The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a critical, already-patched vulnerability in Ivanti Sentry as exploited. Ivanti, the vendor, has clarified that the exploitation attempts observed so far were against honeypots: decoy systems deliberately deployed to attract and record attacks, not production deployments.
Understanding the Ivanti Sentry Vulnerability
Tracked as CVE-2026-10520 and carrying the maximum CVSS score of 10.0, the flaw is an operating system command injection vulnerability. It is reachable remotely without authentication, so a successful attacker can execute arbitrary commands on the appliance as root.
Ivanti released fixes on June 10 and reported no known in-the-wild exploitation at that time. The fixes are available for Ivanti Sentry versions 10.5.2, 10.6.2, and 10.7.1.
CISA’s Response and Recommendations
On Thursday, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and directed federal civilian agencies to remediate it within three days, in line with its Binding Operational Directive (BOD) 26-04, which prioritizes patching by assessed risk.
CISA notes that the flaw is exploitable when the Sentry appliance is misconfigured so that the vulnerable endpoints are reachable from the Internet. The recommended protections are mutual TLS (mTLS) between Sentry and Endpoint Manager Mobile (EPMM), or restricting HTTPS access when the appliance is managed through Neurons for MDM, so that the affected interfaces are not exposed to external clients.
Ivanti’s Advisory and Mitigation Strategies
Ivanti updated its advisory after the KEV listing to state that the exploitation attempts it observed targeted honeypots. The company stresses that the management port (TCP 8443) must never be reachable from the public Internet. Because honeypots are typically exposed on purpose to attract attackers, activity against them does not by itself show that production Sentry appliances are being compromised.
Despite the CVSS score, Ivanti says the practical risk is substantially reduced by correct deployment and configuration. Sentry appliances managed by EPMM are protected by mTLS, and unmanaged appliances are not suitable for production use in the first place, since management is required for both configuration and authentication.
For Sentry appliances managed by Neurons for MDM, Ivanti advises blocking Internet access to the vulnerable API regardless of the deployment type.
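The advice above reduces to one verifiable property: no packet from the Internet may reach the appliance's management port. The following is an added example (not Ivanti's or CISA's code) that audits a first-match perimeter firewall rule set for exactly that condition and produces a hardened rule set. The rule format, the sample rules, the admin subnet 10.20.0.0/16 and the choice of RFC 1918 space as "internal" are assumptions constructed for this illustration; the external probe addresses come from the IETF documentation ranges so they never correspond to real hosts.

```python
"""Audit a first-match firewall rule set for Internet exposure of the Ivanti
Sentry management port (TCP 8443) and emit a hardened rule set.

Added example; the rule format, sample rules and admin subnet are constructed
for this illustration and are not taken from Ivanti documentation.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

SENTRY_MGMT_PORT = 8443  # per Ivanti's advisory, must not be publicly reachable

# Assumption for this example: management access is acceptable only from
# RFC 1918 space and loopback. Replace with your real admin subnets.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    src: str       # source CIDR (IPv4 in this example)
    dst_port: int  # destination TCP port; 0 means any port


# Constructed sample rule set (first match wins). The last rule is the
# misconfiguration the advisory warns about: Internet -> management port.
SAMPLE_RULES = [
    Rule("allow", "0.0.0.0/0", 443),       # device-facing HTTPS, expected to be public
    Rule("allow", "10.20.0.0/16", 8443),   # admin subnet -> management port (assumed)
    Rule("allow", "0.0.0.0/0", 8443),      # MISCONFIGURATION: anyone -> management port
]

# Probe sources: one admin host plus addresses from TEST-NET-1/2/3 (RFC 5737),
# which stand in for arbitrary Internet clients without naming real hosts.
ADMIN_HOST = "10.20.5.4"
PROBES_EXTERNAL = ("192.0.2.10", "198.51.100.7", "203.0.113.99")


def first_match(rules: Iterable[Rule], src_ip: str, dst_port: int) -> str:
    """Evaluate a first-match rule set for one packet; default policy is deny."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        net = ipaddress.ip_network(r.src, strict=False)
        if ip in net and r.dst_port in (0, dst_port):
            return r.action
    return "deny"


def _is_internal(net: ipaddress.IPv4Network) -> bool:
    """True if every address in the rule's source range is inside INTERNAL_NETS."""
    return net.version == 4 and any(net.subnet_of(n) for n in INTERNAL_NETS)


def exposed_management_sources(rules: Iterable[Rule]) -> List[str]:
    """Return the external probe addresses that would reach TCP/8443."""
    rules = list(rules)
    return [p for p in PROBES_EXTERNAL
            if first_match(rules, p, SENTRY_MGMT_PORT) == "allow"]


def harden(rules: Iterable[Rule]) -> List[Rule]:
    """Build a rule set in which only internal sources reach the management port.

    Internal allows for 8443 go first, then an explicit deny for 8443 from any
    source, then every remaining rule. Allows of 8443 from non-internal space are
    dropped; any-port allows are kept (the deny in front of them shields 8443).
    """
    mgmt_internal, rest = [], []
    for r in rules:
        net = ipaddress.ip_network(r.src, strict=False)
        touches_mgmt = r.dst_port in (0, SENTRY_MGMT_PORT)
        if r.action == "allow" and touches_mgmt and not _is_internal(net):
            if r.dst_port == SENTRY_MGMT_PORT:
                continue                 # Internet -> management port: remove
            rest.append(r)               # any-port allow: retained for other ports
        elif r.action == "allow" and r.dst_port == SENTRY_MGMT_PORT:
            mgmt_internal.append(r)      # internal management access: keep, and keep first
        else:
            rest.append(r)
    return mgmt_internal + [Rule("deny", "0.0.0.0/0", SENTRY_MGMT_PORT)] + rest


if __name__ == "__main__":
    print("exposed before:", exposed_management_sources(SAMPLE_RULES))
    fixed = harden(SAMPLE_RULES)
    for r in fixed:
        print(f"  {r.action:5} {r.src:18} port {r.dst_port or 'any'}")
    print("exposed after:", exposed_management_sources(fixed))
    print("admin still allowed:", first_match(fixed, ADMIN_HOST, SENTRY_MGMT_PORT))
```

The check deliberately asks the question an attacker asks ("would my SYN to 8443 be accepted?") rather than pattern-matching on rule text, so it also catches exposure through an any-port allow or through rule ordering. Adapt `Rule` and the loader to your firewall's export format; the evaluation logic stays the same.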
In related news, Google has confirmed that the ShinyHunters group exploited a zero-day vulnerability in Oracle PeopleSoft, and alert fatigue remains a significant risk for security operations teams.
