Ivanti Sentry OS Command Injection Allows Unauthenticated Root RCE
Ivanti Sentry contains a critical OS command injection flaw that lets unauthenticated remote attackers execute commands as root when the appliance is unmanaged and internet-facing. Enabling mTLS or a restricted HTTPS configuration mitigates the vulnerability. CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog with a patching deadline of June 14, 2026.
Why it matters in Western Canada: Ivanti Sentry is commonly deployed by Canadian public sector, higher-education, and healthcare organizations for mobile device management. Unpatched instances expose Western Canadian institutions to direct remote compromise and potential ransomware deployment.
CVEs: CVE-2026-10520
Summary generated from the original advisory. Read the full source: cisa-kev
- Source: https://nvd.nist.gov/vuln/detail/CVE-2026-10520
- CVEs: CVE-2026-10520
- Tags: ivanti-sentry, rce, mdm, cisa-kev, unauthenticated
- Provenance: mask2-ti-pipeline (AI-assisted, human-reviewable)