CISA orders feds to patch actively exploited Ivanti flaw by Sunday

Bleeping Computer, June 12, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to patch an actively exploited Ivanti Sentry flaw within three days, as mandated by the newly issued Binding Operational Directive (BOD) 26-04.
Tracked as CVE-2026-10520, this maximum-severity vulnerability was found in Ivanti's security gateway appliance (formerly known as MobileIron Sentry) and stems from an OS command injection weakness.
Ivanti has yet to update its advisory to warn that CVE-2026-10520 is under active exploitation, and an Ivanti spokesperson had not responded when contacted by BleepingComputer for further details on the ongoing attacks.
Shadowserver currently tracks just over 50 Sentry admin portals exposed online, but it notes that the count of Internet-exposed Ivanti Sentry instances it can detect is likely an undercount because some organizations block its scanner, and it warns that any system that was not already patched is likely compromised.
"We are observing a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today," it said.
"While our detection is on the lowish side due to multiple Ivanti Sentry instances not reachable in our scans (blocklisted?), if you have not patched now you are most likely compromised."
On Thursday, CISA also confirmed that the CVE-2026-10520 vulnerability is now actively exploited in attacks and added it to its Known Exploited Vulnerabilities Catalog (KEV), ordering Federal Civilian Executive Branch (FCEB) agencies to secure their Ivanti Sentry instances within three days, as required by Binding Operational Directive (BOD) 26-04.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the cybersecurity agency warned. "Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines."
BOD 26-04 was issued on Wednesday (superseding and revoking the older BOD 19-02 and BOD 22-01), and it requires U.S. federal agencies to prioritize patching if the asset is publicly exposed online, if the security flaw was added to CISA's KEV catalog, if exploitation can be automated for large-scale attacks, and if successful exploitation gives attackers partial or total control of a targeted system.
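The practical consequence of a KEV addition is a hard remediation deadline per affected asset, which is what an agency has to reconcile against its own inventory. Below is an added example (not code from BleepingComputer, CISA or Ivanti) that parses a KEV-format JSON feed and triages an asset inventory against it, sorting findings by overdue status, due date and Internet exposure. The KEV record and the hostnames are constructed to mirror the article (dateAdded on Thursday, dueDate on Sunday); in practice you would replace `KEV_JSON` with the real catalog at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json. The field names follow the real KEV schema; the values, the `INVENTORY` list and the `triage` function are illustrative.

```python
"""Triage an asset inventory against a CISA KEV-format feed.

Added example. The KEV snippet and inventory below are CONSTRUCTED
(hypothetical hostnames, illustrative dates and description text); only
the JSON field names match the real catalog schema.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed KEV-format snippet: one entry shaped like the catalog's records.
KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2026.06.11",
  "dateReleased": "2026-06-11T18:00:00.0000Z",
  "count": 1,
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-10520",
      "vendorProject": "Ivanti",
      "product": "Sentry",
      "vulnerabilityName": "Ivanti Sentry OS Command Injection Vulnerability",
      "dateAdded": "2026-06-11",
      "shortDescription": "Ivanti Sentry contains an OS command injection vulnerability.",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 26-04 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2026-06-14",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    }
  ]
}
"""

# Constructed asset inventory (hypothetical hosts). The exposure flag is the
# input BOD 26-04 prioritization needs but that the KEV feed cannot supply.
INVENTORY = [
    {"host": "sentry-edge-01.example.gov", "vendor": "Ivanti", "product": "Sentry", "internet_exposed": True},
    {"host": "sentry-lab-02.example.gov", "vendor": "Ivanti", "product": "Sentry", "internet_exposed": False},
    {"host": "files-03.example.gov", "vendor": "ExampleVendor", "product": "Unrelated", "internet_exposed": True},
]


@dataclass
class Finding:
    host: str
    cve_id: str
    due_date: date
    days_left: int          # negative once the due date has passed
    internet_exposed: bool

    @property
    def overdue(self) -> bool:
        return self.days_left < 0


def parse_kev(raw: str) -> list[dict]:
    """Load a KEV feed and sanity-check that it was not truncated in transit."""
    doc = json.loads(raw)
    vulns = doc["vulnerabilities"]
    if doc.get("count") is not None and doc["count"] != len(vulns):
        raise ValueError("KEV 'count' does not match the vulnerabilities array")
    return vulns


def triage(raw_kev: str, inventory: list[dict], today: date) -> list[Finding]:
    """Match inventory rows to KEV entries by vendor/product (case-insensitive).

    Real KEV product strings are not normalized across vendors, so a production
    version would carry a vendor/product mapping table instead of exact matches.
    """
    findings: list[Finding] = []
    for v in parse_kev(raw_kev):
        key = (v["vendorProject"].casefold(), v["product"].casefold())
        due = date.fromisoformat(v["dueDate"])
        for asset in inventory:
            if (asset["vendor"].casefold(), asset["product"].casefold()) != key:
                continue
            findings.append(Finding(asset["host"], v["cveID"], due,
                                    (due - today).days, asset["internet_exposed"]))
    # Overdue first, then soonest due date, then Internet-exposed before internal.
    findings.sort(key=lambda f: (not f.overdue, f.due_date, not f.internet_exposed))
    return findings


if __name__ == "__main__":
    for f in triage(KEV_JSON, INVENTORY, date(2026, 6, 12)):
        state = "OVERDUE" if f.overdue else f"{f.days_left}d left"
        print(f"{f.host:28} {f.cve_id} due {f.due_date} {state} exposed={f.internet_exposed}")
```

Run against the real feed, the same loop gives you the per-host due dates to report against; the `count` check matters because a partially downloaded catalog silently drops entries, which is exactly the failure you do not want on a three-day deadline.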