An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution
The vulnerability consists of improper sanitization of input data passed to system calls (CWE-78 — OS Command Injection). An attacker can craft an appropriate network request and inject malicious system commands that will be executed by the server without requiring any credentials. The attack scope extends beyond the application context itself (scope changed), which means the ability to impact other system components.
An attacker gains remote code execution (RCE) with root privileges on the vulnerable device, which means complete system takeover, access to sensitive data, ability to modify configuration, and potential use of the server as a launch point for further attacks on the internal network.
Ivanti Sentry must be immediately updated to version R10.5.2, R10.6.2, or R10.7.1 (depending on the branch in use). Detailed instructions are available in the official security bulletin from the vendor at the address indicated in the references. Until the patch is deployed, it is recommended to restrict network access to Ivanti Sentry management interfaces only to trusted IP addresses.
Ivanti Sentry in all versions prior to R10.5.2, R10.6.2, and R10.7.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HIvanti Standalone Sentry
APPIvanti10.7.0< 10.5.210.6.0 – 10.6.2 (bez)
CISA KEV — detailsi
- Vendori
- Ivanti ↗
- Producti
- Sentry
- Added to KEVi
- June 11, 2026
- Remediation deadline (US Federal)i
- June 14, 2026(overdue)
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Ivanti Sentry (formerly known as MobileIron Sentry) contains an OS command injection vulnerability which could allow a remote unauthenticated user to achieve root-level remote code execution. This vulnerability can be successfully exploited in cases where the Sentry appliance is in an unmanaged state with its endpoints externally reachable. The use of mTLS with EPMM or restricted HTTPS access through Neurons for MDM makes interfaces inaccessible to external actors.
Related vulnerabilities
Authentication Bypass w Ivanti Sentry — tworzenie kont admina bez uwierzytelnienia
Insecure permissions in Ivanti Sentry before versions 9.20.2 and 10.0.2 or 10.1.0 allow a local authenticated ...
A command injection vulnerability in Ivanti Sentry prior to 9.19.0 allows unauthenticated threat actor to exec...
Krytyczny code injection w Ivanti Endpoint Manager Mobile (RCE bez uwierzytelnienia)
Code injection w Ivanti EPMM umożliwiający nieuwierzytelniony RCE