CISA orders feds to patch exploited Ivanti flaw by Sunday

By the time federal agencies received the latest warning, the exploitation had already stopped being hypothetical.

On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency confirmed that the Ivanti Sentry flaw tied to CVE-2026-10520 is now actively exploited in attacks. CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog, and under the newly issued Binding Operational Directive (BOD) 26-04, Federal Civilian Executive Branch (FCEB) agencies are required to secure their Ivanti Sentry instances within three days.

CVE-2026-10520 is rated maximum severity and is rooted in an operating system command injection weakness affecting Ivanti’s security gateway appliance—formerly known as MobileIron Sentry. The timing matters: on Wednesday, Ivanti released patches and said it had no evidence of in-the-wild exploitation. Just one day later, the Shadowserver Internet security watchdog reported that attackers had already backdoored many Sentry gateways exposed online.

The contradiction isn’t just academic. It’s the gap between what a vendor says it has seen and what attackers appear to be doing in real time.

Shadowserver said that while its tracking currently shows just over 50 Sentry admin portals exposed online, the true number of internet-exposed instances it can detect is likely limited by organizations blocking its security scanner. It also warned that systems that weren’t already patched are likely compromised. The watchdog added, “We are observing a large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts based on the public PoC today.” It followed with a blunt assessment: “While our detection is on the lowish side due to multiple Ivanti Sentry instances not reachable in our scans (blocklisted?), if you have not patched now you are most likely compromised.”

Ivanti has not yet updated its advisory to warn that CVE-2026-10520 is under active exploitation. An Ivanti spokesperson did not respond when contacted for further details on the ongoing attacks.

CISA’s directive is written for urgency and scale. BOD 26-04, issued on Wednesday, supersedes and revokes the older BOD 19-02 and BOD 22-01. It requires agencies to prioritize patching when the asset is publicly exposed online, when the security flaw is added to CISA’s KEV catalog, when exploitation can be automated for large-scale attacks, and when successful exploitation gives attackers partial or total control of a targeted system. CISA also instructed agencies that if mitigations for cloud services are unavailable, they should follow the BOD 26-04 guidance for cloud services or discontinue use of the product.

The agency warned that this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. It emphasized that stakeholders are responsible for evaluating each asset’s internet exposure and ensuring adherence to the BOD 26-04 patching guidelines.

This is not a one-off directive. In recent weeks, CISA has ordered federal agencies to patch other security flaws within three days, including a Check Point VPN zero-day, a high-severity Oracle WebLogic Server vulnerability exploited in the wild, and an actively exploited cPanel plugin flaw. Over the past several years, CISA has flagged 35 vulnerabilities across a wide range of Ivanti products abused in attacks, with 12 targeted by ransomware gangs.

The pressure facing agencies now is straightforward: even if the official patch release landed on Wednesday, the hunt for exposed Sentry gateways suggests attackers were already moving through the window between patch availability and real-world uptake. And with CISA’s KEV listing and a three-day deadline for FCEB agencies, the message is unmistakable: this time, the clock starts with the directive, not with what anyone claims to have seen.

4 Comments

  1. Wait I thought Ivanti already said there was no exploitation? Sounds like they were wrong or lying, idk. If it’s command injection then can someone just log in and do anything? Probably.

  2. Binding Operational Directive sounds like the government forcing it, but also like they’re late. Didn’t patch come out Wednesday? And then by Thursday it’s already exploited… seems backwards. Also “Shadowserver” isn’t that just random people scanning? Maybe but still, if true, yikes.

  3. Honestly I’m confused, like how do you even “secure” a gateway appliance in 3 days. If it was backdoored already then patching just fixes the door but not the fact they’re already inside right? And why is it called MobileIron Sentry now? Sounds like name changes always happen right after the mess.
