Ivanti Sentry CVE-2026-10520 Exploited in the Wild; Shadowserver Says Most Exposed Gateways Already Backdoored
Attackers are exploiting CVE-2026-10520, a max-severity OS command injection flaw in Ivanti Sentry, to run code as root on internet-exposed gateways. Shadowserver reports most exposed instances already backdoored. Patched Tuesday in R10.5.2, R10.6.2, R10.7.1 — patch now.
Attackers are actively exploiting CVE-2026-10520, a maximum-severity flaw in Ivanti Sentry that allows code execution with root privileges on internet-exposed secure mobile gateways. Public proof-of-concept code is circulating, and exploitation is already widespread.
Ivanti Sentry — formerly MobileIron Sentry — is a security gateway appliance that brokers traffic between back-end corporate systems and remote mobile devices. Because it sits at the network edge and fronts internal systems, a root-level compromise hands attackers a direct foothold into the enterprise.

The flaw
CVE-2026-10520 is an OS command injection weakness carrying a maximum CVSS score. Ivanti patched it on Tuesday in Sentry versions R10.5.2, R10.6.2, and R10.7.1. At release, the company stated it had no evidence of in-the-wild exploitation.
That position did not hold for long. The day after the patch, Shadowserver reported that attackers had already backdoored most of the Sentry gateways exposed online. The organisation observed a large volume of exploitation attempts based on the public PoC, identifying 19 vulnerable instances in its own scans with at least two confirmed backdoored — and assessed the rest as likely compromised. Shadowserver also cautioned that its visibility is limited because many Sentry instances are unreachable in its scans, suggesting the true exposed population is larger than detection indicates.
Its guidance was blunt: if you have not patched, you are most likely already compromised.
Vendor advisory lag
At the time of reporting, Ivanti had not updated its Tuesday advisory, which still states the company is not aware of any customers being exploited. The gap between the vendor's stated position and independent telemetry is itself operationally relevant — defenders should weight Shadowserver's active-exploitation data over the static advisory when prioritising response.
A repeat target
Ivanti edge appliances are a persistent target because they provide an entry point into enterprise networks and the sensitive data behind them. Multiple Ivanti zero-days have been exploited in recent years to breach organisations including government agencies worldwide. CISA has flagged 34 vulnerabilities across Ivanti products as actively exploited, 12 of which have also featured in ransomware operations. CVE-2026-10520 fits squarely into that pattern — and the speed from patch to mass exploitation here is the tightest yet.
Action Items
- Patch immediately to Sentry R10.5.2, R10.6.2, or R10.7.1.
- If your Sentry instance has been internet-exposed and unpatched, treat it as compromised — patching alone does not evict an established backdoor.
- Conduct compromise assessment: inspect for unauthorised files, modified binaries, new accounts, and outbound connections from the appliance.
- Remove Sentry admin portals from direct internet exposure where possible; restrict to VPN or trusted networks.
- Rotate credentials and secrets accessible from the gateway, given its position brokering back-end traffic.
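
The first two action items can be applied to an appliance inventory as a triage pass. The sketch below is an added example, not Ivanti or Shadowserver tooling: the record fields (`host`, `version`, `internet_exposed`), the host names and the action labels are hypothetical. It assumes that a later build on one of the three named branches also carries the fix, and it does not judge branches the article does not name.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(10, 5): 2, (10, 6): 2, (10, 7): 1}

def parse_version(text):
    """Return (major, minor, build) from 'R10.5.2' or '10.5.2', else None."""
    m = re.fullmatch(r"\s*[Rr]?(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(g) for g in m.groups()) if m else None

def patch_state(version):
    """Classify one version string as 'fixed', 'vulnerable' or 'unknown'."""
    parsed = parse_version(version)
    if parsed is None or parsed[:2] not in FIXED:
        return "unknown"  # branch not named in the article: check the advisory
    # Assumption: later builds on the same branch keep the fix.
    return "fixed" if parsed[2] >= FIXED[parsed[:2]] else "vulnerable"

def triage(record):
    """Map one inventory record to the action the article's guidance implies."""
    state = patch_state(record["version"])
    exposed = record["internet_exposed"]  # reachable from the internet at any point
    if state == "unknown":
        return "VERIFY_VERSION"
    if state == "vulnerable":
        return "TREAT_AS_COMPROMISED" if exposed else "PATCH_NOW"
    # Patched, but a backdoor planted before the update survives it.
    return "ASSESS_FOR_BACKDOOR" if exposed else "PATCHED"

# Constructed inventory (hypothetical hosts and versions, not real data).
INVENTORY = [
    {"host": "sentry-edge-a.example.internal", "version": "R10.5.1", "internet_exposed": True},
    {"host": "sentry-edge-b.example.internal", "version": "R10.6.2", "internet_exposed": True},
    {"host": "sentry-lab.example.internal", "version": "10.7.0", "internet_exposed": False},
    {"host": "sentry-dmz.example.internal", "version": "R10.7.1", "internet_exposed": False},
    {"host": "sentry-old.example.internal", "version": "R10.4.3", "internet_exposed": True},
]

def run(inventory=INVENTORY):
    """Return {host: action} for every record in the inventory."""
    return {r["host"]: triage(r) for r in inventory}

if __name__ == "__main__":
    for host, action in run().items():
        print(f"{host:32} {action}")
```

An exposed host that already runs a fixed build still lands in `ASSESS_FOR_BACKDOOR`, because the inventory alone cannot show whether it was compromised before the update was installed.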