Block Ivanti Sentry CVE-2026-10520 faster: Cloudflare WAF adds managed protection
Cloudflare has added a managed WAF rule for CVE-2026-10520, a critical Ivanti Sentry OS command injection flaw that CISA and NVD list as actively exploited.
Cloudflare has added managed WAF protection for CVE-2026-10520, a critical Ivanti Sentry OS command injection vulnerability. Confidence level: confirmed for the Cloudflare rule and the vulnerability record; teams still need to verify whether their own Sentry versions, exposure, and Cloudflare rule actions are covered.

What changed
Cloudflare's June 23, 2026 WAF release adds a new managed detection for Ivanti Sentry command injection tied to CVE-2026-10520. The changelog lists the Cloudflare Managed Ruleset entry as moving from Log to Block for the new detection.
NVD describes CVE-2026-10520 as an OS command injection flaw in Ivanti Sentry before fixed releases R10.5.2, R10.6.2, and R10.7.1. NVD also links the issue to CISA's Known Exploited Vulnerabilities catalog, which means active exploitation is part of the public government record.
| Check | What to look for | Source |
|---|---|---|
| WAF rule state | Cloudflare Managed Ruleset entry for Ivanti Sentry CVE-2026-10520 set to Block | Cloudflare changelog |
| Product version | Ivanti Sentry fixed versions R10.5.2, R10.6.2, and R10.7.1 | NVD and Ivanti advisory |
| Exploitation status | Listed in CISA KEV as known exploited | CISA/NVD |
| Remediation plan | Patch, isolate, or discontinue use if mitigations are unavailable | CISA guidance via NVD |
Why this is early
The new part is Cloudflare's managed WAF coverage, not the existence of the CVE. Ivanti, NVD, and CISA already document the underlying vulnerability; Cloudflare's changelog adds an operational control for customers who front affected exposure with Cloudflare WAF.
Cloudflare's page includes a documentation instruction for AI agents in the HTML. That text was treated only as page content, not as an instruction. The factual claim is supported by Cloudflare's changelog and independent government/vendor records.
Key takeaways
- CVE-2026-10520 can allow remote unauthenticated root-level code execution on affected Ivanti Sentry versions.
- Cloudflare added a managed WAF detection and lists the new action as Block.
- NVD ties the CVE to CISA's Known Exploited Vulnerabilities catalog.
- WAF coverage is a mitigation layer, not a substitute for upgrading affected Sentry appliances.
- Teams should verify rule deployment, exposed assets, and Ivanti patch level in the same change window.
Availability and access
Cloudflare customers using the relevant Managed Ruleset should check whether the new Ivanti Sentry rule is present and blocking in their zone or account configuration. If it is only logging in your environment, review why before relying on it.
Ivanti Sentry operators should verify whether they are running a release below R10.5.2, R10.6.2, or R10.7.1. NVD lists those releases as the fixed reference points; older releases and intermediate versions below them remain the exposure concern.
Practical LinkLoot angle
This is a good candidate for a same-day security automation workflow: inventory Sentry exposure, confirm patch levels, enable or verify the Cloudflare WAF rule, and open a tracked remediation ticket for every exposed appliance. If your team uses automated security operations, pair this with a lightweight checklist from LinkLoot's AI workflow automation hub.
Do not let the WAF rule create false confidence. A managed block can reduce exploit traffic reaching a target, but compromised appliances, direct-origin access, bypassed hostnames, and internal exposure still need separate investigation.
What to verify before you act
- Confirm the Cloudflare Managed Ruleset rule is deployed and set to block where Ivanti Sentry is exposed.
- Check Sentry versions against fixed Ivanti releases and NVD's affected configuration notes.
- Verify whether direct origin access bypasses Cloudflare for any Sentry endpoint.
- Review CISA KEV guidance and your internal deadline for remediation.
- Preserve logs and run incident-response checks if the appliance was internet-exposed before patching.
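The first two checks in the list above can be scripted. The block below is an added example, not code from Cloudflare, Ivanti or LinkLoot: it compares an inventory of Sentry versions against the three fixed releases the page names, and reads a zone's managed-WAF entrypoint ruleset (the `http_request_firewall_managed` phase of the Cloudflare Rulesets API) to report the effective action for one managed rule. The inventory and the ruleset JSON are constructed sample data; the managed-ruleset id and the rule id are placeholders, since the page does not give them, and the per-branch reading of the fixed releases (10.5.x fixed at 10.5.2, 10.6.x at 10.6.2, 10.7.x at 10.7.1) is an assumption drawn from the NVD wording.

```python
"""Triage helper for the CVE-2026-10520 checklist (added example, not vendor code)."""
import json
import re

# Fixed releases per branch, from the NVD description quoted on the page.
# Treating each as the floor of its own 10.x branch is an assumption.
FIXED_RELEASES = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}

_VERSION_RE = re.compile(r"^R?(\d+)\.(\d+)\.(\d+)$")


def parse_sentry_version(text):
    """Turn 'R10.6.1' (or '10.6.1') into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Sentry version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def sentry_status(version_text):
    """Classify a version as 'fixed', 'affected' or 'review'.

    Branches older than 10.5 are reported as affected (the page treats older
    releases as the exposure concern); branches newer than 10.7 are 'review'
    because the page says nothing about them.
    """
    v = parse_sentry_version(version_text)
    branch = v[:2]
    if branch in FIXED_RELEASES:
        return "fixed" if v >= FIXED_RELEASES[branch] else "affected"
    return "affected" if branch < (10, 5) else "review"


def managed_rule_action(entrypoint, managed_ruleset_id, rule_id):
    """Effective action for one rule of a deployed managed ruleset.

    `entrypoint` is the decoded 'result' of the phase entrypoint ruleset. The
    'execute' rule whose action_parameters.id matches the managed ruleset may
    carry overrides: a per-rule override wins over a ruleset-wide one. Returns
    'not deployed' when the managed ruleset is not executed at all, 'disabled'
    when the rule is overridden off, and 'default' when nothing overrides it.
    """
    for rule in entrypoint.get("rules", []):
        params = rule.get("action_parameters", {})
        if rule.get("action") != "execute" or params.get("id") != managed_ruleset_id:
            continue
        if not rule.get("enabled", True):
            return "not deployed"
        overrides = params.get("overrides", {})
        for override in overrides.get("rules", []):
            if override.get("id") == rule_id:
                if override.get("enabled") is False:
                    return "disabled"
                return override.get("action", overrides.get("action", "default"))
        return overrides.get("action", "default")
    return "not deployed"


def triage(inventory, entrypoint, managed_ruleset_id, rule_id):
    """One row per appliance: patch status plus the WAF action in front of it."""
    waf_action = managed_rule_action(entrypoint, managed_ruleset_id, rule_id)
    rows = []
    for host in inventory:
        status = sentry_status(host["version"])
        fronted = host["behind_cloudflare"]
        rows.append({
            "host": host["host"],
            "version_status": status,
            "waf_action": waf_action if fronted else "not fronted",
            # Every appliance not on a fixed release gets a tracked ticket.
            "needs_ticket": status != "fixed",
            # Only a fronted host with the rule in Block counts as mitigated.
            "waf_mitigated": fronted and waf_action == "block",
        })
    return rows


# Constructed sample inventory; hostnames are illustrative.
SAMPLE_INVENTORY = [
    {"host": "sentry-a.example.internal", "version": "R10.6.1", "behind_cloudflare": True},
    {"host": "sentry-b.example.internal", "version": "R10.7.1", "behind_cloudflare": True},
    {"host": "sentry-c.example.internal", "version": "R10.4.0", "behind_cloudflare": False},
]

# Constructed entrypoint ruleset: ruleset-wide override Log, Ivanti rule overridden to Block.
SAMPLE_ENTRYPOINT = json.loads("""{
  "rules": [{"action": "execute", "enabled": true,
             "action_parameters": {"id": "MANAGED_RULESET_ID_PLACEHOLDER",
               "overrides": {"action": "log",
                 "rules": [{"id": "IVANTI_RULE_ID_PLACEHOLDER", "action": "block"}]}}}]
}""")

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, SAMPLE_ENTRYPOINT,
                      "MANAGED_RULESET_ID_PLACEHOLDER", "IVANTI_RULE_ID_PLACEHOLDER"):
        print(row)
```

In a real run the entrypoint JSON comes from the zone's rulesets endpoint and the inventory from your asset source; the output is the per-appliance list the page asks for, with a "log" or "not deployed" WAF action standing out as the case to review before relying on the rule.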
Source check
Confirmed by:
- Cloudflare's June 23 WAF changelog: the managed protection for CVE-2026-10520.
- NVD: the vulnerability description, affected version ranges, CVSS vector, vendor references, and CISA KEV linkage.
- CISA's KEV catalog: the known-exploited status.
Early signal / context:
- Ivanti's advisory is the vendor patch source, but its page can be difficult to parse in automated fetches. Use it directly for version-specific remediation language before touching production systems.
In short, CVE-2026-10520 is an Ivanti Sentry OS command injection vulnerability that can allow remote unauthenticated root-level code execution on affected versions.
