Ivanti Sentry has two critical vulnerabilities disclosed June 10, 2026: CVE-2026-10520 enables unauthenticated root-level remote code execution via OS command injection, and CVE-2026-10523 enables authentication bypass. Both carry a CVSS of 9.8. No active exploitation has been publicly reported as of the analysis date, but EPSS scores are expected to rise as threat intelligence feeds update, and CISA KEV addition is anticipated within two to three weeks given Ivanti’s prior vulnerability history.