FORSMILE
Security / 2026/06/12

[URGENT] Unauthenticated OS Command Injection Vulnerability (CVE-2026-10520) Discovered in Ivanti Sentry - Apply Patch Immediately!

An unauthenticated OS command injection vulnerability in Ivanti Sentry has been urgently disclosed. Rated with a CVSS score of 10.0, active exploitation has already been confirmed. Immediate patch application and access restrictions are mandatory.


Urgent announcement for everyone involved in IT and web development: An unauthenticated OS command injection vulnerability (CVE-2026-10520) has been discovered in Ivanti Sentry, widely used as a mobile device management (MDM) and VPN gateway. This vulnerability is rated with a CVSS score of 10.0 (Critical), and the U.S. CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog, directing federal agencies to take immediate action. Attackers can exploit this vulnerability to execute arbitrary code with root privileges on the target system. If Ivanti Sentry is deployed in your environment, you must immediately review the details and implement the recommended countermeasures.

Vulnerability Overview and Scope of Impact

CVE-2026-10520, disclosed today, is an OS command injection vulnerability in Ivanti Sentry (formerly MobileIron Sentry). This vulnerability allows an unauthenticated remote attacker to execute arbitrary commands with root privileges on the underlying operating system by sending specially crafted requests. This type of vulnerability often serves as a primary attack vector for malicious cyber actors, posing significant risks to federal government agencies.

⚠ CVSS Score: 10.0, highest severity / CRITICAL (CVE-2026-10520)

Affected Ivanti Sentry appliances are those running versions prior to R10.5.2, R10.6.2, and R10.7.1. Specifically, Ivanti Sentry management portals exposed to the internet are primary targets, and many systems may have already been backdoored.

Specific Impacts and Attack Scenarios

If this vulnerability is exploited, attackers can achieve the following:

1. **Complete System Control:** Gain root privileges without authentication, allowing full control over the Ivanti Sentry appliance.

2. **Data Theft and Network Intrusion:** Establish a foothold into internal networks accessible by the appliance, potentially leading to the theft of confidential information and further intrusion into internal systems.

3. **Denial of Service:** Disrupt MDM and VPN services by disabling appliance functions or altering configurations.

Proof-of-Concept (PoC) exploit code for this vulnerability emerged within days of the patch release, and active exploitation has been observed. Additionally, an unauthenticated SSRF vulnerability (CVE-2026-46697) in WordPress's Fediverse Embeds plugin was also disclosed on the same day, raising concerns about its widespread impact on web services.

Actions Engineers Should Take Immediately

The most critical action is to promptly update your Ivanti Sentry appliances to the latest version provided by the vendor. While patches are pending, and as a defense-in-depth measure once they are applied, implement the following mitigations:

1. **Apply Vendor Patches:** Immediately apply the recommended patches for Ivanti Sentry (R10.5.2, R10.6.2, R10.7.1 or later).

2. **Strengthen Access Restrictions:** Strictly limit network access to the Ivanti Sentry administrative interface and related services. Configure firewalls and ACLs to allow access only from trusted IP address ranges.

```nginx
# Example Nginx reverse-proxy configuration restricting access to the Ivanti Sentry management portal to specific IP addresses
server {
    listen 443 ssl;
    server_name ivanti-sentry.yourdomain.com;

    ssl_certificate /etc/nginx/ssl/yourdomain.crt;
    ssl_certificate_key /etc/nginx/ssl/yourdomain.key;

    # Allow access only from trusted IP addresses
    allow 203.0.113.0/24; # Example: office network IP range
    allow 192.0.2.10;    # Example: specific administrator IP address
    deny all;

    location / {
        proxy_pass https://<Ivanti_Sentry_Internal_IP_or_Hostname>:8443; # Internal IP/hostname and port of Ivanti Sentry
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Add other headers as needed

        # If WebSocket connections to Ivanti Sentry need to be supported
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

3. **Monitor for Anomalous Traffic:** Continuously monitor network traffic and system logs for any signs of suspicious access or command execution.

4. **Review Security Configurations:** Re-examine security configurations not only for Ivanti Sentry but also for related mobile management systems, VPNs, and other gateway devices, ensuring strict access control based on the principle of least privilege.
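To make step 3 concrete, here is an added example (not from the original post or from Ivanti) that scans the access log of the Nginx reverse proxy from step 2 and flags requests arriving from outside its allow-list or carrying shell metacharacters in the request URI. The allow-list values are taken from the Nginx example; the sample log lines and the `/admin/...` paths are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Trusted source ranges, mirroring the allow-list in the Nginx example above.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("192.0.2.10/32")]

# Nginx "combined" access-log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

# Shell metacharacters with no legitimate place in a management-portal URL; decoded first so %3B (';') is caught too.
SHELL_META_RE = re.compile(r"[;|`\n\r]|\$[({]|&&")


def is_trusted(ip: str) -> bool:
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)
    except ValueError:  # not a valid IP address at all
        return False


def analyze(lines):
    """Return one alert per suspicious request: source IP, URI, status and reasons."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production version would count these
        reasons = []
        if not is_trusted(m["ip"]):
            # Nginx logs denied requests with status 403, so probes from outside
            # the allow-list still appear here and are worth reviewing.
            reasons.append("untrusted_source")
        if SHELL_META_RE.search(unquote(m["uri"])):
            reasons.append("shell_metacharacters")
        if reasons:
            alerts.append({"ip": m["ip"], "uri": m["uri"], "status": int(m["status"]), "reasons": reasons})
    return alerts


# Constructed sample lines (not real traffic) in Nginx combined format.
SAMPLE_LOG = [
    '203.0.113.45 - - [12/Jun/2026:10:01:02 +0900] "GET /admin/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jun/2026:10:01:09 +0900] "POST /admin/login HTTP/1.1" 403 153 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/Jun/2026:10:01:11 +0900] "GET /admin/status?host=10.0.0.1%3Bid HTTP/1.1" 403 153 "-" "curl/8.4.0"',
    '192.0.2.10 - - [12/Jun/2026:10:02:00 +0900] "GET /admin/status?host=10.0.0.1 HTTP/1.1" 200 410 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Feed it the proxy's real access log instead of `SAMPLE_LOG` to get a first-pass triage list; hits from trusted addresses that still carry metacharacters deserve the closest look.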

