Security researchers have detected active exploitation attempts targeting a critical-severity OS command injection vulnerability in Ivanti Sentry. The flaw allows attackers to execute arbitrary code with root privileges on affected systems, posing a severe risk to enterprise networks.

The vulnerability has been assigned a critical severity rating, and honeypot deployments have logged multiple exploitation attempts, indicating that threat actors are actively scanning for and targeting vulnerable Ivanti Sentry instances. The exact number of affected systems remains unclear, but the widespread use of Ivanti products in enterprise environments amplifies the potential impact.

The attack vector involves sending specially crafted requests to the Ivanti Sentry management interface, which fails to properly sanitize user input, enabling command injection. Successful exploitation grants attackers full root-level access, allowing them to install backdoors, exfiltrate data, or pivot to other systems within the network. Indicators of compromise include unexpected outbound connections from the Ivanti Sentry server and unauthorized modifications to system files.

Ivanti has released security patches for the vulnerability, and administrators are strongly urged to apply the updates immediately. Until the patch is applied, organizations should restrict network access to the Ivanti Sentry management interface and monitor for signs of compromise; Ivanti has not provided a workaround for unpatched systems.
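The two indicators named above (unexpected outbound connections from the Sentry host and unauthorized changes to system files) can be checked with simple baseline comparisons. The following is an added example, not code from the article or from Ivanti; the connection-log format, the Sentry address, the destination allowlist and the file snapshots are all constructed assumptions.

```python
import hashlib

# Constructed sample connection-log lines from the Sentry host (hypothetical format):
# "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_CONN_LOG = """\
2024-01-01T10:00:01Z 10.0.5.20 -> 10.0.5.10:443 tcp
2024-01-01T10:00:05Z 10.0.5.20 -> 10.0.0.53:53 udp
2024-01-01T10:01:12Z 10.0.5.20 -> 198.51.100.77:4444 tcp
2024-01-01T10:02:00Z 10.0.5.20 -> 10.0.5.11:443 tcp
"""
SENTRY_IP = "10.0.5.20"                                   # assumed Sentry address
EXPECTED_DESTS = {"10.0.5.10", "10.0.5.11", "10.0.0.53"}  # assumed allowlist (peers, DNS)

def unexpected_outbound(log_text, sentry_ip=SENTRY_IP, allow=EXPECTED_DESTS):
    """Return (dst_ip, dst_port) for outbound connections from the Sentry host
    whose destination is not on the allowlist; malformed lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "->" or parts[1] != sentry_ip:
            continue
        dst_ip, _, dst_port = parts[3].rpartition(":")
        if dst_ip and dst_port.isdigit() and dst_ip not in allow:
            hits.append((dst_ip, int(dst_port)))
    return hits

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def file_changes(baseline, current):
    """Compare a baseline {path: sha256} taken before the exposure window with
    the current {path: bytes} contents and report modified, added and deleted paths."""
    modified = sorted(p for p in baseline if p in current and sha256_hex(current[p]) != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    deleted = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "deleted": deleted}

# Constructed baseline hashes and a constructed current snapshot of a few system files
BASELINE = {
    "/etc/passwd": sha256_hex(b"root:x:0:0:root:/root:/bin/bash\n"),
    "/etc/crontab": sha256_hex(b"# m h dom mon dow user command\n"),
}
CURRENT = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/crontab": b"# m h dom mon dow user command\n@reboot root /opt/unknown.sh\n",
    "/root/.ssh/authorized_keys": b"ssh-ed25519 AAAA... unexpected-key\n",
}

if __name__ == "__main__":
    print(unexpected_outbound(SAMPLE_CONN_LOG), file_changes(BASELINE, CURRENT))
```

In practice the baseline hashes would be recorded from a known-good build and the connection records pulled from the firewall or flow collector in front of the appliance.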

While the attacks have been observed on honeypots, no widespread compromises have been confirmed in production environments. However, given the critical nature of the vulnerability and the active scanning, the threat is significant. Security teams should prioritize patching and review Ivanti Sentry deployments for any signs of prior intrusion.