A vulnerability does not get much worse than this one. On June 11, 2026, the U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-10520, an OS command-injection flaw in Ivanti Sentry, to its Known Exploited Vulnerabilities (KEV) catalog. The National Vulnerability Database scores it a perfect CVSS 3.1 base of 10.0, the ceiling of the scale, and tags it Critical. The vector string — AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H — spells out why: the attack is reachable over the network, takes low complexity, requires no privileges and no user interaction, and breaks out of the vulnerable component to compromise confidentiality, integrity, and availability in full.
Ivanti Sentry, formerly MobileIron Sentry, is a gateway that brokers access between mobile devices and back-end resources such as email and corporate data. It sits at the edge, which is precisely what makes a flaw like this so dangerous. CISA's catalog entry states that the bug “could allow a remote unauthenticated user to achieve root-level remote code execution.” Root, not a constrained service account; unauthenticated, not a logged-in user who slipped past a permission check. An attacker who can reach the appliance can, in effect, own it.
The conditions that make it exploitable
The single most important nuance in the KEV record is the exploitation condition. CISA notes the vulnerability “can be successfully exploited in cases where the Sentry appliance is in an unmanaged state with its endpoints externally reachable.” In other words, the worst-case exposure is an appliance that is both internet-facing and not locked behind Ivanti's own access controls. The agency is explicit about the mitigating architecture: “The use of mTLS with EPMM or restricted HTTPS access through Neurons for MDM makes interfaces inaccessible to external actors.”
That detail matters for triage. If your Sentry deployment fronts its administrative or sync interfaces with mutual TLS tied to Endpoint Manager Mobile (EPMM), or restricts HTTPS through Neurons for MDM, the external attack surface is sharply reduced. If, on the other hand, the appliance is standing in an unmanaged posture with endpoints open to the internet, treat it as a live target. The practical takeaway for defenders is to inventory every Sentry instance and answer one question first: can an unauthenticated party on the internet reach the vulnerable interface? If the answer is yes or unknown, that box moves to the front of the queue.
The flaw is classified as CWE-78, “Improper Neutralization of Special Elements used in an OS Command.” Command injection of this kind typically arises when user-supplied input is passed into a shell or system call without adequate sanitization, letting an attacker append or substitute their own commands. Because Sentry runs the vulnerable code path with root privileges, a successful injection inherits that authority. The result is full appliance takeover from a single crafted request.
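To make the CWE-78 pattern concrete, here is an added, constructed illustration (not Ivanti's or Sentry's code): a gateway-style helper that takes a back-end hostname from request data, first written the way command injection arises, then hardened with allow-list validation and shell-free execution. The `ping` command, the hostname regex and the tainted sample value are all assumptions for the example.

```python
from __future__ import annotations
import re
import subprocess

# Constructed illustration of CWE-78; this is not Sentry's code. A gateway
# helper receives a back-end hostname from a request and reaches it with a
# system tool. The two builders differ only in how that input is used.
HOSTNAME_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def build_command_unsafe(host: str) -> str:
    """Vulnerable pattern: request data is spliced into one command string
    that is later handed to a shell, so every shell metacharacter in `host`
    (; | & $ backticks) is interpreted instead of being treated as data.
    If the caller runs as root, whatever the shell executes runs as root."""
    return "ping -c 1 " + host

def is_valid_hostname(host: str) -> bool:
    """Allow-list check: only a syntactically valid DNS name passes."""
    return len(host) <= 253 and HOSTNAME_RE.fullmatch(host) is not None

def build_command_safe(host: str) -> list[str]:
    """Hardened pattern: validate first, then return an argv list so the
    program is started without a shell and the argument is never parsed."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]

def exec_argv(argv: list[str]) -> str:
    """Starts argv[0] directly (shell=False is the default). Each element
    reaches the program verbatim; a stray ';' is just part of one argument."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    tainted = "mail.example.com; id"  # constructed sample input
    print("unsafe command line:", build_command_unsafe(tainted))
    # echo stands in for ping so this runs offline: the whole tainted string
    # comes back as one literal argument, nothing after ';' was executed.
    print("argv form passes it literally:", exec_argv(["echo", tainted]).strip())
    try:
        build_command_safe(tainted)
    except ValueError as exc:
        print("validation layer:", exc)
```

The two layers are independent: validation rejects the value outright, and the argv form would keep the metacharacters inert even if validation were missing.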
Ivanti products have featured repeatedly in the KEV catalog over the past two years, and the pattern is instructive rather than incidental. Edge security appliances are attractive because they are designed to be reachable, they hold privileged positions in the network, and they are operated by a relatively small number of teams who cannot always patch on the timeline an unauthenticated RCE demands. Threat actors, including state-aligned groups, have made a specialty of these devices precisely because a single working exploit scales across many organizations running the same firmware. CVE-2026-10520 fits that profile cleanly: one vulnerability class (command injection), one privileged target (a root-running gateway), and one low-friction precondition (internet reachability).
What the advisory says and what to do
Ivanti's own security advisory, published at the company's support hub, covers CVE-2026-10520 alongside a companion issue, CVE-2026-10523, and identifies the fixed builds as R10.5.2, R10.6.2, and R10.7.1. CISA's required action directs agencies to apply vendor mitigations in line with its newer risk-based directive, BOD 26-04, “Prioritizing Security Updates Based on Risk,” and to follow the agency's Forensics Triage Requirements. For an actively exploited, maximum-severity edge bug, that prioritization language is not bureaucratic boilerplate — it is a signal that this should be patched on the most aggressive timeline an organization can sustain.
The remediation due date CISA set for federal civilian agencies was June 14, 2026, just three days after the catalog addition. That compressed window reflects the severity and the active-exploitation status. Private-sector defenders are not bound by the federal deadline, but the KEV catalog is widely treated as a de facto prioritization list precisely because every entry on it has confirmed real-world exploitation. A CVSS 10.0 that is already being used in attacks is not a hypothetical risk to be scheduled for the next maintenance window.
Independent security researchers have also published exploitation analysis tied to the CVE pair, which historically accelerates copycat activity once a working technique circulates. The combination of a trivial-to-reach network vector, no authentication requirement, root-level impact, and public technical detail is the classic recipe for opportunistic mass scanning. Organizations running Sentry should assume that internet-exposed, unmanaged appliances are being probed and act accordingly.
Beyond patching, the defensive checklist is straightforward. First, upgrade to the fixed R10.5.2, R10.6.2, or R10.7.1 builds without delay. Second, verify that Sentry's external interfaces are not directly reachable from the internet, enforcing mTLS with EPMM or restricting access through Neurons for MDM as the advisory describes. Third, because the worst case is root-level code execution, treat any vulnerable, exposed appliance as potentially already compromised: review logs, check for unexpected processes or accounts, and consider it a candidate for forensic triage rather than a simple patch-and-move-on. An appliance that was internet-facing and unpatched during the active-exploitation window has, at minimum, earned a closer look.
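The triage logic in the two passages above, as an added example that is not from the advisory or the KEV record: it checks each Sentry instance against the fixed builds R10.5.2, R10.6.2 and R10.7.1 and ranks unmanaged, externally reachable (or reachability-unknown) appliances first. The "R10.x.y" version format, the posture labels and the inventory rows are constructed assumptions; release trains the advisory does not name are escalated for manual review rather than assumed safe.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Fixed builds from the Ivanti advisory, keyed by release train (major.minor).
FIXED_BUILDS = {"10.5": (10, 5, 2), "10.6": (10, 6, 2), "10.7": (10, 7, 1)}
VERSION_RE = re.compile(r"^R?(\d+)\.(\d+)\.(\d+)$")  # assumed "R10.6.2" style

def parse_version(text: str) -> tuple[int, int, int]:
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Sentry version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def on_fixed_build(version: str) -> bool | None:
    """True at or above the train's fixed build, False below it, None when the
    train is not one the advisory names (assumption: escalate, never assume safe)."""
    v = parse_version(version)
    fix = FIXED_BUILDS.get(f"{v[0]}.{v[1]}")
    return None if fix is None else v >= fix

@dataclass
class SentryHost:
    name: str
    version: str
    posture: str                       # constructed labels: mtls-epmm, neurons-mdm, unmanaged
    externally_reachable: bool | None  # None = not yet determined

def triage(host: SentryHost) -> dict:
    """KEV exploitation condition: an unfixed build that is unmanaged and
    reachable (or of unknown reachability) goes to the front of the queue."""
    fixed = on_fixed_build(host.version)
    exposed = host.posture == "unmanaged" and host.externally_reachable is not False
    if fixed is True:
        priority, action = 3, "on a fixed build; confirm posture in routine review"
    elif exposed:
        priority, action = 1, "patch now; treat as potentially compromised, start forensic triage"
    else:
        priority, action = 2, "patch on the fastest schedule; mTLS/Neurons restriction limits reach"
    if fixed is None:
        action += " (release train not in advisory: verify manually)"
    return {"host": host.name, "priority": priority, "fixed": fixed,
            "exposed": exposed, "action": action}

def prioritise(hosts: list[SentryHost]) -> list[dict]:
    return sorted((triage(h) for h in hosts), key=lambda r: r["priority"])

INVENTORY = [  # constructed sample inventory
    SentryHost("sentry-dmz-01", "R10.6.0", "unmanaged", True),
    SentryHost("sentry-hq-02", "R10.7.1", "mtls-epmm", False),
    SentryHost("sentry-eu-03", "R10.5.1", "neurons-mdm", True),
    SentryHost("sentry-lab-04", "R10.4.3", "unmanaged", None),
]

if __name__ == "__main__":
    for row in prioritise(INVENTORY):
        print(f"P{row['priority']} {row['host']:<14} {row['action']}")
```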
The broader pattern here is familiar. Edge security appliances — VPN concentrators, mobile gateways, management consoles — concentrate trust at the network boundary, which makes a single unauthenticated RCE catastrophic. CVE-2026-10520 is a textbook instance: maximum severity, no authentication, root impact, and confirmed exploitation. For defenders, the lesson is the same one the KEV catalog keeps teaching. When a perfect-score bug in an internet-facing appliance lands on the list, the clock is already running.