CISA orders feds to patch actively exploited Ivanti flaw by Sunday

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to patch an actively exploited Ivanti Sentry flaw within three days, as mandated by the newly issued Binding Operational Directive (BOD) 26-04.

Tracked as CVE-2026-10520, this maximum-severity vulnerability was found in Ivanti's security gateway appliance (formerly known as MobileIron Sentry) and stems from an OS command injection weakness.

On Wednesday, one day after Ivanti released patches for CVE-2026-10520 and said that it had no evidence of in-the-wild exploitation, the Shadowserver Internet security watchdog reported that attackers had already backdoored many of the Sentry gateways exposed online.

Ivanti has yet to update its advisory to warn that CVE-2026-10520 is under active exploitation, and an Ivanti spokesperson has not responded when contacted by BleepingComputer for further details on these ongoing attacks.

While Shadowserver now tracks just over 50 Sentry admin portals exposed online, it says the number of Internet-exposed Ivanti Sentry instances it can detect is likely limited by organizations blocking its security scanner, and warns that systems that weren't already patched are likely compromised.