Summary
- NHS England Digital warned that Ivanti Sentry vulnerabilities could allow unauthenticated command injection or authentication bypass.
- CVE-2026-10520 carries a CVSS 10.0 score and was added to CISA’s Known Exploited Vulnerabilities catalogue.
- The alert is relevant to healthcare, suppliers, and organisations relying on exposed mobile or perimeter security appliances.
NHS England Digital has warned organisations to address critical Ivanti Sentry vulnerabilities after exploitation of CVE-2026-10520 was reported in the wild.
The NHS cyber alert says two vulnerabilities in Ivanti Sentry could allow unauthenticated operating system command injection or authentication bypass. The affected platforms are Ivanti Sentry versions before R10.5.2, R10.6.2, and R10.7.1.
The alert describes CVE-2026-10520 as an operating system command injection flaw with a CVSS v3 score of 10.0. Successful exploitation could allow unauthenticated attackers to execute commands with root privileges on affected systems. The second flaw, CVE-2026-10523, is an authentication bypass issue with a CVSS v3 score of 9.9 that could allow attackers to create arbitrary administrative accounts and obtain full administrative access.
NHS England’s National CSOC assessed further exploitation as almost certain after proof-of-concept exploit activity and reports of exploitation of CVE-2026-10520. The alert directs affected organisations to review Ivanti’s security advisory and apply relevant updates as soon as possible.
Ivanti Sentry, previously known as MobileIron Sentry, sits in a sensitive part of many enterprise environments. Products in this class often broker or protect access between mobile devices, applications, authentication systems, and enterprise services. When exposed or poorly isolated, compromise can give attackers a valuable position near identity, device management, and internal access paths.
Healthcare organisations rely heavily on mobile access, remote work, supplier connectivity, and systems that bridge clinical, administrative, and operational environments. A vulnerable access appliance can create a route into services where downtime, containment, and recovery have direct operational consequences.
The alert also shows how quickly risk can change after a proof of concept becomes public. Vulnerability management programmes often prioritise by severity, but exploitation status and internet exposure now have to move remediation decisions faster. A maximum-severity flaw in a boundary product with public exploit material is no longer a routine patch item.
Suppliers to healthcare carry the same operational responsibility where they run affected systems. NHS bodies depend on managed service providers, software vendors, hosting partners, and specialist technology suppliers. A vulnerable appliance in a supplier environment may expose services used by multiple trusts or health-sector partners, even if the NHS organisation does not operate the appliance directly.
The broader pattern is familiar. Attackers continue to target perimeter and management products because they offer privileged access, often lag behind standard patch cycles, and can be hard to take offline. Similar classes of products have repeatedly featured in ransomware and espionage activity, especially where organisations cannot easily rebuild, rotate credentials, or prove clean recovery.
The NHS alert does not identify affected UK organisations, nor does it say that NHS services have been compromised. The confirmed exposure profile is sufficient: a critical remotely exploitable flaw in a sensitive access technology, reported exploitation in the wild, public exploit activity, and an assessment that further exploitation is almost certain.
Affected organisations need to update, review logs, assess exposure, rotate relevant credentials where appropriate, and understand whether any third-party environments supporting their services remain vulnerable.





