Decoding the world of cybersecurity

Ivanti Sentry flaws expose security gateways

NHS England and CERT-EU have warned organisations to patch critical Ivanti Sentry vulnerabilities after exploitation of one flaw was reported in the wild.

Ivanti Sentry flaws expose security gateways
Summary
  • Ivanti has fixed two critical Sentry vulnerabilities affecting versions before R10.5.2, R10.6.2, and R10.7.1.
  • NHS England says exploitation of CVE-2026-10520 has been reported in the wild after proof-of-concept release.
  • The flaws could allow root-level remote code execution or arbitrary administrator account creation.

Ivanti has released fixes for two critical vulnerabilities in Ivanti Sentry, while NHS England and CERT-EU have warned organisations to move quickly after exploitation of one flaw was reported in the wild.

The vulnerabilities affect Ivanti Sentry, formerly MobileIron Sentry, before versions R10.5.2, R10.6.2, and R10.7.1. NHS England’s National Cyber Security Operations Centre said CVE-2026-10520 is being exploited in the wild following the release of proof-of-concept material, and assessed further exploitation as almost certain.

CVE-2026-10520 is an operating system command injection vulnerability with a CVSS score of 10.0. CERT-EU says it allows a remote unauthenticated user to achieve root-level remote code execution on a vulnerable device. CVE-2026-10523, scored at 9.9, is an authentication bypass vulnerability that could allow a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.

NHS England’s advisory directs affected organisations to review Ivanti’s security advisory and apply the relevant updates. CERT-EU has issued a parallel warning for European institutions, recommending that affected appliances be updated to fixed versions. The Dutch NCSC has also warned of active misuse risk, reinforcing the European exposure around these edge and security gateway products.

The facts currently available do not identify victim organisations, exploitation scale, or whether attacks have affected UK healthcare bodies or EU institutions. The confirmed position is narrower but still serious: one of the flaws has exploitation reporting, public technical material is available, and the vulnerable product sits in a security-sensitive position within enterprise environments.

Ivanti Sentry is used to support secure mobile and enterprise access flows. Products in that class often bridge external devices, internal services, authentication processes, and policy enforcement. A compromise of that layer can give attackers a privileged operational position, particularly where appliances are internet-facing or treated as trusted infrastructure by surrounding systems.

Attackers continue to target the infrastructure organisations deploy to secure access: VPNs, mobile gateways, identity providers, remote management tools, firewalls, and SD-WAN controllers. Those systems concentrate trust. They are designed to mediate traffic, hold credentials or tokens, enforce policy, and connect users to sensitive services. When they fail, the failure is not limited to one endpoint.

Security appliances can sit outside normal vulnerability routines. They may be managed by specialist teams, third-party providers, or network groups rather than endpoint or server operations. They may have limited telemetry, awkward update processes, or maintenance windows shaped by business availability. That can create a dangerous gap between public disclosure and completed remediation.

NHS England’s warning is especially relevant because the health and care sector depends on remote access, mobile workflows, and distributed service delivery. Even where an affected appliance is not used directly inside a clinical environment, compromise of access infrastructure can support ransomware staging, credential theft, and movement into administrative systems that clinical services rely on.

European organisations should identify exposed Sentry deployments and confirm whether they run vulnerable versions. Where exposure exists, response teams should preserve relevant logs, review administrative account creation, check for command execution indicators, and validate whether the appliance has been used as a pivot point.

Patching closes the known software exposure, but it should not end the response where exploitation is plausible. Security infrastructure can become attacker infrastructure when it is left exposed and trusted without verification.

×