
Multiple critical vulnerabilities disclosed in Ivanti Sentry and Fortinet products

Type: vulnerability | Status: open | Jun 10, 2026 — Jun 10, 2026

Multiple critical vulnerabilities have been disclosed in Ivanti Sentry and Fortinet products, allowing unauthenticated attackers to achieve remote code execution or create privileged accounts. Administrators are urged to apply the latest patches referenced in the Ivanti security advisory and the Fortinet PSIRT advisory to mitigate the risk.

CVE-2026-10520 is an OS command injection flaw in Ivanti Sentry with a CVSS score of 10.0 that lets remote, unauthenticated users run arbitrary commands with root privileges on affected versions prior to R10.5.2, R10.6.2 and R10.7.1. CVE-2026-10523 is an authentication bypass vulnerability rated CVSS 9.9 that enables attackers to create administrative accounts without credentials on Ivanti Sentry releases 10.7.0 and earlier. Details on both issues are available in the Socradar analysis and the Rapid7 technical post.

Fortinet fixed CVE-2026-25089, a command injection vulnerability in FortiSandbox scoring CVSS 9.1 that can be triggered by unauthenticated attackers sending specially crafted HTTP requests. The flaw impacts FortiSandbox versions 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8, with upgrades to 5.0.6 or 4.4.9 required to remediate the issue. Further information is provided in the SecurityOnline article and the Fortinet PSIRT notice.

As of the disclosure date there have been no confirmed reports of these vulnerabilities being exploited in the wild, and no threat actor has been linked to the flaws. However, public proof-of-concept exploits for CVE-2026-10520 and CVE-2026-10523 are circulating, which raises the likelihood of future attacks if systems remain unpatched. Both Ivanti and Fortinet have stated that their patches address the issues without requiring workarounds.

Security teams should prioritize updating Ivanti Sentry to version 10.7.1 or newer and FortiSandbox to the patched releases noted in the advisories. While updates are being applied, access to the management interfaces should be restricted to trusted networks and multi-factor authentication enforced for administrative accounts. Administrators are also advised to review logs for unusual command execution or account creation events and to run vulnerability checks, such as those released by Rapid7 on June 11, to verify exposure.
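As an added example (not code from Ivanti, Fortinet, Rapid7 or this briefing), the following Python script checks an asset inventory against the affected version ranges stated above, so a team can list which hosts still need the patches. The parsing of `R10.x.y`-style strings and the treatment of Ivanti Sentry branches older than 10.5 as unpatched are assumptions made here.

```python
import re

# FortiSandbox affected ranges (inclusive) from the advisory; fixed in 5.0.6 / 4.4.9.
FORTISANDBOX_AFFECTED = [((5, 0, 0), (5, 0, 5)), ((4, 4, 0), (4, 4, 8))]
# Ivanti Sentry: first fixed release on each branch named in the advisory.
SENTRY_FIXED_BY_BRANCH = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}

def parse_version(text):
    """Turn 'R10.7.1', '5.0.6' or 'v4.4' into a comparable 3-tuple of ints (assumed format)."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    return (parts + (0, 0, 0))[:3]  # pad/truncate so '5.0' compares like 5.0.0

def fortisandbox_exposed(version):
    """CVE-2026-25089: True if the version lies inside an affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in FORTISANDBOX_AFFECTED)

def sentry_exposed(version):
    """CVE-2026-10520 / CVE-2026-10523: True if the release predates its branch's fix.
    Assumption: branches with no listed fix (e.g. 10.4) are exposed; anything newer
    than the latest fixed release, 10.7.1, is treated as patched."""
    v = parse_version(version)
    fixed = SENTRY_FIXED_BY_BRANCH.get(v[:2], (10, 7, 1))
    return v < fixed

def assess(inventory):
    """inventory: iterable of (host, product, version); returns the entries still exposed."""
    checks = {"fortisandbox": fortisandbox_exposed, "ivanti sentry": sentry_exposed}
    return [entry for entry in inventory if checks[entry[1].lower()](entry[2])]

if __name__ == "__main__":
    # Constructed sample inventory for demonstration, not real hosts.
    sample = [("fsb-01", "FortiSandbox", "5.0.5"), ("fsb-02", "FortiSandbox", "4.4.9"),
              ("sentry-01", "Ivanti Sentry", "R10.7.0"), ("sentry-02", "Ivanti Sentry", "R10.6.2")]
    for host, product, version in assess(sample):
        print(f"{host}: {product} {version} needs patching")
```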

Regular configuration audits can help ensure that no unauthorized admin accounts have been added and that only necessary services are exposed. Maintaining an inventory of assets and subscribing to vendor security notifications will aid in responding quickly to future disclosures.

Intelligence briefing updated Jun 10, 2026

CVE-2026-10520: CVSS 10.0
CVE-2026-10523: CVSS 9.9
CVE-2026-25089: CVSS 9.1
Root source: fortiguard.fortinet.com