CISA Orders Emergency Patching of Actively Exploited Ivanti Sentry Vulnerability
Federal agencies have just three days to secure exposed Ivanti Sentry systems as attackers actively target a critical flaw capable of remote code execution.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive requiring federal agencies to patch a critical Ivanti Sentry vulnerability. The agency confirmed that attackers are actively exploiting the flaw in real-world attacks.
Tracked as CVE-2026-10520, the vulnerability carries a maximum severity rating. It affects Ivanti Sentry, the security gateway formerly known as MobileIron Sentry. The flaw is an operating system command injection weakness, so attackers who exploit it may execute unauthorized commands on vulnerable systems.
Exploitation Activity Accelerates
The threat escalated quickly after Ivanti released security updates. Initially, the company reported no evidence of active exploitation. However, security researchers soon observed large numbers of attack attempts targeting exposed Ivanti Sentry deployments.
Researchers also identified signs that several internet-facing systems had already been compromised. In some cases, attackers appeared to have installed backdoors that could provide persistent access.
Security monitoring organizations reported a surge in scanning and exploitation activity. Furthermore, publicly available proof-of-concept code likely accelerated attacks against unpatched systems.
CISA Invokes New Emergency Directive
In response, CISA added CVE-2026-10520 to its Known Exploited Vulnerabilities (KEV) Catalog. The agency also applied the requirements of its newly introduced Binding Operational Directive 26-04.
Under this directive, Federal Civilian Executive Branch agencies must remediate the vulnerability within three days. The order highlights the seriousness of the threat and the potential impact of successful exploitation.
CISA warned that vulnerabilities of this type remain a common attack vector. Threat actors often target internet-facing security appliances because they provide direct access to critical infrastructure.
Why Organizations Should Act Immediately
Security experts warn that organizations delaying patch deployment face significant risks. Attackers often move quickly after vulnerability details become public. Therefore, the time available for defensive action continues to shrink.
Organizations running Ivanti Sentry should patch affected systems immediately. Additionally, security teams should review logs, investigate unusual activity, and conduct threat-hunting exercises. These steps can help identify potential compromises before attackers expand their access.
Internet-facing security products require continuous monitoring. They also demand strong vulnerability management practices and rapid incident response procedures.
A Continuing Trend for Ivanti Products
CVE-2026-10520 is the first vulnerability addressed under CISA's updated BOD 26-04 framework. The directive prioritizes vulnerabilities that meet specific risk criteria: active exploitation, internet exposure, large-scale attack potential, and the possibility of system takeover.
Ivanti products have faced repeated targeting in recent years. CISA has added dozens of Ivanti vulnerabilities to its Known Exploited Vulnerabilities Catalog. Several of those flaws have also been linked to ransomware attacks and advanced cyber espionage campaigns.
The latest incident serves as another reminder that patch management remains a critical security function. Organizations that respond quickly can significantly reduce their exposure to emerging threats.