## Overview
CISA added CVE-2026-10520 to its KEV catalog on June 11, 2026. This critical vulnerability allows unauthenticated remote code execution via command injection in Ivanti Sentry OS. The KEV listing implies federal agencies must patch by June 18. CISA added it due to confirmed exploitation in the wild, particularly against unmanaged Sentry appliances with externally reachable endpoints.
## Technical Details
The flaw exists in Ivanti Sentry OS versions prior to R10.5.2, R10.6.2, and R10.7.1. A remote attacker sends malicious input to the web interface, injecting OS commands. The vulnerability triggers without authentication. Exploitation requires the Sentry appliance to be in an unmanaged state with endpoints exposed to the internet. mTLS with EPMM or Neurons-restricted HTTPS access blocks external access.
## Impact
CVSS score 10.0 indicates complete system compromise. Attackers achieve root-level remote code execution. Compromised Sentry appliances become attack vectors for lateral movement, data exfiltration, or further infrastructure takeover. The vulnerability affects all unpatched Sentry deployments exposed to the internet.
## Mitigation
Apply Ivanti's patches immediately: upgrade to Sentry OS R10.5.2, R10.6.2, or R10.7.1. Isolate unmanaged Sentry appliances from public internet access. Restrict HTTPS access via Neurons for MDM or enforce mTLS with EPMM. Monitor for exploitation attempts targeting the vulnerable web interface. Do not delay patching—CISA's KEV status demands immediate action.
CSURFACE Threat Sensor