---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: The Cybersecurity Service for the Union institutions, bodies, offices and agencies
title: 'Critical vulnerabilities in Ivanti Sentry'
number: '2026-008'
version: '1.0'
original_date: '2026-06-09'
date: '2026-06-10'
---

_History:_

* _10/06/2026 --- v1.0 -- Initial publication_

# Summary

On 9 June 2026, Ivanti released a security advisory addressing two critical vulnerabilities in their Sentry products[1]. An attacker could exploit those flaws to achieve unauthenticated remote code execution on the vulnerable device.

# Technical Details

The vulnerability **CVE-2026-10520**, with a CVSS score of 10, is an OS Command Injection vulnerability in Ivanti Sentry which allows a remote unauthenticated user to achieve root-level remote code execution[2].

The vulnerability **CVE-2026-10523**, with a CVSS score of 9.9, is an Authentication Bypass vulnerability in Ivanti Sentry which allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.

# Affected Products

The following versions of Ivanti Sentry are affected:

- 10.5.1 and prior.
- 10.6.1 and prior.
- 10.7.0 and prior.

# Recommendations

CERT-EU recommends following the vendor's guidance to update their appliance to one of the fixed versions[1].

# References

[1]

[2]