CISA orders feds to patch actively exploited Ivanti flaw by Sunday
At a glance:
- CISA issued Binding Operational Directive 26-04 requiring federal civilian agencies to patch Ivanti Sentry CVE-2026-10520 within three days.
- Shadowserver observed widespread exploitation attempts against the OS command injection flaw, warning unpatched gateways are likely compromised.
- The directive adds the flaw to CISA's Known Exploited Vulnerabilities catalog and supersedes earlier directives BOD 19-02 and BOD 22-01.
CISA issues emergency patch order for Ivanti Sentry
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operational Directive 26-04 on Wednesday, mandating that all Federal Civilian Executive Branch (FCEB) agencies secure their Ivanti Sentry instances within three calendar days. The directive applies because the vulnerability is publicly exposed, listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, can be automated for large‑scale attacks, and grants attackers partial or total control of the targeted system. This marks the first time BOD 26-04 has been invoked since it superseded and revoked the older BOD 19-02 and BOD 22-01.
CISA warned that "this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," urging agencies to follow the applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. The agency also emphasized that stakeholders must evaluate each asset's internet exposure and ensure adherence to the patching guidelines.
Shadowserver detects active exploitation in the wild
Shadowserver, an Internet security watchdog, reported on Wednesday that attackers had already backdoored many of the Sentry gateways exposed online, just one day after Ivanti released patches for CVE-2026-10520. The organization tracks just over 50 Sentry admin portals reachable in its scans, but cautions that the true number of exposed instances is likely higher because many organizations block its security scanner. "We are observing a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today," Shadowserver said.
The watchdog added, "While our detection is on the lowish side due to multiple Ivanti Sentry instances not reachable in our scans (blocklisted?), if you have not patched now you are most likely compromised." This assessment underscores the urgency for any organization running the gateway to apply the vendor's fixes immediately.
Ivanti response and advisory status
Ivanti issued patches for CVE-2026-10520 on Tuesday and stated it had no evidence of in‑the‑wild exploitation at that time, yet the company has not updated its advisory to reflect the active exploitation reported by Shadowserver. An Ivanti spokesperson did not respond to requests for comment on the ongoing attacks, leaving customers without a clear vendor acknowledgment of the threat level. The flaw resides in the Ivanti Sentry security gateway appliance, formerly known as MobileIron Sentry, and stems from an OS command injection weakness.
Historically, CISA has flagged 35 vulnerabilities across a wide range of Ivanti products that have been abused in attacks, with 12 of those targeted by ransomware gangs. This pattern highlights the recurring risk posed by the vendor's gateway and endpoint management solutions to both public and private sector networks.
Broader federal patching campaign and implications
In recent weeks CISA has ordered federal agencies to patch other critical flaws within the same three‑day window, including a Check Point VPN zero‑day, a high‑severity Oracle WebLogic Server vulnerability exploited in the wild, and an actively exploited cPanel plugin flaw. The agency's rapid‑response posture reflects a shift toward mandatory, time‑bound remediation for vulnerabilities that meet the BOD 26-04 criteria. These actions collectively raise the baseline for federal cyber hygiene and pressure vendors to accelerate disclosure and patch cycles.
Security teams should monitor the KEV catalog for new entries, validate that all internet‑facing Ivanti Sentry instances are patched, and consider network segmentation or zero‑trust controls for any legacy gateways that cannot be updated promptly. The ongoing exploitation of CVE-2026-10520 serves as a reminder that even appliances marketed as security gateways can become primary attack vectors when vulnerabilities are left unaddressed.
Prepared by the editorial stack from public data and external sources.