Week 24 – The Gateway That Let Attackers In

08 – 14 June 2026

This week’s CVE of the Week highlights an unauthenticated remote code execution vulnerability in Ivanti Sentry, CVE-2026-10520.

Ivanti Sentry is an in-line gateway that manages, encrypts, and secures traffic between mobile devices and back-end enterprise systems. It is deployed as a security gateway appliance, sitting in the path between remote mobile devices and corporate back-end systems.

Gateway appliances remain a high-value target for threat actors because they are exposed at the network edge and, once compromised, can provide a path into the company's internal network.

The vulnerability was disclosed on June 9, with the highest possible severity rating, alongside the release of updates that fix it. According to the vendor bulletin, it was patched together with another critical vulnerability, an authentication bypass tracked as CVE-2026-10523, for which Ivanti credited Bryan Lam.

The issue is classified as Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) and has a CVSSv3 score of 10.0 (Critical).
It affects Ivanti Sentry versions before R10.5.2, R10.6.2 and R10.7.1 and allows a remote, unauthenticated attacker to execute arbitrary OS commands as root.
Successful exploitation hands the attacker the appliance as a foothold from which to move into the internal network.

Although Ivanti stated that it was not aware of any customers being exploited at the time of disclosure, security researchers urge customers running vulnerable versions to upgrade as soon as possible. Given the pre-authentication, root-level impact on an internet-facing appliance, patching should not wait for evidence of exploitation.

According to researchers at watchTowr, the vulnerability stems from an API exposed by a web application running under Apache Tomcat.
An attacker can send this API a crafted message without authenticating; the message is parsed, and a field from it ends up in an OS command that the backend handler executes with root privileges.
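The flow watchTowr describes, an unauthenticated message that is parsed and then turned into a root-level OS command, is the CWE-78 pattern named in the classification above. The following Python example is added here to illustrate that pattern and its fix; it is not Ivanti Sentry's code and is not taken from watchTowr's write-up. The JSON message format, the `action` and `host` field names and the `echo` stand-in for the real command are all constructed for the example.

```python
import json
import re
import subprocess

# Constructed, hypothetical API messages in the shape a gateway handler might parse.
# This is an illustration of CWE-78, not Ivanti Sentry's message format or code.
BENIGN_MESSAGE = json.dumps({"action": "lookup", "host": "example.com"})
HOSTILE_MESSAGE = json.dumps({"action": "lookup", "host": "example.com; echo INJECTED"})

# Strict allowlist for the one field that reaches a command line: hostname characters only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def parse_message(raw: str) -> dict:
    """Parse the JSON message body; only 'action' and 'host' are used downstream."""
    msg = json.loads(raw)
    return {"action": str(msg.get("action", "")), "host": str(msg.get("host", ""))}


def handle_vulnerable(raw: str) -> str:
    """CWE-78: the parsed field is spliced into a command string and run via /bin/sh.
    'echo' stands in for the real tool so this is harmless to run; a ';' in the
    field still makes the shell run a second, attacker-chosen command."""
    msg = parse_message(raw)
    cmd = f"echo {msg['action']} {msg['host']}"
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, check=True).stdout


def argv_without_shell(raw: str) -> str:
    """Second defence layer on its own: with an argv list and no shell, the ';'
    payload is passed to the program as literal text, not as a command separator."""
    msg = parse_message(raw)
    return subprocess.run(["echo", msg["action"], msg["host"]],
                          capture_output=True, text=True, check=True).stdout


def handle_hardened(raw: str) -> str:
    """Hardened handler: allowlist-validate the field, then invoke without a shell."""
    msg = parse_message(raw)
    if msg["action"] != "lookup":
        raise ValueError("unsupported action")
    if not HOSTNAME_RE.fullmatch(msg["host"]):
        raise ValueError("host rejected by allowlist")
    return argv_without_shell(raw)


def hardened_accepts(raw: str) -> bool:
    """True if the hardened handler would process the message, False if it rejects it."""
    try:
        handle_hardened(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(handle_vulnerable(HOSTILE_MESSAGE), end="")   # shell runs the injected command
    print(argv_without_shell(HOSTILE_MESSAGE), end="")  # payload printed literally
    print("hardened accepts hostile message:", hardened_accepts(HOSTILE_MESSAGE))
    print(handle_hardened(BENIGN_MESSAGE), end="")
```

The two defences are independent: the allowlist rejects anything that is not a plain hostname, and the argv form means that even a value that slipped past validation reaches the program as a single argument rather than a shell parser. Quoting or escaping for the shell is not a substitute for this; the robust fix is never to let untrusted input reach a shell at all, and to run the handler with the least privilege it needs rather than as root.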

Details about the issue, the list of affected versions and additional information about mitigations and patches are available in the advisory:
https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523

More details about the vulnerability are available at watchTowr:
https://labs.watchtowr.com/more-evidence-that-words-dont-mean-what-we-thought-they-meant-ivanti-sentry-pre-auth-os-command-injection-cve-2026-10520/

For more information about the vulnerability, see the NVD and Tenable entries:
https://nvd.nist.gov/vuln/detail/CVE-2026-10520
https://www.tenable.com/cve/CVE-2026-10520

White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and a Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect its deep expertise and commitment to excellence in cybersecurity. The company was awarded Microsoft's Partner of the Year Hungary Award in 2024 and 2025.

With the largest incident response capacity in the CEE region, it is trusted by organizations to deliver fast, effective, and proactive protection. Its portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.

The company is committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity, both for individuals and organizations. It regularly contributes to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.