Attackers exploit critical Ivanti Sentry, PAN-OS flaws; Oracle warns of active PeopleSoft attacks

 


A recently patched maximum-severity vulnerability in Ivanti Sentry is being actively exploited in the wild.

Ivanti Sentry is a secure mobile gateway appliance used to protect communications between corporate systems and remote devices.

The flaw, tracked as CVE-2026-10520, is an OS command injection vulnerability that allows attackers to execute arbitrary code with root privileges on exposed Ivanti Sentry systems. Ivanti addressed the issue with the release of Sentry versions R10.5.2, R10.6.2, and R10.7.1.

Ivanti said in its advisory that it has no evidence of active exploitation. However, nonprofit security organization Shadowserver reported that attackers had already compromised and backdoored some publicly accessible Sentry gateways.

While only a limited number of internet-facing instances have been identified, researchers warn the actual number may be higher due to search engine blocklisting.

“We are observing a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today. We see 19 vulnerable instances in our own scans, with at least 2 backdoored,” Shadowserver said. “While our detection is on the lowish side due to multiple Ivanti Sentry instances not reachable in our scans (blocklisted?), if you have not patched you are most likely compromised.”

The US cybersecurity agency CISA has also listed the flaw as actively exploited, without specifying the kind of attacks in which the vulnerability was abused.

Meanwhile, Oracle has issued an alert regarding a critical vulnerability in PeopleSoft PeopleTools, tracked as CVE-2026-35273. The flaw enables unauthenticated remote code execution and is reportedly being exploited in data theft campaigns linked to the ShinyHunters threat group. At the same time, CISA indicated that the issue is known to have been exploited in ransomware attacks.

Oracle confirmed that the vulnerability affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. The company has released emergency mitigations and said a security patch will be made available soon.

Separately, Palo Alto Networks said it has observed active exploitation of a PAN-OS authentication bypass vulnerability (CVE-2026-0257) in attacks orchestrated by an unknown threat actor attempting to access GlobalProtect.

"No post-access behavior or lateral movement has been identified as of this time. Only a small portion of the probed devices actually established VPN sessions, resulting in gateway-connected events," the company said in a security advisory. The vendor has also provided Indicators of Compromise (IoCs) linked to the threat so that companies can review them and activate incident response.

