Ivanti Patches Max-Severity Sentry Flaw Enabling Remote Code Execution as Root
Ivanti has disclosed and patched two critical vulnerabilities in its Sentry secure mobile gateway — including a maximum-severity flaw that allows unauthenticated remote attackers to execute arbitrary code as root. If Sentry is in your environment, this is a patch-now situation, not a patch-next-sprint one.
What Happened
Ivanti published an advisory covering two critical vulnerabilities in Sentry, its mobile device management gateway that brokers connections between enterprise MDM systems and backend corporate infrastructure. One flaw carries a maximum CVSS score — the highest possible severity rating — and enables remote code execution with root privileges. The second is also rated critical. Patches are available and Ivanti is urging immediate deployment.
Why It Matters
Ivanti appliances have been among the most aggressively targeted enterprise security products over the past two years. Multiple prior Connect Secure and Policy Secure vulnerabilities were weaponized as zero-days within days of disclosure — in several cases before patches existed — by threat actors including nation-state groups deploying webshells, harvesting credentials, and establishing persistent footholds.
A CVSS 10 unauthenticated RCE as root means complete appliance compromise with no user interaction required. From that position, an attacker controls the gateway itself: they can intercept MDM traffic, harvest device credentials, pivot into internal networks, and silently tamper with mobile policy enforcement. Sentry's position at the edge of mobile infrastructure makes exploitation particularly dangerous and difficult to detect.
The pattern here is not speculative — it is documented. Treating this disclosure as routine would be a serious operational risk.
What To Do
Patch immediately. Consult Ivanti's advisory for version-specific patch instructions. Internet-accessible appliances should be patched before any other scheduled maintenance.
Restrict management interfaces now. If Sentry's admin or API surfaces are reachable from the public internet, block them at the firewall immediately — this buys time while patching is expedited.
Audit recent access logs. Look for anomalous API calls, unexpected outbound connections from the appliance, or unfamiliar processes. Given Ivanti's exploitation history, assume the gap between patch release and active weaponization is measured in days, not weeks.
Monitor for IOCs. Ivanti and major threat intel vendors typically publish indicators of compromise within 24–48 hours of high-profile disclosures. Subscribe to Ivanti's security advisories if you haven't already.
If patching cannot happen immediately, isolate the appliance from internet-facing segments and treat it as potentially compromised until remediation is complete.
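The audit step above is easier to act on with a concrete triage pass. The following is an added example written for this piece, not Ivanti's tooling: it reads a constructed, simplified appliance log (one line per API call, outbound connection, or process start) and flags the three signals the advisory guidance names: admin API calls that are unauthenticated or come from outside the management subnet, outbound connections to destinations not on an allowlist, and processes whose executable is not in a known baseline. The log format, the field names, the `/admin/` path prefixes, the network ranges, and the baseline executable set are all assumptions; replace them with the real appliance's log schema and your own baselines before use.

```python
"""Post-advisory log triage for an edge appliance (added example, not vendor code).

The log schema below is constructed for illustration. Three record kinds:
  API  <ts> src=<ip> auth=<yes|no> method=<M> path=<p> status=<code>
  CONN <ts> proto=<tcp|udp> dst=<ip>:<port>
  PROC <ts> exe=<path> ppid=<n> user=<user>
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed baselines: adapt to the real environment.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]       # management subnet allowed to call admin APIs
ALLOWED_OUTBOUND = [ipaddress.ip_network("10.0.0.0/8")]   # internal MDM/backend ranges the gateway may reach
KNOWN_EXES = {"/opt/gateway/bin/gatewayd", "/usr/sbin/sshd", "/usr/sbin/cron"}  # expected processes
ADMIN_PREFIXES = ("/admin/", "/api/admin/")               # assumed admin API namespace

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log: mixes benign lines with one hit for each rule.
SAMPLE_LOG = """\
API  2024-06-01T08:00:01Z src=10.20.0.5 auth=yes method=GET path=/admin/status status=200
API  2024-06-01T08:00:09Z src=203.0.113.77 auth=no method=POST path=/admin/config status=200
API  2024-06-01T08:00:10Z src=203.0.113.77 auth=yes method=GET path=/admin/users status=200
API  2024-06-01T08:00:12Z src=10.20.0.5 auth=yes method=GET path=/api/v1/devices status=200
CONN 2024-06-01T08:00:15Z proto=tcp dst=10.1.4.20:443
CONN 2024-06-01T08:00:20Z proto=tcp dst=198.51.100.9:443
PROC 2024-06-01T08:00:21Z exe=/opt/gateway/bin/gatewayd ppid=1 user=root
PROC 2024-06-01T08:00:22Z exe=/tmp/.cache/update ppid=1337 user=root
"""


@dataclass(frozen=True)
class Finding:
    rule: str   # which triage rule fired
    line: str   # the offending log line, kept verbatim for the analyst


def _in_any(ip: str, nets) -> bool:
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def _parse(line: str):
    """Split a record into its kind and a dict of key=value fields."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None, {}
    return parts[0], dict(FIELD_RE.findall(parts[2]))


def triage(log_text: str) -> list[Finding]:
    """Return findings for every line that matches one of the three rules."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, f = _parse(line)
        if kind == "API":
            is_admin = f.get("path", "").startswith(ADMIN_PREFIXES)
            if is_admin and f.get("auth") != "yes":
                findings.append(Finding("unauthenticated-admin-call", line))
            elif is_admin and not _in_any(f["src"], ADMIN_NETS):
                findings.append(Finding("admin-call-from-untrusted-network", line))
        elif kind == "CONN":
            dst_ip = f["dst"].rsplit(":", 1)[0]
            if not _in_any(dst_ip, ALLOWED_OUTBOUND):
                findings.append(Finding("unexpected-outbound", line))
        elif kind == "PROC":
            if f.get("exe") not in KNOWN_EXES:
                findings.append(Finding("unfamiliar-process", line))
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit.rule}] {hit.line}")
```

Each rule is an allowlist comparison rather than a signature, which is the point: with no vendor IOCs yet, the defensible question is "what did this appliance do that it never does?" Run it against the window from the advisory date backwards, and treat any hit on an internet-facing appliance as grounds for the isolation step above.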
Synthesized by Claude · sanity-checked before publish.