Ivanti Sentry CVE-2026-10520: what Hawaii businesses need to do right now
Ivanti Sentry CVE-2026-10520 is a CVSS 10.0 unauthenticated root remote code execution flaw in Ivanti's MDM gateway product (formerly MobileIron Sentry). Ivanti shipped fixes on June 9, 2026. CISA added the CVE to the Known Exploited Vulnerabilities catalog on June 11, 2026 with a June 14 federal remediation deadline. Public exploit code was released on June 10. Any Hawaii business running Sentry with the management interface reachable from the internet must patch to R10.5.2, R10.6.2, or R10.7.1 today and run a compromise assessment.
We are writing this on July 4, 2026 because we still see Hawaii businesses running Ivanti or MobileIron Sentry that have not verified their patch status against this advisory. Some of those appliances are on the Ivanti-branded builds, some are still on legacy MobileIron builds — same product, same bug. Below is what happened, why it matters for a Honolulu enterprise, and exactly what to do this weekend.
What CVE-2026-10520 actually is
The vulnerability lives in Sentry's ConfigServiceController.handleMessage Java class, reached via a POST to the unauthenticated endpoint /mics/api/v2/sentry/mics-config/handleMessage on TCP 8443. That endpoint was designed to accept internal configuration commands from within the management fabric. In vulnerable builds it accepts them from anyone who can reach the port, without any authentication. The received "message" is parsed as a MICS wire-protocol command and dispatched to an OS-level executor that runs as root.
WatchTowr Labs published a technical breakdown and a detection artifact on June 10, 2026 — one day after Ivanti's advisory. A single POST is enough. The exploit body is short enough to fit in a tweet. There is no user interaction, no credential requirement, and no privilege prerequisite. CVSS 3.1 base score is 10.0 (network attack vector, low complexity, no privileges required, no user interaction, scope changed, high impact to confidentiality, integrity, and availability). EPSS jumped to 0.98937 within days.
The companion CVE-2026-10523 is an authentication bypass (CVSS 9.9) in the same product, fixed in the same builds, allowing an unauthenticated attacker to create arbitrary administrative accounts. Both should be treated as a chained pair.
The timeline
- June 9, 2026 — Ivanti publishes the advisory and ships R10.5.2, R10.6.2, and R10.7.1. Vendor states no confirmed customer exploitation at disclosure.
- June 10, 2026 — WatchTowr Labs publishes a technical breakdown and a public detection artifact. Attackers begin weaponizing within 40 hours.
- June 11, 2026 — CISA adds CVE-2026-10520 to the Known Exploited Vulnerabilities catalog with a June 14 remediation deadline under Binding Operational Directive 26-04's three-day mandate for critical, actively exploited, publicly-exposed flaws. This was the first real-world use of the shortened BOD 26-04 clock.
- June 12, 2026 — Shadowserver Foundation reports mass exploitation attempts and at least two backdoored internet-exposed appliances out of 19 visible in its scans.
- June 14, 2026 — Federal remediation deadline passes.
The NVD entry for CVE-2026-10520 is the primary reference. The CISA KEV catalog is the authoritative list of the vulnerabilities being exploited in the wild that FCEB agencies and mature private-sector organizations track patching against. We wrote about the patching SLA your MSP should commit to against KEV in our CISA KEV patching guide.
Why this matters for Hawaii businesses
Sentry (and its legacy MobileIron branding) is a common piece of infrastructure in three kinds of Hawaii organization:
- Larger enterprises — hotels, resorts, healthcare systems, financial institutions — that adopted MobileIron for MDM before Ivanti's acquisition and have not migrated off Sentry as a gateway to their mobile fleet.
- Federal contractors, defense-adjacent firms, and Hawaii state agencies with CJIS, IRS 1075, or DoD-aligned mobile fleets requiring an on-prem MDM gateway between devices and back-end systems.
- Healthcare organizations using Sentry to broker mobile access to Epic, Meditech, or similar systems where a cloud-only MDM path did not fit compliance requirements.
For all three, the risk is not just "the appliance can get owned." It is that Sentry sits between mobile devices and internal systems — identity, mail, files, sometimes clinical records. An attacker with root on Sentry is well-positioned to move into that internal footprint. The Shadowserver-confirmed backdoors on exposed appliances (Shadowserver scans globally, so we cannot claim any specific Hawaii instance was hit) demonstrate that the exploitation chain is already operational at scale.
Even more relevant — we specifically recommended Ivanti's mobile products in our recent guide for Hawaii construction companies. That recommendation still stands for the parts of Ivanti's line that are not affected, but if you took the Sentry path specifically, this advisory is your action item this weekend.
How to check your exposure this weekend
- Inventory. Identify every Ivanti Sentry or legacy MobileIron Sentry appliance. Include virtual machines and cloud-hosted instances. Include appliances someone else may be operating on your behalf.
- Version check. On each appliance, confirm the exact build. If it is below the fixed build for its branch (R10.5.2, R10.6.2, or R10.7.1), you are vulnerable to CVE-2026-10520.
- Exposure check. Confirm whether TCP 8443 on the management interface is reachable from the public internet or any untrusted network. A quick external check from outside your firewall is sufficient. If it is reachable and the appliance is in an unmanaged state (not fronted by mTLS with EPMM or restricted HTTPS through Neurons for MDM), you are in the exploitable configuration.
- Log preservation. Before patching, snapshot appliance logs and any surrounding perimeter or SIEM records. If the appliance turns out to have been compromised, those logs are your incident-response evidence.
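The version and exposure checks above, applied to an inventory, as an added example (not code from Ivanti or from this article). The fixed builds are the ones named in this article; the build-string format, host names and sample inventory are assumptions constructed for illustration.

```python
import re
import socket

# Fixed builds named in this article, keyed by (major, minor) branch.
FIXED = {(10, 5): 2, (10, 6): 2, (10, 7): 1}
MGMT_PORT = 8443

def parse_build(build):
    """Parse 'R10.6.1' or '10.6.1' into (10, 6, 1). String format is an assumption."""
    m = re.fullmatch(r"\s*R?(\d+)\.(\d+)\.(\d+)\s*", build, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognized build string: {build!r}")
    return tuple(int(part) for part in m.groups())

def version_status(build):
    major, minor, patch = parse_build(build)
    branch = (major, minor)
    if branch in FIXED:
        return "fixed" if patch >= FIXED[branch] else "vulnerable"
    if branch < min(FIXED):
        return "vulnerable"   # older than every branch that received a fix
    return "unverified"       # branch not named in the article: check the advisory

def tcp_reachable(host, port=MGMT_PORT, timeout=3.0):
    """Plain TCP connect, run from outside the firewall. Sends no request data."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def triage(build, reachable):
    status = version_status(build)
    if status == "vulnerable":
        return "P1 exploitable" if reachable else "P2 patch"
    if reachable:
        return "P3 restrict 8443"   # fixed or unverified, but admin plane exposed
    return "OK" if status == "fixed" else "CHECK advisory"

if __name__ == "__main__":
    # Constructed inventory: (hypothetical host, build, reachable from outside).
    # Replace the boolean with tcp_reachable(host) when run from an external vantage.
    inventory = [("sentry-hnl-01.example", "R10.6.1", True),
                 ("sentry-dr.example", "10.5.2", False),
                 ("mi-legacy.example", "R10.4.3", False)]
    for host, build, reachable in inventory:
        print(f"{host:24} {build:8} {triage(build, reachable)}")
```

A P3 result on a fixed build still calls for the compromise assessment if the port was exposed before the upgrade.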
What to do if you are vulnerable
The fix is a straight upgrade to R10.5.2 (5.x branch), R10.6.2 (6.x branch), or R10.7.1 (7.x branch), as listed in Ivanti's security advisory. If you cannot patch within hours:
- Block external access to TCP 8443 at your firewall or your reverse proxy.
- Confirm the appliance is managed behind mTLS with EPMM or restricted HTTPS through Neurons for MDM — these are the two configurations Ivanti explicitly named as protective.
- If neither is available, consider taking the appliance offline until you can patch. External device check-in will pause. That is a smaller cost than a rooted appliance.
Compromise assessment after patching
Do not treat "patched" as "safe." For an unauthenticated root RCE that was publicly exploited before you patched, any time the appliance was reachable is time it could have been hit. After the patch is in:
- Enumerate local accounts on the appliance. Any admin account you did not create is suspect (see CVE-2026-10523, the auth-bypass companion, which creates admin accounts).
- Check the appliance for unexpected running processes, unexpected outbound network connections, and unexpected files in writable directories.
- Review authentication logs on any downstream system the Sentry appliance could reach — identity providers, mail servers, MDM control planes, back-end apps — for anomalous authentications originating from the Sentry appliance's identity.
- Rotate credentials, tokens, and certificates the appliance handled if the exposure window and forensic evidence do not clearly rule out theft.
- If any of the above shows signs of compromise, treat it as a live incident and engage a qualified incident response team. Our security operations team supports this work for Hawaii businesses.
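One way to size the exposure window from preserved perimeter logs, as an added example that is not part of the original article or any vendor tooling: it lists POSTs to the endpoint named earlier that came from outside trusted networks. The combined-log format of a reverse proxy in front of TCP 8443, the trusted ranges and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

ENDPOINT = "/mics/api/v2/sentry/mics-config/handleMessage"  # path named in the article
# Assumption: networks allowed to reach the management plane; replace with your own.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Assumption: combined-log-format lines from a proxy or load balancer.
LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def hunt(lines):
    """Return (timestamp, source, status) for POSTs to ENDPOINT from untrusted sources."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Permissive match for hunting: ignore query string, trailing slash and case.
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path.lower() != ENDPOINT.lower():
            continue
        try:
            trusted = any(ipaddress.ip_address(m["src"]) in net for net in TRUSTED)
        except ValueError:
            trusted = False   # hostname or garbage in the source field: report it
        if not trusted:
            hits.append((m["ts"], m["src"], int(m["status"])))
    return hits

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '10.1.4.20 - - [10/Jun/2026:08:01:12 -1000] "POST ' + ENDPOINT + ' HTTP/1.1" 200 312',
    '203.0.113.45 - - [11/Jun/2026:02:14:55 -1000] "POST ' + ENDPOINT + ' HTTP/1.1" 200 97',
    '198.51.100.7 - - [11/Jun/2026:02:15:03 -1000] "GET / HTTP/1.1" 302 0',
    '198.51.100.7 - - [12/Jun/2026:19:40:31 -1000] "POST ' + ENDPOINT + '/ HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ts, src, status in hunt(SAMPLE):
        print(f"{ts}  {src:15}  HTTP {status}")
```

Any hit dated before the appliance reached a fixed build marks a source and time to carry into the account, process and downstream authentication reviews above.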
For a broader framework on how a Hawaii business should handle an appliance compromise, see our ransomware recovery guide for the first 72 hours. It applies here even if ransomware is not the immediate outcome, because the initial-access pattern is the same.
What this means for your MDM strategy
Sentry is not dead. It remains a legitimate MDM gateway for enterprises with a real reason to keep an on-prem broker between devices and back-end systems. But this is the second Sentry MICS-admin-plane unauthenticated-access issue in the product's history — the 2023 fix addressed the same class of bug in a different endpoint. That pattern is worth factoring into a long-term architecture decision.
For most Hawaii businesses at 20 to 100 employees, a cloud-only MDM path (Microsoft Intune or Kandji) removes the internet-exposed appliance problem entirely, and we mentioned both in our construction IT guide and our HIPAA IT controls guide. If you inherited Sentry from a MobileIron era and no longer need the on-prem broker, this incident is a reasonable time to plan the migration — not as panic, but as strategy.
For everyone else: patch, verify, assess. Then re-read your operational posture on internet-exposed management planes generally. This applies to firewalls, VPN concentrators, load balancers, backup appliances, and everything else running an admin API on a public IP. We covered the broader concept in our cyber insurance renewal guide under the "no exposed management interfaces" control.
How HI Tech Hui is handling this for clients
Every managed HI Tech Hui client with a Sentry or MobileIron Sentry footprint was inventoried the day of the CISA KEV listing, patched inside the vendor's window, and put through a compromise assessment before June 14. If you are not a client and you have any doubt about your Sentry posture this weekend, our managed IT team and security operations can help. Reach out through our contact page. The advisory is public, the exploit is public, and the fix is available — the only remaining variable is whether your appliance is on the fixed build today.
FAQ
What is Ivanti Sentry CVE-2026-10520?
CVE-2026-10520 is a CVSS 10.0 OS command injection vulnerability in Ivanti Sentry (formerly MobileIron Sentry) that allows an unauthenticated attacker to execute commands as root on the appliance. Ivanti published the advisory and fix on June 9, 2026. CISA added it to the Known Exploited Vulnerabilities catalog on June 11, 2026, with a federal remediation deadline of June 14, 2026 under Binding Operational Directive 26-04's three-day mandate.
Which versions of Ivanti Sentry are affected?
Every Ivanti Sentry version at or before 10.5.1, 10.6.1, and 10.7.0 is vulnerable to CVE-2026-10520. The vendor released fixed builds on June 9, 2026: Sentry R10.5.2, R10.6.2, and R10.7.1. If your appliance is at any earlier version and its management endpoint is reachable from the internet or an untrusted network, treat it as exploitable until proven otherwise. Air-gapped or strictly-managed Sentry deployments are not exploitable through this vector.
Is Ivanti Sentry CVE-2026-10520 being exploited in the wild?
Yes. WatchTowr Labs published a public proof of concept on June 10, 2026, and Shadowserver Foundation confirmed mass exploitation attempts and at least two backdoored appliances within 40 hours. CISA added the CVE to the KEV catalog on June 11 based on active-exploitation evidence. Any internet-exposed vulnerable Sentry appliance should be considered compromised until compromise assessment proves otherwise, not just patched and forgotten.
How do I check if my Hawaii business is exposed to CVE-2026-10520?
Identify every Ivanti Sentry appliance in your environment (also look for older MobileIron Sentry deployments — same product). Check each one's version. Confirm whether the management interface on TCP port 8443 is reachable from the internet or from any untrusted network segment. If the version is below R10.5.2, R10.6.2, or R10.7.1 and the endpoint is reachable, you are in the exploitable configuration. Patch or remove exposure immediately.
What should Hawaii businesses do if they cannot patch Ivanti Sentry today?
Remove the Sentry management interface from public internet exposure immediately. Ivanti's supported protective configurations are mTLS with EPMM or restricted HTTPS access through Neurons for MDM. If neither is in place, block external access to TCP 8443 at the firewall until the appliance is upgraded to R10.5.2, R10.6.2, or R10.7.1. Understand that pulling the interface offline may break external device check-in until patched.
What compromise assessment steps should follow the Ivanti Sentry patch?
After patching, do not assume you are clean. Preserve appliance logs. Review for unexpected local accounts, especially any new administrative accounts (the companion CVE-2026-10523 allows creating them). Inspect outbound connections from the Sentry appliance for anomalies. Check downstream systems the appliance can reach for suspicious authentication events. Consider rotating any credentials or certificates the appliance handled. Follow CISA's forensics triage requirements referenced in the KEV entry.
Should a Hawaii business keep using Ivanti Sentry after CVE-2026-10520?
Yes, if Sentry fits your architecture and you can operate it correctly. This is the second time in the product's history that unauthenticated access to the MICS admin plane has been fixed, and that pattern is worth noting, but Sentry remains a legitimate MDM gateway for enterprises that need it. The real fix is operational: never expose the management interface to the internet, patch inside the vendor's own SLA, and monitor the appliance.