June 11, 2026 update: Ivanti Sentry CVE-2026-10520 and CVE-2026-10523 are critical gateway vulnerabilities patched in Ivanti Sentry R10.5.2, R10.6.2, and R10.7.1. BleepingComputer reports that Shadowserver is now seeing exploitation activity against internet-exposed Sentry gateways, so exposed appliances should be patched and reviewed immediately.
Plain-English impact: Ivanti Sentry, formerly MobileIron Sentry, sits between mobile devices and back-end corporate systems. A compromised gateway can put mobile access, internal applications, email paths, administrator trust, and customer-facing support workflows at risk.
This is a protect-only guide. It gives administrators a safe patch, review, and communication path without publishing abuse instructions, unsafe validation steps, or implementation details.
What is affected
The CVE records list Ivanti Sentry versions before the fixed R10.5.2, R10.6.2, and R10.7.1 releases as affected. CVE-2026-10520 is rated CVSS 10 Critical in the official CVE record. CVE-2026-10523 is also critical and affects administrator trust.
- Ivanti Sentry / MobileIron Sentry appliances on older R10.5, R10.6, or R10.7 builds.
- Internet-exposed Sentry gateways that broker mobile-device access to internal services.
- Hosting providers, MSPs, agencies, and IT teams that use Sentry to protect customer or staff mobile access.
- Environments where the Sentry gateway can reach mail, identity, support, billing, CRM, file, or private application systems.
Patch priority
- Inventory every Sentry gateway. Include production, disaster-recovery, lab, regional, and customer-dedicated appliances.
- Confirm the exact branch and build. If the gateway is older than R10.5.2, R10.6.2, or R10.7.1, treat it as needing urgent maintenance.
- Back up before the change. Preserve configuration, certificates, integration settings, and a rollback plan according to Ivanti’s supported process.
- Apply the Ivanti fixed release for your branch. Use the official Ivanti advisory and release notes for the supported upgrade path.
- Restrict exposure while patching. Limit direct internet reachability where the business can tolerate it, especially for administrator access and management paths.
- Assume exposed unpatched gateways need review. Because exploitation is being reported publicly, do not stop at “patched.” Review access, logs, accounts, certificates, and downstream systems.
Post-patch verification
- Confirm the active Sentry version shows R10.5.2, R10.6.2, R10.7.1, or a later fixed build.
- Verify mobile-device traffic, email access, application tunnels, certificates, and identity-provider connections.
- Check for unexpected administrator accounts, role changes, configuration edits, certificate changes, and policy changes.
- Review gateway, authentication, mobile-device, EDR, SIEM, and firewall logs around the public patch and exploitation window.
- Rotate credentials, tokens, or certificates if the gateway showed suspicious changes or if your incident-response team cannot rule out compromise.
- Watch for unusual outbound connections, new scheduled tasks, changed startup behavior, unknown files, or monitoring alerts on the appliance and adjacent systems.
- Confirm customer and staff mobile workflows after the update so support teams can separate expected post-maintenance issues from suspicious behavior.
Hosting and MSP notes
If Sentry protects access to customer-support tooling, hosting control panels, billing systems, private cloud dashboards, backup platforms, or managed email, treat this as a business-impact patch window. Customer communication should explain the maintenance window, expected reconnect behavior, and how users should report failed access or suspicious mobile prompts.
For multi-tenant environments, review tenant isolation and downstream access. A gateway that brokers access into several customer environments deserves a wider access review than a single-purpose appliance.
If you cannot patch immediately
Temporary exposure reduction is only a bridge. Restrict management access, limit trusted networks, increase logging, alert on administrator and configuration changes, and prepare an emergency maintenance window. Do not treat a firewall rule or monitoring alert as a substitute for the fixed Ivanti release.
Related Fix I.T. Phill reading
- Check Point CVE-2026-50751 VPN patch guide
- SolarWinds Serv-U CVE-2026-28318 KEV patch guide
- VMware Cloud Foundation Operations VMSA-2026-0004 patch guide
- Microsoft Defender RoguePlanet admin mitigation checklist
Sources
- Ivanti Sentry security advisory for CVE-2026-10520 and CVE-2026-10523
- Official CVE record for CVE-2026-10520
- Official CVE record for CVE-2026-10523
- NVD entry for CVE-2026-10520
- NVD entry for CVE-2026-10523
- BleepingComputer report on Ivanti Sentry exploitation activity
Need help planning an emergency gateway patch or reviewing access after a mobile-access appliance vulnerability? Fix I.T. Phill can help inventory exposure, coordinate a maintenance window, verify service health, and document what changed.
