Max-Severity Ivanti Sentry RCE Is Being Actively Exploited — Patch Now

A maximum-severity vulnerability in Ivanti Sentry is being actively exploited in the wild, according to BleepingComputer. The flaw — rated CVSS 10.0 — allows unauthenticated attackers to execute arbitrary code with root privileges on internet-exposed Sentry appliances. The patch exists. Threat actors are already using it to get in.

What Happened

Ivanti disclosed and patched a critical vulnerability in Sentry, its secure mobile gateway product that brokers access between mobile devices and backend systems like Exchange ActiveSync and Kerberos. Shortly after the patch was published, confirmed exploitation began in the wild. Ivanti has a documented pattern here: in 2024, Connect Secure, Policy Secure, and Sentry itself were all hit by zero-days that triggered CISA emergency directives and widespread enterprise compromise. The current situation follows the same arc — a patch drops, and within days attackers are already through the door.

Why It Matters

Sentry sits at a privileged position in enterprise networks. It terminates mobile device connections and proxies them into internal infrastructure. Root-level code execution on a Sentry appliance gives an attacker:

Any organization using Sentry for ActiveSync brokering, Kerberos constrained delegation, or AppTunnel is in scope. If your Sentry management interface is internet-reachable at all — even on a non-standard port — treat this as a live incident until you have confirmed the patch is applied.

What to Do

Patch immediately. Pull the fix from Ivanti's security advisory portal and apply it now. If patching cannot happen in the next few hours, firewall the admin interface to trusted IPs only and isolate the appliance from critical backend systems as a temporary measure.

Assume breach if you were exposed before patching. Hunt for signs of post-exploitation compromise:

Verify your external exposure. Confirm whether your Sentry admin port is directly internet-accessible using your external attack surface tooling or a quick port scan from outside your perimeter. Admin interfaces for edge appliances should never be publicly reachable regardless of patch status.

Check for lateral movement. If the appliance could have been compromised before patching, treat the systems it can reach as potentially touched. Review authentication logs on Exchange and Active Directory for unusual service account activity in the past several weeks.
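Added example for the two hunting steps above (not code from the article or from Ivanti): it runs the "unusual service account activity" review over constructed backend logon records, flagging the delegation account a Sentry appliance uses when it appears from a host other than the appliance, against a service it should not reach, or with a non-network logon type. The account name, addresses, SPNs and the record format are assumptions.

```python
# Added example (not from the article): baseline the Sentry KCD account's normal brokering pattern
# and flag deviations in constructed logon records. Names and addresses below are hypothetical.
from dataclasses import dataclass

SENTRY_ACCOUNT = "svc-sentry-kcd"                 # hypothetical delegation account used by Sentry
APPLIANCE_IPS = {"10.0.5.20"}                     # hypothetical Sentry appliance address
EXPECTED_SPNS = {"HTTP/exch01.corp.example"}      # services Sentry is allowed to delegate to
NETWORK_LOGON = 3                                 # only logon type a delegation account should show

@dataclass(frozen=True)
class Logon:
    ts: str
    account: str
    src_ip: str
    target_spn: str
    logon_type: int

def parse_logon(line: str) -> Logon:
    """Parse one 'ts,account,src_ip,target_spn,logon_type' record (constructed format)."""
    ts, account, src_ip, spn, ltype = (f.strip() for f in line.split(","))
    return Logon(ts, account, src_ip, spn, int(ltype))

def find_anomalies(lines):
    """Return (reason, Logon) pairs where the Sentry account behaves unlike a KCD broker."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_logon(line)
        if rec.account != SENTRY_ACCOUNT:
            continue                              # other accounts are out of scope here
        if rec.src_ip not in APPLIANCE_IPS:
            findings.append(("logon from non-appliance host", rec))
        if rec.target_spn not in EXPECTED_SPNS:
            findings.append(("delegation to unexpected service", rec))
        if rec.logon_type != NETWORK_LOGON:
            findings.append(("non-network logon type", rec))
    return findings

# Constructed sample: normal brokering, then two records a compromised appliance could produce.
SAMPLE_LOGONS = """
2024-05-01T09:00:00Z,svc-sentry-kcd,10.0.5.20,HTTP/exch01.corp.example,3
2024-05-01T09:00:05Z,jdoe,10.0.8.44,HTTP/exch01.corp.example,3
2024-05-01T09:01:00Z,svc-sentry-kcd,10.0.5.20,HTTP/exch01.corp.example,3
2024-05-01T23:14:00Z,svc-sentry-kcd,10.0.5.20,cifs/dc01.corp.example,3
2024-05-02T01:02:00Z,svc-sentry-kcd,10.0.9.77,HTTP/exch01.corp.example,10
""".strip().splitlines()
if __name__ == "__main__":
    for reason, rec in find_anomalies(SAMPLE_LOGONS):
        print(f"{rec.ts} {reason}: {rec.src_ip} -> {rec.target_spn} (type {rec.logon_type})")
```

Point the same three rules at real exports from your domain controllers or Exchange servers, with the appliance address and allowed SPNs taken from your own Sentry configuration.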

Unauthenticated RCE with root access on a network edge appliance is a top-tier initial access primitive for ransomware groups and state-sponsored actors alike. This one is confirmed in active use right now.

Sources
  1. Max severity Ivanti Sentry vulnerability now exploited in attacks

Synthesized by Claude · sanity-checked before publish.
