Ivanti Sentry: Critical Vulnerabilities Demand Urgent Patching
Ivanti has disclosed two critical vulnerabilities, including a maximum-severity flaw (CVE-2026-10520), in its Sentry product, affecting versions 10.0 and 9.9. The bugs allow unauthenticated remote code execution with root privileges. While not yet exploited in the wild, experts warn that public disclosures increase risk, urging immediate patching of the unified endpoint management component.
Key points
- Ivanti disclosed two critical vulnerabilities in its Sentry product, impacting versions 10.0 and 9.9.
- The most severe flaw, CVE-2026-10520, allows remote, unauthenticated attackers to execute code with root privileges.
- Ivanti states the vulnerability has not been exploited in the wild, but public disclosure heightens risk.
- The flaw reportedly stems from an exposed API that could be manipulated with specially crafted messages.
- Ivanti has released patches and is urging customers to update their systems immediately.
Security firm Ivanti has alerted customers to two critical vulnerabilities affecting its Sentry product, a component of its unified endpoint management platform. The vulnerabilities, impacting versions 10.0 and 9.9, pose a significant risk to user security.
The most pressing concern is CVE-2026-10520, a maximum-severity flaw. This vulnerability allows an attacker to remotely execute code with root privileges on unpatched systems without requiring any authentication. Such a flaw is considered highly dangerous by security experts, as it grants deep access to affected devices.
While Ivanti has indicated that there is no evidence of this vulnerability being exploited in the wild yet, the public disclosure of such a critical bug typically accelerates malicious activity. Security researchers have provided details suggesting the flaw originates from an exposed API, which could be exploited by sending crafted messages. Ivanti has released patches to address these issues and is strongly advising all customers to apply them promptly to mitigate potential attacks.
Sources
The WireByte editorial team synthesises technology news from multiple primary sources, verifies the facts, and links every source. Articles are produced with AI assistance and reviewed under our editorial policy.