Executive Summary
In June 2026, Fortinet, Ivanti, and ServiceNow (via Ivanti Sentry) released urgent security updates addressing multiple critical vulnerabilities. These flaws enable unauthenticated remote code execution, authentication bypass, and administrative takeover. Notably, active exploitation of Ivanti Sentry (formerly MobileIron Sentry) has been observed in the wild, with public proof-of-concept (PoC) code available and at least two confirmed backdoored instances. The most severe vulnerability, CVE-2026-10520, has been confirmed by CISA as actively exploited and added to the Known Exploited Vulnerabilities (KEV) catalog on June 11, 2026. Organizations using affected products are strongly urged to patch immediately and review exposure of management interfaces.
Technical Information
The vulnerabilities disclosed and patched in June 2026 affect critical infrastructure components in enterprise environments. The most severe issues are found in Ivanti Sentry and Fortinet FortiSandbox products.
CVE-2026-10520 is an OS command injection vulnerability in Ivanti Sentry (formerly MobileIron Sentry), allowing remote, unauthenticated attackers to execute arbitrary commands as root by sending crafted HTTP POST requests to the /mics/api/v2/sentry/mics-config/handleMessage endpoint. This vulnerability is trivial to exploit, with public PoC code available, and has been observed in active attacks. The vulnerability affects all Ivanti Sentry versions prior to R10.5.2, R10.6.2, and R10.7.1. The attack surface is exposed when the management port (8443) is accessible from the internet, which is strongly discouraged in production environments.
CVE-2026-10523 is an authentication bypass in Ivanti Sentry that allows remote attackers to create arbitrary administrative accounts, leading to full administrative takeover. While no exploitation has been confirmed in the wild as of June 2026, the risk is critical due to the ease of exploitation and potential impact.
CVE-2026-25089 is an OS command injection vulnerability in Fortinet FortiSandbox. Unauthenticated attackers can execute arbitrary OS commands via crafted HTTP requests to the web UI. This affects FortiSandbox versions 5.0.0–5.0.5, 4.4.0–4.4.8, FortiSandbox Cloud 5.0.4–5.0.5, and FortiSandbox PaaS 5.0.4–5.0.5. No public exploitation has been reported as of June 2026.
ServiceNow is mentioned due to its integration with Ivanti Sentry, but no direct vulnerabilities were reported for ServiceNow in this batch.
Exploitation in the Wild
CVE-2026-10520 in Ivanti Sentry is confirmed as actively exploited. The Shadowserver Foundation has observed a large number of exploitation attempts based on public PoC code, with at least two vulnerable instances confirmed as backdoored. Attackers leverage the exposed management port (8443) to send malicious POST requests to the vulnerable endpoint, achieving root-level remote code execution. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on June 11, 2026, confirming the urgency of remediation.
For CVE-2026-10523 and CVE-2026-25089, there are currently no public reports of exploitation in the wild. However, the criticality and ease of exploitation warrant immediate attention.
APT Groups using this vulnerability
As of June 2026, there is no specific attribution of these vulnerabilities to named APT groups. However, similar vulnerabilities in Ivanti and Fortinet products have historically been exploited by state-sponsored actors such as APT41, UNC4841, and other advanced persistent threat groups targeting government, critical infrastructure, and enterprise sectors globally. The presence of public PoC code and active exploitation increases the likelihood of adoption by both sophisticated and opportunistic threat actors.
Affected Product Versions
The affected products and versions are as follows: Fortinet FortiSandbox versions 5.0.0 through 5.0.5 (fixed in 5.0.6+), 4.4.0 through 4.4.8 (fixed in 4.4.9+), FortiSandbox Cloud 5.0.4 through 5.0.5 (fixed in 5.0.6+), and FortiSandbox PaaS 5.0.4 through 5.0.5 (fixed in 5.0.6+). Ivanti Sentry (formerly MobileIron Sentry) versions prior to R10.5.2, R10.6.2, and R10.7.1 are vulnerable to both CVE-2026-10520 and CVE-2026-10523. No direct vulnerabilities were reported for ServiceNow in this batch.
Workaround and Mitigation
For Ivanti Sentry, organizations must immediately patch to R10.5.2, R10.6.2, or R10.7.1 or later. It is critical to ensure that management interfaces (port 8443) are not exposed to the internet. Administrators should monitor for unauthorized admin account creation and unexpected root processes, and review logs for suspicious POST requests to /mics/api/v2/sentry/mics-config/handleMessage.
For Fortinet FortiSandbox, patch to version 5.0.6+ (or 4.4.9+ for 4.4.x). Audit access logs for suspicious HTTP requests to the web UI and restrict access to trusted networks only.
General best practices include restricting management interfaces to internal networks, enforcing strong authentication, and monitoring for anomalous activity.
Indicators of Compromise
The following caveat applies: Indicators of compromise are point-in-time and should be validated before enforcement. No public indicators of compromise were available at the time of writing.
References
TheHackerNews: Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities, Shadowserver Foundation X Post, CISA KEV Catalog, watchTowr Labs PoC, Rapid7 Analysis, Fortinet Advisory, Ivanti Advisory
Rescana is here for you
Rescana empowers organizations to proactively manage third-party risk with our advanced TPRM platform, providing continuous monitoring, automated risk assessments, and actionable intelligence to strengthen your cybersecurity posture. For any questions or further assistance, we are happy to help at info@rescana.com.


