Vulnerabilities | Jun 12, 2026

CISA orders feds to patch actively exploited Ivanti flaw by Sunday

CISA orders federal agencies to patch actively exploited Ivanti Sentry flaw by Sunday.

Summary

CISA has issued Binding Operational Directive (BOD) 26-04, mandating that U.S. federal agencies patch a critical Ivanti Sentry vulnerability (CVE-2026-10520) within three days. The flaw, an OS command injection weakness, is already being actively exploited in the wild, with attackers backdooring exposed Sentry gateways. This directive underscores the urgency for agencies to address publicly exposed systems with known exploited vulnerabilities.

Full text

By Sergiu Gatlan, June 12, 2026, 04:26 AM

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to patch an actively exploited Ivanti Sentry flaw within three days, as mandated by the newly issued Binding Operational Directive (BOD) 26-04.

Tracked as CVE-2026-10520, this maximum-severity vulnerability was found in Ivanti's security gateway appliance (formerly known as MobileIron Sentry) and stems from an OS command injection weakness.

On Wednesday, one day after Ivanti released patches for CVE-2026-10520 and said that it had no evidence of in-the-wild exploitation, the Shadowserver Internet security watchdog reported that attackers had already backdoored many of the Sentry gateways exposed online.

Ivanti has yet to update its advisory to warn that CVE-2026-10520 is under active exploitation, and an Ivanti spokesperson has not responded when contacted by BleepingComputer for further details on these ongoing attacks.

While Shadowserver now tracks just over 50 Sentry admin portals exposed online, it says the number of Internet-exposed Ivanti Sentry instances it can detect is likely limited by organizations blocking its security scanner, and warns that systems that weren't already patched are likely compromised.

"We are observing a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today," it said. "While our detection is on the lowish side due to multiple Ivanti Sentry instances not reachable in our scans (blocklisted?), if you have not patched now you are most likely compromised."

Figure: Internet-exposed Ivanti Sentry admin portals (Shadowserver)

On Thursday, CISA also confirmed that the CVE-2026-10520 vulnerability is now actively exploited in attacks and added it to its Known Exploited Vulnerabilities Catalog (KEV), ordering Federal Civilian Executive Branch (FCEB) agencies to secure their Ivanti Sentry instances within three days, as required by Binding Operational Directive (BOD) 26-04.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the cybersecurity agency warned.

"Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines."

BOD 26-04 was issued on Wednesday (superseding and revoking the older BOD 19-02 and BOD 22-01), and it requires U.S. federal agencies to prioritize patching if the asset is publicly exposed online, if the security flaw was added to CISA's KEV catalog, if exploitation can be automated for large-scale attacks, and if successful exploitation gives attackers partial or total control of a targeted system.

While CVE-2026-10520 is the first vulnerability for which BOD 26-04 applies, in recent weeks CISA has ordered federal agencies to patch other security flaws within three days, including a Check Point VPN zero-day, a high-severity Oracle WebLogic Server vulnerability exploited in the wild, and an actively exploited cPanel plugin flaw.

Over the past several years, CISA has flagged 35 vulnerabilities across a wide range of Ivanti products that have been abused in attacks, with 12 targeted by ransomware gangs.

Indicators of Compromise

  • cve — CVE-2026-10520

Entities

  • Ivanti Sentry (product)
  • Ivanti (vendor)
  • MobileIron Sentry (product)
  • Ivanti EPMM (product)
  • Check Point VPN (product)
  • Oracle WebLogic Server (product)