
Ivanti Command Injection Vulnerability Exploited in Attacks Following PoC Release

Cybersecurity News. Archived Jun 11, 2026.

By Abinaya, June 11, 2026

Threat actors have begun actively exploiting a critical Ivanti Sentry command injection vulnerability just days after a proof-of-concept (PoC) exploit was made public, according to new internet scanning data from the Shadowserver Foundation.

The flaw, tracked as CVE-2026-10520, carries a maximum CVSS score of 10.0 and allows remote, unauthenticated attackers to achieve root-level remote code execution (RCE) on vulnerable Ivanti Sentry appliances. A second issue, CVE-2026-10523, was also addressed in Ivanti’s June 9 security advisory.

The vulnerability is classified under CWE-78 (OS Command Injection) and affects Ivanti Sentry versions 10.5.1, 10.6.1, 10.7.0, and earlier. Ivanti has released patched versions 10.5.2, 10.6.2, and 10.7.1 to address the issue. Although Ivanti stated it was not aware of active exploitation at the time of disclosure, real-world attacks quickly followed the release of public exploit code.

Ivanti Command Injection Vulnerability Exploit

Shadowserver reported a surge in exploitation attempts observed across the internet. According to telemetry shared by the organization, at least 19 vulnerable Sentry instances were identified during scanning activity. More concerning, at least two of these systems were confirmed to be backdoored, indicating successful compromise.

Researchers warned that the actual number of affected systems is likely higher, as some instances may be inaccessible to external scans due to filtering or network restrictions. “If you have not patched, you are most likely compromised,” Shadowserver noted, highlighting the speed at which attackers weaponized the vulnerability.

Further intelligence suggests that attackers are deploying backdoors and injecting malicious code into compromised systems. Shadowserver has begun sharing indicators through its Vulnerable HTTP and Compromised Website reporting feeds, tagging affected systems with identifiers such as “cve-2026-10520” and “ivanti-sentry,injected-code,backdoor.”

> We are observing a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today. We see 19 vulnerable instances in our own scans, with at least 2 backdoored (thanks to @NCA_KSA for the tip!). However, all remaining likely compromised too.
> — The Shadowserver Foundation (@Shadowserver) June 10, 2026

The rapid transition from disclosure to exploitation underscores a recurring trend in critical edge-device vulnerabilities, where internet-facing systems become immediate targets once exploit details are publicly available. Ivanti Sentry is widely used in enterprise environments for secure mobile device and email management, making it a high-value target for attackers seeking initial access into corporate networks.

Organizations using Ivanti Sentry are strongly advised to upgrade to a patched version immediately. Ivanti has provided updated installation images and upgrade packages through its customer download portal.

Security teams should also conduct compromise assessments, including checking for unauthorized access, suspicious processes, and persistence mechanisms, particularly on internet-exposed appliances. Given the presence of confirmed backdoors in the wild, incident response actions such as credential rotation, log analysis, and system integrity checks are recommended even after patching.

The incident highlights the critical need for rapid patching and continuous monitoring of edge infrastructure, especially as threat actors increasingly automate the exploitation of newly disclosed vulnerabilities.
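As an added example (not from the article, Ivanti or Shadowserver), the triage below applies the fixed-version list and the report tags quoted above to an appliance inventory. The `ip` and `tag` column names, the sample rows, the inventory and the status labels are assumptions constructed for illustration.

```python
import csv
import io

# Fixed releases per branch, as listed in the article.
FIXED = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}
COMPROMISE_TAGS = {"injected-code", "backdoor"}  # tags quoted in the article
VULN_TAG = "cve-2026-10520"

# Constructed sample report; column names are an assumed layout.
SAMPLE_REPORT = '''ip,port,tag
192.0.2.10,443,cve-2026-10520
192.0.2.11,443,"ivanti-sentry,injected-code,backdoor"
'''
# Constructed inventory: appliance address -> installed Sentry version.
SAMPLE_INVENTORY = {"192.0.2.10": "10.6.1", "192.0.2.11": "10.7.1",
                    "192.0.2.12": "10.5.2", "192.0.2.13": "10.4.0"}

def version_status(version):
    """Classify a version string as patched, vulnerable or unknown."""
    try:
        parts = tuple(int(p) for p in version.strip().split("."))
    except ValueError:
        return "unknown"
    if len(parts) < 2:
        return "unknown"
    parts = (parts + (0,))[:3]          # "10.7" is treated as 10.7.0
    branch = parts[:2]
    if branch in FIXED:
        return "patched" if parts >= FIXED[branch] else "vulnerable"
    # "and earlier": older branches have no fixed release listed.
    return "vulnerable" if branch < min(FIXED) else "unknown"

def feed_tags(report_csv):
    """Map ip -> set of lower-cased tags (comma or semicolon separated)."""
    tags = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        found = {t.strip().lower() for t in row["tag"].replace(";", ",").split(",")}
        tags.setdefault(row["ip"].strip(), set()).update(found - {""})
    return tags

def triage(inventory, report_csv):
    """Feed evidence of a backdoor outranks the installed version."""
    tags, result = feed_tags(report_csv), {}
    for ip, version in inventory.items():
        seen, status = tags.get(ip, set()), version_status(version)
        if seen & COMPROMISE_TAGS:
            result[ip] = "compromised"            # full incident response
        elif status == "vulnerable" or VULN_TAG in seen:
            result[ip] = "presume-compromised"    # patch, then assess
        else:
            result[ip] = "patched-verify" if status == "patched" else "review"
    return result
```

The second sample host runs a fixed release but is still reported with backdoor tags, which is the case the article's "even after patching" advice covers.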