Ivanti Sentry Flaw: Attackers Rapidly Exploit Maximum-Severity Vulnerability
A recently patched maximum-severity vulnerability in **Ivanti Sentry** (formerly **MobileIron Sentry**) is now being actively exploited. Attackers are leveraging **CVE-2026-10520** to execute code with root privileges on internet-exposed secure mobile gateways, posing a significant risk to organizations using these devices.
**Ivanti Sentry** is a security gateway appliance designed to secure traffic between back-end corporate systems and remote mobile devices.
The vulnerability, tracked as **CVE-2026-10520**, is an OS command injection weakness. **Ivanti** released patches on Tuesday in Sentry versions R10.5.2, R10.6.2, and R10.7.1.
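For defenders working through an appliance inventory, the fixed releases above can be turned into a quick triage check. This is an added example, not Ivanti's tooling: the hostnames and inventory rows are constructed, the accepted version-string format is an assumption, and it assumes any earlier build on a listed branch lacks the fix, while branches the article does not name are reported as unknown rather than guessed.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(10, 5): 2, (10, 6): 2, (10, 7): 1}

# Assumed format: optional "R", three numeric parts, optional build suffix.
_VERSION = re.compile(r"^R?(\d+)\.(\d+)\.(\d+)(?:[.\-\s].*)?$")


def classify(version: str) -> str:
    """Return 'patched', 'needs_patch' or 'unknown' for one version string."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unknown"  # unparseable: never assume it is safe
    major, minor, patch = map(int, m.groups())
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "unknown"  # branch not covered by the article
    # Numeric comparison, so 10.6.10 is correctly newer than 10.6.2.
    return "patched" if patch >= fixed_patch else "needs_patch"


def plan(inventory):
    """Map each host to an action from (host, version, internet_exposed) rows."""
    actions = {}
    for host, version, exposed in inventory:
        state = classify(version)
        if state == "needs_patch":
            # Exposed and unpatched: treat as likely compromised, per Shadowserver.
            actions[host] = "patch-and-investigate" if exposed else "patch"
        elif state == "patched":
            actions[host] = "none"
        else:
            actions[host] = "check-advisory"
    return actions


# Constructed sample inventory (hypothetical hosts).
SAMPLE = [
    ("sentry-edge.example", "R10.5.1", True),
    ("sentry-lab.example", "R10.7.0", False),
    ("sentry-dmz.example", "R10.6.2", True),
    ("sentry-old.example", "R9.20.0", True),
]

if __name__ == "__main__":
    for host, action in plan(SAMPLE).items():
        print(f"{host}: {action}")
```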
### Rapid Exploitation Observed
Although **Ivanti** initially stated that it had no evidence of in-the-wild exploitation, the **Shadowserver** nonprofit security organization reported the very next day that attackers had already backdoored a significant number of Sentry gateways exposed online.
**Shadowserver** warned, "We are observing a large amount of **Ivanti Sentry CVE-2026-10520** exploitation attempts based on the public PoC today. We see 19 vulnerable instances in our own scans, with at least 2 backdoored (thanks to Saudi NCA for the tip!). However, all remaining likely compromised too."
The organization also noted that while its scans detected a limited number of exposed Sentry instances, more are likely vulnerable because its search engine is blocklisted. "If you have not patched now you are most likely compromised," **Shadowserver** cautioned.

### Ivanti's Response and Broader Concerns
**Ivanti** has not yet updated its security advisory issued on Tuesday, which still states, "We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure."
This incident highlights a recurring pattern. Hackers frequently target **Ivanti** security flaws because these provide a critical entry point into enterprise networks, facilitating the theft of sensitive data.
In recent years, multiple **Ivanti** zero-days have been exploited to breach various targets, including government agencies worldwide. Examples include critical **Endpoint Manager Mobile (EPMM)** vulnerabilities addressed in January after being exploited as zero-days against a "very limited number of customers."
Last month, the **Cybersecurity and Infrastructure Security Agency (CISA)** ordered U.S. federal agencies to patch **Ivanti** systems after the company warned of a high-severity remote code execution **EPMM** flaw also abused in zero-day attacks.
**CISA** has flagged 34 vulnerabilities across various **Ivanti** products as actively exploited in the wild, with 12 of these also targeted in ransomware attacks. **Ivanti** boasts a network of over 7,000 partners and 3,000 employees, with its IT asset management solutions utilized by over 40,000 customers globally.