOCs) through its Vulnerable HTTP and Compromised Website reporting feeds, tagging affected hosts with identifiers such as “cve-2026-10520” and “ivanti-sentry,injected-code,backdoor”. The presence of confirmed backdoors suggests that attackers are actively establishing persistence mechanisms, increasing the likelihood of long-term unauthorized access and follow-on attacks within affected environments.
The incident demonstrates the ongoing trend of threat actors rapidly targeting critical edge-device vulnerabilities immediately after technical details become public. Because Ivanti Sentry is widely deployed for secure mobile device and email management in enterprise environments, successful exploitation can provide attackers with a valuable entry point into corporate networks. Organizations are strongly advised to upgrade to the latest patched versions without delay and perform comprehensive compromise assessments, including reviewing logs, identifying unauthorized access, detecting suspicious processes, verifying system integrity, and rotating potentially exposed credentials. Given the confirmed compromises observed in the wild, patching alone may not be sufficient, and affected organizations should conduct thorough incident response activities to ensure no persistence mechanisms remain on their systems.
Impact
- Gain Access
Indicators of Compromise
CVE
CVE-2026-10520
CVE-2026-10523
Remediation
- Upgrade Ivanti Sentry appliances immediately to the patched versions 10.5.2, 10.6.2, or 10.7.1 to remediate CVE-2026-10520 and CVE-2026-10523.
- Identify and inventory all internet-facing Ivanti Sentry instances to ensure no vulnerable systems remain exposed.
- Conduct a thorough compromise assessment on all Ivanti Sentry appliances, including checks for unauthorized accounts, suspicious processes, modified files, and persistence mechanisms.
- Review system, application, and authentication logs for indicators of exploitation, unusual command execution, or unauthorized access attempts.
- Scan systems for known indicators of compromise (IOCs), including signs of injected code, web shells, and backdoors associated with the vulnerability.
- Rotate credentials, API keys, certificates, and authentication tokens that may have been exposed or accessed by attackers.
- Isolate and investigate any system suspected of compromise before reconnecting it to the production environment.
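
The version check behind the first two remediation items, as an added example that is not part of the original advisory or of Ivanti's tooling: it classifies an appliance inventory against the fixed releases listed above. The host names, the sample versions, and the accepted version-string format are assumptions constructed for illustration.

```python
import re

# Fixed release per branch, taken from the advisory text.
FIXED = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}

def parse_version(text):
    """Return (major, minor, patch), or None if text is not a dotted version."""
    # Assumption: versions look like 10.5.1, optionally with a build suffix (10.5.1-7).
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[.-]\d+)*", text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def classify(text):
    """Map a reported version string to a triage status."""
    v = parse_version(text)
    if v is None:
        return "unparseable"          # check the appliance by hand
    branch = v[:2]
    if branch in FIXED:
        return "patched" if v >= FIXED[branch] else "vulnerable"
    if branch < min(FIXED):
        return "vulnerable"           # "and earlier": no fix listed on this branch
    return "unknown"                  # newer than anything the advisory covers

def triage(inventory):
    """Group hosts by status; inventory maps host name -> version string."""
    groups = {}
    for host, version in sorted(inventory.items()):
        groups.setdefault(classify(version), []).append(host)
    return groups

# Constructed sample inventory (hypothetical host names and versions).
INVENTORY = {
    "sentry-dmz-01.example.internal": "10.5.1",
    "sentry-dmz-02.example.internal": "10.5.2",
    "sentry-hq.example.internal": "10.7.0-12",
    "sentry-legacy.example.internal": "9.18.0",
    "sentry-lab.example.internal": "10.8.0",
    "sentry-unknown.example.internal": "not reported",
}

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status:12} {', '.join(hosts)}")
```

A "patched" result reflects only the installed version; an appliance that previously ran a vulnerable release still needs the compromise assessment described in the list above.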