The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to patch an actively exploited Ivanti Sentry flaw within three days, as mandated by the newly issued Binding Operational Directive (BOD) 26-04.
Tracked as CVE-2026-10520, this maximum-severity vulnerability was found in Ivanti’s security gateway appliance (formerly known as MobileIron Sentry) and stems from an OS command injection weakness.
On Wednesday, one day after Ivanti released patches for CVE-2026-10520 and said that it had no evidence of in-the-wild exploitation, the Shadowserver Internet security watchdog reported that attackers had already backdoored many of the Sentry gateways exposed online.
Ivanti has yet to update its advisory to warn that CVE-2026-10520 is under active exploitation, and an Ivanti spokesperson has not responded when contacted by BleepingComputer for further details on these ongoing attacks.
While Shadowserver now tracks just over 50 Sentry admin portals exposed online, it says the number of Internet-exposed Ivanti Sentry instances it can detect is likely limited by organizations blocking its security scanner, and warns that systems that weren’t already patched are likely compromised.
“We are observing a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today,” it said.
“While our detection is on the lowish side due to multiple Ivanti Sentry instances not reachable in our scans (blocklisted?), if you have not patched now you are most likely compromised.”
On Thursday, CISA also confirmed that the CVE-2026-10520 vulnerability is now actively exploited in attacks and added it to its Known Exploited Vulnerabilities Catalog (KEV), ordering Federal Civilian Executive Branch (FCEB) agencies to secure their Ivanti Sentry instances within three days, as required by Binding Operational Directive (BOD) 26-04.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the cybersecurity agency warned. “Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset’s internet exposure and ensuring adherence to BOD 26-04 patching guidelines.”
BOD 26-04 was issued on Wednesday (superseding and revoking the older BOD 19-02 and BOD 22-01), and it requires U.S. federal agencies to prioritize patching if the asset is publicly exposed online, if the security flaw was added to CISA’s KEV catalog, if exploitation can be automated for large-scale attacks, and if successful exploitation gives attackers partial or total control of a targeted system.
While CVE-2026-10520 is the first vulnerability for which BOD 26-04 applies, in recent weeks CISA has ordered federal agencies to patch other security flaws within three days, including a Check Point VPN zero-day, a high-severity Oracle WebLogic Server vulnerability exploited in the wild, and an actively exploited cPanel plugin flaw.
Over the past several years, CISA has flagged 35 vulnerabilities across a wide range of Ivanti products that have been abused in attacks, with 12 targeted by ransomware gangs.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
