- June 10, 2026
Critical Vulnerabilities in Ivanti Sentry & EPMM (CVE-2026-6973, CVE-2026-10727, CVE-2026-10520, CVE-2026-10523)
Ivanti published two advisories covering 4 CVEs across their Endpoint Manager Mobile (EPMM) and Ivanti Sentry products that range from authentication bypass to remote code execution.
Executive Summary
On June 9th, Ivanti published two advisories concerning four vulnerabilities (tracked as CVE-2026-6973, CVE-2026-10727, CVE-2026-10520, CVE-2026-10523) in their Endpoint Manager Mobile (EPMM) and Ivanti Sentry products. The vulnerabilities range from authentication bypass and control plane modification to complete remote code execution (RCE) across the product lines. Detailed descriptions of the specific CVEs are listed in the Affected Systems and Products below.
As of the time of writing, technical details of the vulnerabilities are limited. However, Ivanti has released patches and updates to EPMM and Sentry documented in the Patches section below. Ivanti has stated that it has not observed attacks in the wild leveraging these vulnerabilities. However, KEV has already identified CVE-2026-6973 as being actively exploited in the wild. Beazley Security expects threat actors who are not already in possession of private weaponized exploits to study these patches and deploy their own exploits in the coming days. Beazley Security strongly recommends affected organizations apply the vendor supplied security fixes as soon as possible.
Affected Systems or Products
Product | Affected Version | Fixed Version |
|---|---|---|
Ivanti Endpoint Manager Mobile (EPMM) | 12.9.0 and prior 12.8.0.2 and prior 12.7.0.1 and prior | 12.9.0.1 12.8.0.3 12.7.0.2 |
Ivanti Sentry | 10.7.0 and prior 10.6.1 and prior 10.5.1 and prior | 10.7.1 10.6.2 10.5.1 |
CVE Number | Product Line | Description | CVSS Vector & Base Score |
|---|---|---|---|
CVE-2026-6973 | EPMM | A configuration control vulnerability that allows an authenticated attacker to inject arbitrary Apache directives that enable RCE | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score: 7.2 |
CVE-2026-10727 | EPMM | An OS command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as root | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score: 7.2 |
CVE-2026-10520 | Sentry | An OS command injection that allows a remote unauthenticated user to achieve RCE as root | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Base Score: 10 |
CVE-2026-10523 | Sentry | An authentication bypass vulnerability that allows a remote unauthenticated user to create administrative accounts and obtain full administrative access to the Sentry Instance | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Base Score: 9.9 |
Mitigations / Workarounds
No mitigations or workarounds aside from the available security patches have been provided from Ivanti.
Patches
Ivanti provided software patches at the time of disclosure for the affected versions listed above. The patches are in RPM package format for upgrades and require authenticated access to the Ivanti Download Portal. Short instructions for where to get the patches and how to install the patch packages can be found in the advisories for EPMM and Sentry.
Indicators of Compromise
At the time of the disclosure, no in-depth technical details were provided by Ivanti; however, given the nature of the exploits resulting in administrative access to the host machine, any logs that could be used to identify a compromised host may be altered or removed. It is for this reason that timely updates to the affected systems are applied before these vulnerabilities are weaponized and used in the wild.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.