LR pixel

What is the Vulnerability?

FortiGuard Labs continues to observe exploitation attempts targeting CVE-2026-10520 following the public release of technical details and proof-of-concept (PoC) exploit code.

CVE-2026-10520 is a critical vulnerability affecting Ivanti Sentry that allows remote, unauthenticated attackers to execute arbitrary operating system commands with root privileges. The flaw stems from improper handling of internal configuration commands exposed through an externally accessible API, enabling complete device compromise without valid credentials.

Shortly after disclosure, watchTowr published a detailed technical analysis and public PoC, significantly lowering the barrier to exploitation and increasing the likelihood of opportunistic attacks.

Ivanti Sentry is an enterprise mobile gateway that provides secure access to corporate email, applications, and content for managed mobile devices. Organizations with internet-exposed Ivanti Sentry appliances should prioritize patching immediately, as attackers are actively attempting to exploit vulnerable systems.

What is the recommended Mitigation?

Affected:

Ivanti Sentry 10.5.1 and earlier

Ivanti Sentry 10.6.1 and earlier

Ivanti Sentry 10.7.0 and earlier

Fixed:

10.5.2

10.6.2

10.7.1

Recommended Actions

• Immediately upgrade to Ivanti Sentry 10.5.2, 10.6.2, or 10.7.1.

• Assume internet-exposed, unpatched appliances may already be compromised.

• Review administrative accounts for unauthorized additions.

• Search for web shells, persistence mechanisms, and suspicious root-level processes.

• Rotate credentials and invalidate tokens if compromise is suspected.

• Monitor for exploitation attempts and anomalous outbound connections.

• Enable IPS protections and virtual patching while emergency updates are being deployed.

What FortiGuard Coverage is available?

• FortiGuard IPS provides protection against exploit attempts targeting vulnerable Ivanti Sentry appliances.

• FortiGuard Web Filtering blocks access to known malicious infrastructure used to host payloads or support post-exploitation command-and-control activity.

• FortiGuard AntiVirus detects and blocks malware payloads, web shells, and other malicious files delivered following successful exploitation.

• FortiEDR detects suspicious post-exploitation behavior, including unauthorized command execution, persistence mechanisms, privilege abuse, and lateral movement originating from compromised systems.

• FortiGuard Incident Response Service assists organizations in investigating potential compromise, determining the scope of attacker activity, and supporting containment, remediation, and recovery efforts following exploitation.