ctipilot.ch

UPDATE: Ivanti Sentry CVE-2026-10520 — exploitation confirmed in the wild, gateways backdoored

From CTI Daily Brief — 2026-06-14 · published 2026-06-14

UPDATE (originally covered 2026-06-10): the Ivanti Sentry MICS command-injection covered last week as an advisory-plus-patch story is now confirmed exploited. After watchTowr published a working proof-of-concept on 10 June, the Shadowserver Foundation observed mass exploitation attempts and confirmed that at least two of the then-19 internet-exposed Sentry instances had been backdoored shortly after the PoC went public (Security Affairs, 2026-06-11).

The flaw (CVSS 10.0) is reachable by an unauthenticated POST to the MICS handleMessage interface and executes arbitrary OS commands as root, giving an attacker control over every mailbox, calendar and enterprise application the gateway brokers (T1190 Exploit Public-Facing Application; T1505.003 Web Shell post-exploitation). CISA added the CVE to its Known Exploited Vulnerabilities catalog on 11 June and CERT-EU issued advisory 2026-008 urging immediate upgrade (CERT-EU 2026-008, 2026-06-10; BleepingComputer, 2026-06-12). The operational driver is the confirmed in-the-wild backdooring, not any compliance date: any internet-reachable Sentry should be treated as presumed-compromised and compromise-assessed, not merely patched. Affected: Sentry ≤ R10.5.1, ≤ R10.6.1, ≤ R10.7.0; fixed in R10.5.2 / R10.6.2 / R10.7.1. See the § 0 Immediate Action callout and § 6.
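A defender-side triage helper, added here as an example and not taken from the brief, Ivanti or any cited source: it parses Sentry version strings, applies the affected/fixed releases listed above, and, following the brief's guidance, flags every internet-exposed instance for compromise assessment regardless of patch level. The inventory rows and their dict shape (host, version, internet_exposed) are constructed assumptions.

```python
import re

# Fixed releases per branch, as stated in the brief (R10.5.2 / R10.6.2 / R10.7.1).
FIXED_BY_BRANCH = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}

def parse_version(text):
    """Turn 'R10.6.1' (or '10.6.1') into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"R?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Sentry version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(text):
    """True if vulnerable, False if on a fixed release, None if the brief does not cover it."""
    v = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        return v < fixed
    if v < (10, 5, 0):
        return True   # older than R10.5: our reading of the brief's "<= R10.5.1"
    return None       # newer branch than the brief lists; confirm with vendor

def triage(asset):
    """Disposition for one inventory row (assumed keys: host, version, internet_exposed)."""
    affected = is_affected(asset["version"])
    actions = []
    if asset["internet_exposed"]:
        # Brief: internet-reachable Sentry is presumed compromised, not merely patched.
        actions.append("presumed compromised: isolate and compromise-assess")
    if affected is None:
        actions.append("version not covered by advisory, confirm with vendor")
    elif affected:
        actions.append("upgrade to fixed release")
    return actions or ["patched, no action"]

INVENTORY = [  # constructed sample rows, not real hosts
    {"host": "sentry-dmz-1", "version": "R10.6.1", "internet_exposed": True},
    {"host": "sentry-lab", "version": "R10.7.0", "internet_exposed": False},
    {"host": "sentry-dmz-2", "version": "R10.7.1", "internet_exposed": True},
    {"host": "sentry-old", "version": "R10.4.3", "internet_exposed": False},
]

if __name__ == "__main__":
    for a in INVENTORY:
        print(f"{a['host']:<12} {a['version']:<8} -> {'; '.join(triage(a))}")
```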