This content discusses the critical vulnerabilities CVE-2026-10520 and CVE-2026-10523 affecting Ivanti Sentry. CVE-2026-10520 is an OS command injection vulnerability (CVSS score 10.0) that allows remote code execution, while CVE-2026-10523 is an authentication bypass vulnerability (CVSS score 9.9) that lets unauthenticated attackers create administrative accounts. Ivanti has released a security advisory, but no exploitation has been reported so far.
Organizations using affected versions (10.7.0 and below) are urged to apply the vendor-supplied updates (10.7.1 and above) immediately due to the critical severity and availability of proof-of-concept exploits. Rapid7 customers can use vulnerability checks from June 11 to assess their exposure.