CISA has added CVE‑2026‑10520 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Ivanti Sentry (formerly MobileIron Sentry) and is identified as the Ivanti Sentry OS Command Injection Vulnerability, which permits a remote unauthenticated attacker to obtain root‑level code execution on the appliance.
The vulnerability is an OS command injection that can be exploited when the Sentry appliance is in an unmanaged state and its endpoints are reachable from the internet. Successful exploitation grants the attacker full control of the device with root privileges. The CVSS score is 10.0, rating the issue as CRITICAL.
According to the supplementary data in the KEV entry, a patch is not currently available; mitigation relies on configuring the appliance so that its management interfaces are not exposed, for example by using mTLS with EPMM or by restricting HTTPS access through Neurons for MDM.
Active exploitation has been confirmed, which is the basis for the KEV designation. No ransomware campaign using this CVE has been reported. CISA has set a remediation deadline of 2026‑06‑14 for federal civilian executive branch (FCEB) agencies to address the issue.
CISA’s required action is: “Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26‑04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26‑04 guidance for cloud services or discontinue use of the product if mitigations are unavailable.
Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26‑04 patching guidelines.” While the directive binds FCEB agencies, all organisations should review their exposure to Ivanti Sentry and apply the recommended mitigations where possible.
For full details, consult the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-10520 and the CISA KEV catalogue.