Ivanti Command Injection Vulnerability Exploited After PoC

Active exploitation of a critical Ivanti Sentry command injection vulnerability is now underway, mere days after a public proof-of-concept (PoC) exploit became available. New internet scanning data from the Shadowserver Foundation confirms this activity.

The flaw, tracked as CVE-2026-10520, carries a maximum CVSS score of 10.0 and allows remote, unauthenticated attackers to achieve root-level remote code execution (RCE) on vulnerable Ivanti Sentry appliances.

A second issue, CVE-2026-10523, was also addressed in Ivanti’s June 9 security advisory. The vulnerability is classified under CWE-78 (OS Command Injection) and affects Ivanti Sentry versions 10.5.1, 10.6.1, 10.7.0, and earlier.

Ivanti has released patched versions 10.5.2, 10.6.2, and 10.7.1 to address the issue. Although Ivanti stated it was not aware of active exploitation at the time of disclosure, real-world attacks quickly followed the release of public exploit code.

Ivanti Command Injection Vulnerability Exploit

Shadowserver reported a surge in exploitation attempts observed across the internet. According to telemetry shared by the organization, at least 19 vulnerable Sentry instances were identified during scanning activity.

More concerning, at least two of these systems were confirmed to be backdoored, indicating successful compromise.

Researchers warned that the actual number of affected systems is likely higher, as some instances may be inaccessible to external scans due to filtering or network restrictions.

“If you have not patched, you are most likely compromised,” Shadowserver noted, highlighting the speed at which attackers weaponized the vulnerability.

Further intelligence suggests that attackers are deploying backdoors and injecting malicious code into compromised systems.

Shadowserver has begun sharing indicators through its Vulnerable HTTP and Compromised Website reporting feeds, tagging affected systems with identifiers such as “cve-2026-10520” and “ivanti-sentry,injected-code,backdoor.”

The rapid transition from disclosure to exploitation underscores a recurring trend in critical edge-device vulnerabilities, where internet-facing systems become immediate targets once exploit details are publicly available.

Ivanti Sentry is widely used in enterprise environments for secure mobile device and email management, making it a high-value target for attackers seeking initial access into corporate networks.

Organizations using Ivanti Sentry are strongly advised to upgrade to a patched version immediately. Ivanti has provided updated installation images and upgrade packages through its customer download portal.

Security teams should also conduct compromise assessments, including checking for unauthorized access, suspicious processes, and persistence mechanisms, particularly on internet-exposed appliances.

Given the presence of confirmed backdoors in the wild, incident response actions such as credential rotation, log analysis, and system integrity checks are recommended even after patching.

The incident highlights the critical need for rapid patching and continuous monitoring of edge infrastructure, especially as threat actors increasingly automate the exploitation of newly disclosed vulnerabilities.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.