Max-Severity Ivanti Flaw Exploited 24 Hours After Disclosure

Initial methods suggest attackers had likely mapped out Ivanti's asset landscape upfront and acted quickly once the exploit became public.
Rob Wright, Senior News Director, Dark Reading
June 11, 2026

Threat actors pounced on a critical Ivanti Sentry vulnerability within 24 hours of its disclosure, using a public proof-of-concept (PoC) exploit in attacks.

Ivanti disclosed Tuesday CVE-2026-10520, an OS command injection vulnerability that affects the company's Sentry mobile gateway product prior to versions R10.5.2, R10.6.2 and R10.7.1. The vulnerability, which received a maximum severity CVSS score of 10, enables an unauthenticated attacker to remotely execute code with root privileges.

Ivanti disclosed the flaw along with another Sentry vulnerability, CVE-2026-10523, an authentication bypass flaw with a 9.9 CVSS score. In its security advisory, Ivanti initially said it was unaware of either flaw being exploited in the wild. But the situation apparently changed very quickly for CVE-2026-10520.

Public PoC for CVE-2026-10520 Triggers Exploitation

Cybersecurity vendor WatchTowr yesterday published a technical analysis of the flaw along with a PoC exploit. In a blog post the same day, Rapid7 warned the flaw is easy to weaponize and urged organizations to take immediate action.

"Given the trivial nature of exploitation and the availability of a public PoC, exploitation in-the-wild is likely to begin," Rapid7 researchers wrote. "Organizations running affected versions of Ivanti Sentry should remediate these issues on an urgent basis before exploitation in-the-wild begins."

Sure enough, attackers jumped on CVE-2026-10520 soon after. In a post on social media platform Mastodon, the Shadowserver Foundation said it observed "a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today." Specifically, Shadowserver spotted 19 vulnerable instances, at least two of which were backdoored.

"While our detection is on the lowish side due to multiple Ivanti Sentry instances not reachable in our scans (blocklisted?), if you have not patched now you are most likely compromised," Shadowserver said in the post.

Cybersecurity vendor Defused also picked up exploitation activity in its scans. Simo Kohonen, Defused founder and CEO, tells Dark Reading that attacks have "pretty much been non-stop active after the release of the Watchtowr PoC."

Perhaps more importantly, Kohonen says the exploitation activity Defused observed was notable in that attackers launched the exploit directly against the company's Ivanti honeypots, with no system fingerprinting or similar activity performed up front.

"It suggests whoever acted first had the Ivanti asset landscape mapped out already up front and was able to act very quickly once the vulnerability/exploit information became public," he says.

Risks to Ivanti Sentry Customers

Ivanti Sentry, formerly MobileIron Sentry, is part of the vendor's Unified Endpoint Management (UEM) platform and serves as an in-line gateway for mobile devices to enterprise systems. The appliance establishes on-demand, application-specific VPNs for services like email, securing traffic, and encrypting data.

Achieving root-level access on a Sentry instance via exploitation of CVE-2026-10520 could give a threat actor control over the appliance's configurations, stored credentials, and integrated authentication or directory connections, according to SOCRadar.

"Ivanti Sentry often sits in a sensitive position in enterprise environments, acting as a control point for mobile and device access," SOCRadar's research team wrote in a blog post yesterday. "That placement can amplify the downstream impact if the appliance is compromised."
In addition to extracting configurations, credentials, and other secrets from a Sentry appliance, SOCRadar said a threat actor could modify access requirements, weaken security controls, and move laterally into an organization's environment, depending on where the appliance is located.

The attacks on CVE-2026-10520 are the latest threat facing Ivanti customers. The vendor's products have been heavily targeted by both cybercriminals and nation-state actors in recent years. Most recently, a critical flaw in the Ivanti Endpoint Manager Mobile (EPMM), CVE-2026-1340, came under widespread exploitation in April.

About the Author

Rob Wright, Senior News Director, Dark Reading

Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. At TechTarget and Dark Reading, he has won several Azbee awards, including the 2026 National Silver Award for a series on vibe coding. At Dark Reading, Rob currently covers security operations, cloud security, and Internet infrastructure. He has a keen interest in malvertising activity and the certificate authority industry, and has written extensively on both topics. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.
The critical vulnerability CVE-2026-10520 (CVSS 10.0) is an OS command injection flaw in Ivanti Sentry that allows unauthenticated remote code execution with root privileges. Affected versions are Ivanti Standalone Sentry prior to 10.5.2, versions 10.6.0 through 10.6.2, and version 10.7.0. The fixed versions are 10.5.2, 10.6.2, and 10.7.1, and immediate patching is critical as exploitation began within 24 hours of disclosure using a public proof-of-concept.