Ivanti Patches Critical Sentry Vulnerabilities, Including Root RCE Flaw
Security vendor **Ivanti** has released urgent patches for two critical vulnerabilities in its **Sentry** secure mobile gateway solution. These flaws, one enabling remote code execution with root privileges and the other an authentication bypass, pose significant risks to enterprise networks if left unaddressed. Administrators are strongly advised to update their systems immediately.

**Ivanti**, a prominent security software company, has moved to address two critical vulnerabilities identified in its **Sentry** secure mobile gateway solution. The patches target a maximum-severity flaw that allows remote attackers to execute code with root privileges, alongside a critical authentication bypass.
Formerly known as **MobileIron Sentry**, **Ivanti Sentry** functions as a security gateway appliance, safeguarding traffic flow between back-end corporate systems and remote mobile devices.
### Maximum-Severity OS Command Injection
The first and most severe vulnerability, tracked as **CVE-2026-10520**, is an OS command injection weakness. This flaw carries a maximum severity rating due to its potential for unauthenticated remote code execution with root privileges, offering attackers complete control over affected systems.
### Critical Authentication Bypass
The second security flaw, identified as **CVE-2026-10523**, is a critical authentication bypass. This vulnerability can be exploited remotely by unauthenticated attackers to create rogue administrative accounts, thereby gaining full administrative access to the **Sentry** appliance.
### Patch Availability and Recommendations
**Ivanti** released patches for both issues on Tuesday in **Sentry** versions R10.5.2, R10.6.2, and R10.7.1. The company has stated that it had no evidence of these vulnerabilities being actively exploited in the wild at the time of disclosure. Nonetheless, administrators are urged to upgrade their systems without delay to mitigate potential risks.
### A Pattern of Exploitation
This incident adds to a troubling pattern of **Ivanti** vulnerabilities being frequently targeted by threat actors. The company's products, due to their widespread use in enterprise networks, often serve as attractive entry points for cybercriminals aiming to breach organizations and exfiltrate sensitive data.
For instance, the **Cybersecurity and Infrastructure Security Agency (CISA)** recently ordered U.S. federal agencies to patch an **Ivanti** **Endpoint Manager Mobile (EPMM)** flaw that was actively exploited as a zero-day. This followed **Ivanti's** own warning regarding the high-severity remote code execution vulnerability.
Numerous other **Ivanti** zero-days have been leveraged in attacks over recent years, impacting a diverse range of targets including government agencies worldwide. **CISA's** Known Exploited Vulnerabilities Catalog lists 34 vulnerabilities across various **Ivanti** products as actively exploited, with 12 of these also used in ransomware attacks.
**Ivanti's** IT asset management solutions are utilized by over 40,000 clients globally, underscoring the critical importance of timely patching and robust security practices for its extensive user base.