Ivanti Command Injection Vulnerability Exploited in Attacks Following PoC Release
By Abinaya
June 11, 2026
Threat actors have begun actively exploiting a critical Ivanti Sentry command injection vulnerability just days after a proof-of-concept (PoC) exploit was made public, according to new internet scanning data from the Shadowserver Foundation.
The flaw, tracked as CVE-2026-10520, carries a maximum CVSS score of 10.0 and allows remote, unauthenticated attackers to achieve root-level remote code execution (RCE) on vulnerable Ivanti Sentry appliances.
A second issue, CVE-2026-10523, was also addressed in Ivanti’s June 9 security advisory. The command injection vulnerability is classified under CWE-78 (OS Command Injection) and affects Ivanti Sentry versions 10.5.1, 10.6.1, 10.7.0, and earlier.
Ivanti has released patched versions 10.5.2, 10.6.2, and 10.7.1 to address the issue. Although Ivanti stated it was not aware of active exploitation at the time of disclosure, real-world attacks quickly followed the release of public exploit code.
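The fixed releases above are per branch, so a plain "highest version wins" comparison misclassifies hosts (10.6.1 is numerically above 10.5.2 yet still vulnerable). The following triage sketch is an added example, not code from Ivanti or the article; the hostnames and inventory are constructed, and treating branches older than 10.5 as vulnerable is an assumption drawn from the "and earlier" wording.

```python
import re

# Fixed release for each branch, as listed in the article (Ivanti's June 9 advisory).
FIXED = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}
OLDEST_FIXED_BRANCH = min(FIXED)

def parse_version(text):
    """Parse 'major.minor.patch' numerically; trailing build parts are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def triage(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported Sentry version."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # unparseable banner: needs a manual check
    branch = v[:2]
    if branch in FIXED:
        # Compare inside the branch only: 10.6.1 is above 10.5.2 but is not fixed.
        return "patched" if v >= FIXED[branch] else "vulnerable"
    if branch < OLDEST_FIXED_BRANCH:
        # Assumption: "and earlier" covers older branches; the article names
        # no fixed build for them, so they are reported as vulnerable.
        return "vulnerable"
    # Newer branch than any the article mentions: outside what the page covers.
    return "unknown"

# Constructed inventory (hostnames and versions are sample data).
INVENTORY = [
    ("sentry-dmz-01.example.net", "10.5.1"),
    ("sentry-dmz-02.example.net", "10.5.2"),
    ("sentry-eu-01.example.net", "10.6.1"),
    ("sentry-us-01.example.net", "10.7.1.3"),
    ("sentry-lab.example.net", "9.19.0"),
    ("sentry-new.example.net", "10.10.0"),
    ("sentry-old.example.net", "n/a"),
]

def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(version) for host, version in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:28} {status}")
```

A "patched" result only describes the installed version; it says nothing about whether the appliance was compromised before the upgrade.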
Ivanti Command Injection Vulnerability Exploit
Shadowserver reported a surge in exploitation attempts observed across the internet. According to telemetry shared by the organization, at least 19 vulnerable Sentry instances were identified during scanning activity.
More concerning, at least two of these systems were confirmed to be backdoored, indicating successful compromise.
Researchers warned that the actual number of affected systems is likely higher, as some instances may be inaccessible to external scans due to filtering or network restrictions.
“If you have not patched, you are most likely compromised,” Shadowserver noted, highlighting the speed at which attackers weaponized the vulnerability.
Further intelligence suggests that attackers are deploying backdoors and injecting malicious code into compromised systems.
Shadowserver has begun sharing indicators through its Vulnerable HTTP and Compromised Website reporting feeds, tagging affected systems with identifiers such as “cve-2026-10520” and “ivanti-sentry,injected-code,backdoor.”
“We are observing a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today. We see 19 vulnerable instances in our own scans, with at least 2 backdoored (thanks to @NCA_KSA for the tip!). However, all remaining likely compromised too.”
— The Shadowserver Foundation (@Shadowserver), June 10, 2026
The rapid transition from disclosure to exploitation underscores a recurring trend in critical edge-device vulnerabilities, where internet-facing systems become immediate targets once exploit details are publicly available.
Ivanti Sentry is widely used in enterprise environments for secure mobile device and email management, making it a high-value target for attackers seeking initial access into corporate networks.
Organizations using Ivanti Sentry are strongly advised to upgrade to a patched version immediately. Ivanti has provided updated installation images and upgrade packages through its customer download portal.
Security teams should also conduct compromise assessments, including checking for unauthorized access, suspicious processes, and persistence mechanisms, particularly on internet-exposed appliances.
Given the presence of confirmed backdoors in the wild, incident response actions such as credential rotation, log analysis, and system integrity checks are recommended even after patching.
The incident highlights the critical need for rapid patching and continuous monitoring of edge infrastructure, especially as threat actors increasingly automate the exploitation of newly disclosed vulnerabilities.