Shadowserver reported on June 11, 2026 that attackers were attempting to exploit CVE-2026-10520 in Ivanti Sentry, a gateway product formerly known as MobileIron Sentry. The report followed Ivanti's June 9 advisory for two critical Sentry vulnerabilities and BleepingComputer's same-day coverage of exploitation activity against exposed systems.
For most business owners, the important question is not whether they can explain command injection or authentication bypass. The important question is whether any internet-facing gateway that connects mobile devices to internal systems has been patched, reviewed, and cleared with evidence.
Ivanti's advisory says affected Sentry versions should be upgraded to R10.5.2, R10.6.2, or R10.7.1. NVD describes CVE-2026-10520 as a remote unauthenticated command-injection vulnerability that can allow root-level remote code execution. The second issue, CVE-2026-10523, is described as an authentication bypass that can allow creation of administrative accounts.
Why This Matters To Business Owners
Products like Ivanti Sentry often sit at the edge of the business. They are installed to secure traffic between remote mobile devices and back-end enterprise systems. That placement makes them important, but it also means they can become a business risk when they are exposed to the internet and no one can quickly prove their status.
A gateway is not just another server waiting for a monthly maintenance window. It can sit in front of email, mobile access, and other internal resources. If attackers can reach it before the owner knows it exists, the business may need more than a routine patch note.
This does not mean every organization using Ivanti Sentry has been compromised. It does mean an owner should not accept a vague answer such as, we handle security updates. For an exposed edge appliance, the answer should include the affected product check, the fixed version, the exposure status, and the evidence reviewed after the advisory.
The Business Decision
The decision is whether to treat this as a simple maintenance task or as a verification event. For any business that uses Ivanti Sentry or inherited MobileIron infrastructure, the safer management question is:
Can our provider prove that the gateway was not exposed and compromised before it was fixed?
That proof does not have to be complicated, but it should be specific. A responsible review should identify whether Sentry is deployed, which version is running, whether the administrative interface or related services are externally reachable, when the fixed version was installed, and whether logs and accounts were checked after the exploitation reports.
If the system was internet-facing and unpatched during the exploitation window, patching may not be the end of the work. The business may need a compromise assessment, a review of administrative accounts, inspection for persistence, and a decision about whether incident response support is required.
Questions To Ask Your IT Provider
If your organization relies on an MSP, internal IT team, mobile device management vendor, or security consultant, ask for a written answer to these questions:
- Do we use Ivanti Sentry, MobileIron Sentry, or any related Ivanti mobile gateway product?
- If yes, what exact version is running now, and what version was running on June 9 and June 11, 2026?
- Was the gateway reachable from the public internet during the advisory and exploitation window?
- Has it been upgraded to R10.5.2, R10.6.2, R10.7.1, or another vendor-confirmed fixed release?
- Were administrative accounts reviewed for unauthorized additions or changes?
- Were logs checked for command execution, unexpected configuration changes, web shells, backdoors, or unusual outbound connections?
- If the appliance was exposed and unpatched, who is deciding whether incident response is needed?
Those questions are not meant to turn the owner into a technician. They create accountability. Someone should be able to show the inventory, the fix, the date, and the review result.
What To Do Next
Start by confirming whether Ivanti Sentry or MobileIron Sentry exists anywhere in the environment. Many businesses inherit products through prior providers, old mobile deployments, acquisitions, or legacy remote access projects. If the answer is no, document that result and move on.
If the product is present, ask for the current version and the exposure status. Then ask whether the system was checked after Shadowserver's June 11 exploitation report, not only after the original vendor advisory. The timing matters because exploitation reports can change the decision from patch when scheduled to patch and investigate.
Finally, make sure the result is recorded in business language. The owner or executive team should know whether the product was present, whether it was exposed, whether it was fixed, whether suspicious activity was found, and who accepted the remaining risk. That is the part of the process that keeps an urgent security advisory from becoming an undocumented assumption.
Sources and further reading