- A critical pre-authentication remote code execution bug now affects Ivanti Sentry.
The vulnerability, tracked as CVE-2026-10520, carries a CVSS score of 10.0, the maximum severity. Researchers published a proof-of-concept that shows an attacker can execute arbitrary commands on affected systems without any credentials. The flaw has been listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, meaning federal agencies must patch it promptly.
This matters because Ivanti Sentry is widely deployed for endpoint management in enterprises and public-sector environments. A pre-auth RCE bypasses typical access controls, potentially giving a threat actor full control over managed devices. The KEV designation signals an active exploit in the wild, raising the urgency for admins to apply mitigations or updates.
Until patches are applied, organizations should isolate Sentry servers, limit network exposure, and monitor for the published exploit patterns.
