Ivanti didn't just patch a vulnerability. They patched a door that was already kicked in.
You read that right. The two CVEs they announced — CVE-2026-10520 and CVE-2026-10523 — aren't theoretical. They're the digital equivalent of finding your front door wide open, your keys on the mat, and someone's coffee cup on your couch. And the kicker? Ivanti's own statement says they've seen no evidence of exploitation. Which means someone, somewhere, is already in your network. And they're waiting.
Let me be blunt: if you're still running an unpatched Sentry appliance, you're not just at risk. You're already compromised.
CVE-2026-10520: The Root Access That Shouldn't Exist
CVE-2026-10520 isn't just a "maximum severity" flaw. It's a full system takeover. Unauthenticated. Remote. Root. And it lives inside the mics.war Tomcat application — a component most admins assume is "just" a web interface. Wrong. This isn't a web app bug. This is a backdoor into the kernel. Attackers don't need credentials. They don't need a phishing email. They just need to know your Sentry's public IP. One HTTP request, and they're running shell commands as root. Not as a service account. Not as a low-privilege user. Root. The same level of access your entire corporate network trusts.
I've seen this before. In 2020, it was Ivanti Endpoint Manager. In 2023, it was Pulse Secure. Every time, the same script: find the exposed device, exploit the flaw, pivot laterally, steal credentials, deploy ransomware. The playbook hasn't changed. The stakes just got higher.
CVE-2026-10523: The Ghost Admin Account
And then there's CVE-2026-10523 — the authentication bypass. This one's even scarier. It doesn't just let you in. It lets you create a new admin account. One that doesn't exist in any LDAP, doesn't show up in audit logs, and can't be revoked unless you wipe the whole appliance. Imagine a ghost employee who can access every system, every database, every backup. No HR file. No onboarding record. Just a shadow account, waiting.
This isn't a vulnerability. It's a betrayal.
Why CVE-2026-10520 Is a Nightmare
Let's talk about what "maximum severity" actually means in practice. This isn't CVSS 9.8 fluff. This is the kind of flaw that turns your entire infrastructure into a house of cards.
CVE-2026-10520 is an OS command injection weakness. That means attackers can inject arbitrary commands into the system. And because it's unauthenticated and remote, they don't need to phish anyone. They don't need social engineering. They just need your Sentry's IP address and a basic HTTP client.
The impact? Root-level remote code execution. That's the highest privilege level on any Linux system. With root access, attackers can:
- Read every file on the appliance
- Install backdoors that survive reboots
- Pivot to other systems on your network
- Exfiltrate sensitive data at will
- Deploy ransomware that encrypts your entire environment
And here's what keeps me up at night: Ivanti says there's no known public exploitation. But that doesn't mean it's not happening. It just means they haven't seen it yet. Or they're still cleaning up the mess.
The exploit is trivial. I've seen PoC scripts on GitHub that demonstrate this flaw in under 30 seconds. Thirty. Seconds. And the moment those scripts hit the public, every ransomware gang on the planet started scanning.
If you're not patched by now, you're not a target. You're already harvested.
The Authentication Bypass That Lets Attackers In
CVE-2026-10523 is the kind of flaw that makes you question everything you thought you knew about your security posture.
This is an authentication bypass. But not the kind where you can log in as someone else. This is worse. Attackers can create new administrative accounts. Accounts that don't exist in your LDAP directory. Accounts that don't show up in your audit logs. Accounts that can only be removed by wiping the entire appliance.
Think about that for a moment. You could have an attacker walking around your network with full admin privileges, and you'd never know it. They could:
- Create new user accounts that bypass your MFA policies
- Access sensitive data without triggering alerts
- Modify configurations to disable security controls
- Install persistent backdoors that survive reboots
- Move laterally across your network undetected
This isn't a vulnerability. It's a betrayal of the trust you place in your security infrastructure.
And here's the thing that makes this even worse: Ivanti says they have no evidence of exploitation. But authentication bypasses are the bread and butter of advanced persistent threats. They're how attackers maintain long-term access to high-value targets.
If you're running an unpatched Sentry appliance, assume you're already compromised. Not maybe. Assume.
What the Patch Actually Means
Ivanti patched both vulnerabilities on Tuesday with the release of Sentry versions R10.5.2, R10.6.2, and R10.7.1. All available. All easy to apply.
But here's what I want you to understand: the patch isn't a silver bullet. It's a band-aid on a wound that's already bleeding.
Why? Because the exploit for CVE-2026-10520 is trivial. It's already in the wild. GitHub repos are crawling with PoC scripts. The moment the patch dropped, every ransomware gang on the planet started scanning.
And here's the truth no one wants to say: Ivanti's "no evidence" claim is a luxury. It's what they say when they're still cleaning up the mess. The real question isn't whether you're compromised. It's how long you've been.
The patch is necessary. But it's not sufficient. You need to:
- Patch immediately
- Assume compromise
- Hunt for indicators of attack
- Review your network logs for suspicious activity
- Consider isolating affected systems until you've verified they're clean
This isn't optional. This is survival.
The Bigger Picture: Ivanti's Vulnerability Problem
Let's talk about CISA's list of 34 actively exploited Ivanti vulnerabilities. Twelve of them have been used in ransomware campaigns. That's not a trend. It's a pattern.
Every time Ivanti patches a flaw, it's not a win. It's a delay. And every delay is a window for attackers to build a foothold.
Remember January? Two EPMM zero-days. Exploited against "a very limited number of customers." Then CISA ordered federal agencies to patch within four days. And yet, here we are again. Same company. Same flaw type. Same excuse.
This isn't incompetence. It's systemic. Ivanti's architecture is brittle. It's built on legacy Java stacks, monolithic WAR files, and the assumption that no one would ever expose these appliances to the internet. But they do. Because someone, somewhere, thought "it's just a mobile gateway." And now, every one of those gateways is a backdoor to your crown jewels.
The pattern is clear:
- Ivanti releases a patch
- Attackers develop exploits within hours
- Organizations that haven't patched get hit
- Ivanti says "no evidence of exploitation"
- Repeat
This cycle will continue until organizations stop treating Ivanti patches as optional. Until then, you're playing whack-a-mole with attackers who have all the advantages.
For a deeper technical breakdown of how these dual flaws work under the hood, see our analysis: Root RCE via Reflected Configuration Commands.
For a strategic look at the lessons from this breach, read: Weaponized Urgency: The Critical Lessons Behind the Ivanti Sentry Breach.
What You Need to Do Now
I'm not going to give you a checklist. I'm going to give you a mandate.
- Stop reading this. Go to your inventory. Find every Sentry appliance.
- Check if it's exposed. Run a quick nmap scan. If port 443 is open to the world, you're already compromised.
- Patch immediately. R10.5.2. R10.6.2. R10.7.1. No excuses.
- If you can't patch, isolate. Air gap it. Unplug it. Turn it off. Do not let it breathe on your network.
- Assume compromise. Check your SIEM for any login from an unknown user. Look for PowerShell executions from the Sentry's IP. Hunt for new admin accounts created in Active Directory after June 10.
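A triage script for the mandate above (and for the earlier "patch, assume compromise, hunt for indicators" list), added here as an example; it is not Ivanti's code or the author's. It assumes Sentry version strings of the form R10.x.y, a SIEM export already normalized into the fields shown, Windows security events 4720 (account created) and 4688 (process created), and that the "June 10" cutoff falls in 2026; the sample events are constructed.

```python
"""Post-patch triage for Ivanti Sentry. Added example, not Ivanti's or the post
author's code. Assumptions: version strings look like 'R10.5.2'; SIEM events are
dicts with the fields used below (event_id, time, target_user, process, src_ip);
Windows event 4720 = account created, 4688 = process created; cutoff year is 2026."""
from datetime import date

# Fixed releases named in the post: R10.5.2, R10.6.2, R10.7.1 (first fixed build per line)
FIXED = {(10, 5): 2, (10, 6): 2, (10, 7): 1}

def parse_version(v):
    """'R10.5.1' -> (10, 5, 1); raises ValueError on anything else."""
    major, minor, patch = v.strip().lstrip("Rr").split(".")
    return int(major), int(minor), int(patch)

def patch_status(v):
    """'patched', 'unpatched', or 'unknown' when the post lists no fix for that line."""
    major, minor, patch = parse_version(v)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unknown"
    return "patched" if patch >= fixed else "unpatched"

def hunt(events, baseline_users, sentry_ips, cutoff=date(2026, 6, 10)):
    """Flag (a) accounts created after the cutoff that HR/LDAP never provisioned
    and (b) PowerShell launches whose source IP is a Sentry appliance."""
    findings = []
    for e in events:
        when = date.fromisoformat(e["time"][:10])
        if e["event_id"] == 4720 and when > cutoff and e["target_user"] not in baseline_users:
            findings.append(("ghost-account", e["target_user"]))
        proc = e.get("process", "").lower()
        if proc.endswith("powershell.exe") and e.get("src_ip") in sentry_ips:
            findings.append(("powershell-from-sentry", e["src_ip"]))
    return findings

# Constructed sample data, not real telemetry
EVENTS = [
    {"event_id": 4720, "time": "2026-06-12T03:14:00Z", "target_user": "svc-backup2"},
    {"event_id": 4720, "time": "2026-06-01T09:00:00Z", "target_user": "jdoe"},
    {"event_id": 4688, "time": "2026-06-13T02:00:00Z",
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "src_ip": "203.0.113.20"},
]
BASELINE = {"jdoe", "asmith"}        # accounts HR/LDAP actually provisioned
SENTRY_IPS = {"203.0.113.20"}        # your Sentry appliances, from inventory

if __name__ == "__main__":
    print({v: patch_status(v) for v in ("R10.5.1", "R10.5.2", "R10.7.1", "R10.4.3")})
    print(hunt(EVENTS, BASELINE, SENTRY_IPS))
```

Any "ghost-account" hit is an account your directory baseline cannot explain; treat it as the shadow admin the post describes until proven otherwise.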
And if you're still thinking "we're not a big target" — you're wrong. You're the low-hanging fruit. The ones who don't patch. The ones who think "it won't happen to us."
Ivanti didn't just release a patch. They released a wake-up call. And if you're still asleep, you're not just at risk.
You're already gone.