ctipilot.ch

Daily brief 2026-06-14

Ivanti Sentry CVE-2026-10520 — exploitation confirmed in the wild, gateways backdoored

critical vulnerability discovered 2026-06-14 05:00 UTC

Part of run 2026-06-14-e1d80e78 (intel · Claude Opus 4.8)

UPDATE — originally covered CVE-2026-10520 / CVE-2026-10523 — Ivanti Sentry: pre-auth OS command injection to root (CVSS 10.0), public PoC published today (2026-06-10)

UPDATE (originally covered 2026-06-10): the Ivanti Sentry MICS command injection covered last week as an advisory-plus-patch story is now confirmed exploited. After watchTowr published a working proof-of-concept on 10 June, the Shadowserver Foundation observed mass exploitation attempts and confirmed that at least two of the then-19 internet-exposed Sentry instances had been backdoored shortly after the PoC went public (Security Affairs, 2026-06-11).

The flaw (CVSS 10.0) is reachable by an unauthenticated POST to the MICS handleMessage interface and executes arbitrary OS commands as root, giving an attacker control over every mailbox, calendar and enterprise application the gateway brokers (T1190 Exploit Public-Facing Application; T1505.003 Web Shell post-exploitation). CISA added the CVE to its Known Exploited Vulnerabilities catalog on 11 June and CERT-EU issued advisory 2026-008 urging immediate upgrade (CERT-EU 2026-008, 2026-06-10; BleepingComputer, 2026-06-12). The operational driver is the confirmed in-the-wild backdooring, not any compliance date: any internet-reachable Sentry should be treated as presumed-compromised and compromise-assessed, not merely patched. Affected: Sentry ≤ R10.5.1, ≤ R10.6.1, ≤ R10.7.0; fixed in R10.5.2 / R10.6.2 / R10.7.1. See the § 0 Immediate Action callout and § 6.

“Shadowserver Foundation observed a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC by watchTowr, and said that at least two of the 19 vulnerable instances they are seeing have been backdoored” — Security Affairs

“CISA adds Ivanti Sentry flaw to its Known Exploited Vulnerabilities catalog and urges patching by June 14” — Security Affairs

Action items

  • Patch internet-exposed Ivanti Sentry now and compromise-assess — do not just patch (CVE-2026-10520). Upgrade to R10.5.2 / R10.6.2 / R10.7.1, restrict the MICS listener to management networks, and because exposed gateways are confirmed backdoored, audit for persistence (unexpected cron entries, authorized_keys changes, anomalous children of the MICS Java process) before declaring any instance clean. Pre-auth CVSS 10.0 RCE with confirmed in-the-wild backdooring.
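A log-triage helper for the exposure described above, added here as an example; it is not part of the brief and not Ivanti tooling. It parses access-log lines in Combined Log Format, keeps POST requests to a handleMessage endpoint (the brief names the interface but not its URI, so the path match is an assumption) that originate outside the management networks the listener should be restricted to, and reports which external sources received a 2xx response. The management CIDRs and the log lines are constructed values.

```python
import ipaddress
import re
from collections import Counter

# Management networks from which the MICS listener should be reachable
# (constructed example ranges; substitute the real management networks).
MANAGEMENT_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# ASSUMPTION: the brief names the "MICS handleMessage interface" but gives no
# URI, so match on the interface name anywhere in the request path.
HANDLE_MESSAGE_RE = re.compile(r"handleMessage", re.IGNORECASE)

# Combined Log Format: src ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_management(src):
    """True if src is an IP inside one of the management networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)

def triage(lines):
    """Summarise unauthenticated POSTs to handleMessage from outside management.

    A 2xx response to such a POST means the request reached the handler, so
    those sources are the first candidates for compromise assessment."""
    hits = [
        rec for rec in map(parse_line, lines)
        if rec and rec["method"] == "POST"
        and HANDLE_MESSAGE_RE.search(rec["path"])
        and not is_management(rec["src"])
    ]
    return {
        "attempts": len(hits),
        "by_source": dict(Counter(h["src"] for h in hits)),
        "succeeded_from": sorted({h["src"] for h in hits if h["status"].startswith("2")}),
    }

# Constructed sample log (TEST-NET addresses; the path is an assumed placeholder).
SAMPLE_LOG = [
    '198.51.100.23 - - [11/Jun/2026:02:14:07 +0000] "POST /mics/handleMessage HTTP/1.1" 200 512',
    '198.51.100.23 - - [11/Jun/2026:02:14:09 +0000] "POST /mics/handleMessage HTTP/1.1" 200 498',
    '203.0.113.77 - - [11/Jun/2026:02:20:41 +0000] "POST /mics/handleMessage HTTP/1.1" 500 0',
    '10.20.4.15 - - [11/Jun/2026:02:25:00 +0000] "POST /mics/handleMessage HTTP/1.1" 200 512',
    '203.0.113.77 - - [11/Jun/2026:02:26:13 +0000] "GET /mics/handleMessage HTTP/1.1" 405 0',
    '198.51.100.9 - - [11/Jun/2026:02:30:55 +0000] "GET /healthz HTTP/1.1" 200 2',
    'not a log line',
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Any source listed under `succeeded_from` on a real gateway is a reason to start the persistence audit from the action item above rather than to stop at patching.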

Update chain

vulnerabilities actively-exploited pre-auth rce cisa-kev global europe switzerland CVE-2026-10520