U.S. CISA Mandates Immediate Patching of Exploited Ivanti Sentry Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated that federal agencies patch an actively exploited Ivanti Sentry vulnerability within three days because of its severe risk of remote code execution. The directive follows the disclosure of CVE-2026-10520, an OS command injection flaw in Ivanti's security gateway appliance. With Shadowserver reporting widespread exploitation attempts, immediate action is crucial for affected organizations.
Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive to federal agencies to patch the Ivanti Sentry vulnerability, tracked as CVE-2026-10520, within three days. This flaw, discovered in Ivanti's security gateway appliance, allows attackers to execute commands remotely due to a command injection weakness. Despite Ivanti releasing patches and initially denying evidence of exploitation, Shadowserver has reported extensive backdoor attempts on exposed Sentry gateways. CISA's Binding Operational Directive (BOD) 26-04 underscores the critical nature of this vulnerability, emphasizing its potential for large-scale automated attacks that could grant attackers partial or total control over targeted systems.
What happened
CISA's recent directive highlights a significant security concern: CVE-2026-10520 in Ivanti Sentry. This vulnerability stems from an OS command injection flaw that lets remote, unauthenticated users achieve root-level code execution. Initially, Ivanti denied any evidence of active exploitation following the release of patches. However, Shadowserver reported that attackers had already exploited this vulnerability on numerous exposed gateways. The urgency is compounded by CISA's addition of CVE-2026-10520 to its Known Exploited Vulnerabilities Catalog, which requires federal agencies to address it within three days under BOD 26-04.
Technical details
The technical crux of CVE-2026-10520 is an OS command injection vulnerability. It allows attackers to execute arbitrary commands on the Ivanti Sentry appliance if the appliance is unmanaged and its endpoints are externally reachable. The risk is heightened when the appliance is not configured for mTLS with EPMM or for restricted HTTPS access through Neurons for MDM, since those settings are what keep its interfaces from being reachable by external actors. CISA's directive emphasizes that this vulnerability poses a significant threat because exploitation can be automated in large-scale attacks.
Affected products and fixed versions
The affected product is Ivanti Sentry (formerly MobileIron Sentry), with vulnerabilities present in versions up to R10.5.2, R10.6.2, and R10.7.1. Patches have been released by Ivanti for these versions to mitigate the risk of exploitation.
Exploitation status
CVE-2026-10520 is confirmed as actively exploited. Shadowserver's reports indicate a surge in exploitation attempts following the public release of proof-of-concept code. CISA has also acknowledged active exploitation and included this vulnerability in its Known Exploited Vulnerabilities Catalog, underscoring the urgency for federal agencies to patch affected systems.
Indicators of compromise
While specific indicators of compromise (IOCs) are not detailed in the sources, organizations should monitor for unusual command execution patterns on their Ivanti Sentry appliances. Shadowserver's detection efforts suggest that many exposed instances have been compromised, highlighting the need for immediate patching and network monitoring.
Detection opportunities
Organizations can detect potential exploitation by monitoring for unexpected command execution on Ivanti Sentry appliances and for suspicious network traffic originating from them. Intrusion detection systems (IDS) with rules tailored to command injection patterns can provide early warning of compromise.
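The process-lineage check that the indicators-of-compromise and detection-opportunities sections above call for, as an added example that is not from the advisory, CISA, or Ivanti: it parses constructed exec records and flags shells or download tools whose parent chain leads back to the appliance's externally reachable web front end, whatever user they run as by then. The front-end path, the binary list and the sample log are assumptions.

```python
import re
from dataclasses import dataclass

WEB_FRONTEND_EXE = "/opt/appliance/bin/webfront"   # assumed path of the HTTPS front end
# Interpreters and download tools a gateway's web front end should never spawn.
SUSPICIOUS_EXES = {"/bin/sh", "/bin/bash", "/usr/bin/perl", "/usr/bin/python3",
                   "/usr/bin/curl", "/usr/bin/wget", "/usr/bin/nc"}

# One key=value record per exec, as an auditd-style forwarder might emit it.
LINE_RE = re.compile(r'ts=(?P<ts>\S+) user=(?P<user>\S+) pid=(?P<pid>\d+) '
                     r'ppid=(?P<ppid>\d+) exe=(?P<exe>\S+) argv="(?P<argv>[^"]*)"')

# Constructed sample: a benign root maintenance job under init (pid 1), and two
# execs descending from the front end, the second one after escalating to root.
SAMPLE_LOG = """\
ts=2026-06-13T02:11:05Z user=svc-web pid=2210 ppid=1 exe=/opt/appliance/bin/webfront argv="webfront --listen 443"
ts=2026-06-13T02:11:09Z user=svc-web pid=2288 ppid=2210 exe=/bin/sh argv="sh -c id"
ts=2026-06-13T02:11:10Z user=root pid=2301 ppid=1 exe=/usr/bin/python3 argv="python3 /opt/maint/rotate_logs.py"
ts=2026-06-13T02:11:12Z user=root pid=2305 ppid=2288 exe=/usr/bin/curl argv="curl http://203.0.113.9/"
"""

@dataclass(frozen=True)
class Alert:
    ts: str
    pid: int
    user: str
    exe: str
    argv: str

def parse_records(log_text):
    """One dict per well-formed line; malformed lines are skipped, not fatal."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def descends_from_web(pid, by_pid, seen=None):
    """Follow ppid links upward; True once the chain reaches the web front end."""
    seen = set() if seen is None else seen
    rec = by_pid.get(pid)
    if rec is None or pid in seen:   # reached init/unknown parent, or a cycle
        return False
    if rec["exe"] == WEB_FRONTEND_EXE:
        return True
    seen.add(pid)
    return descends_from_web(int(rec["ppid"]), by_pid, seen)

def find_suspicious_execs(log_text=SAMPLE_LOG):
    """Alert on suspicious binaries whose ancestry includes the front end, any user."""
    recs = parse_records(log_text)
    by_pid = {int(r["pid"]): r for r in recs}
    return [Alert(r["ts"], int(r["pid"]), r["user"], r["exe"], r["argv"]) for r in recs
            if r["exe"] in SUSPICIOUS_EXES and descends_from_web(int(r["ppid"]), by_pid)]
```

Walking the parent chain rather than matching on the service account is what catches the second alert in the sample, where the spawned process has already become root.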
Timeline
- June 11, 2026: CISA adds CVE-2026-10520 to its Known Exploited Vulnerabilities Catalog.
- June 12, 2026: Ivanti releases patches for the vulnerability and initially denies evidence of exploitation.
- June 13, 2026: Shadowserver reports widespread exploitation attempts on exposed Ivanti Sentry gateways.
- June 14, 2026: CISA issues BOD 26-04, mandating federal agencies to patch the vulnerability within three days.
Why this matters for defenders
For defenders, the active exploitation of CVE-2026-10520 underscores the critical importance of timely patch management and network monitoring. The ability of attackers to execute remote commands on exposed Ivanti Sentry appliances poses a significant threat to organizational security. Defenders must prioritize patching vulnerable systems and enhancing detection capabilities to mitigate the risk of large-scale automated attacks.
What remains unclear
While the exploitation status of CVE-2026-10520 is confirmed, specific details about the actors behind these attacks remain undisclosed. Additionally, the full extent of compromised systems beyond those reported by Shadowserver is not yet known. Organizations should remain vigilant and conduct thorough assessments to identify any potential breaches.
Defender guidance
Defenders must act swiftly to patch all affected Ivanti Sentry appliances under CISA's BOD 26-04 directive. Deploying network monitoring to detect command injection attempts, and ensuring that every endpoint is managed and secured against unauthorized access, is crucial. Regularly reviewing security advisories and keeping patches current will help mitigate the risk of similar vulnerabilities in the future.
Sources
- https://www.bleepingcomputer.com/news/security/cisa-gives-feds-3-days-to-patch-ivanti-flaw-exploited-in-attacks/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-10520
- https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US
- https://nvd.nist.gov/vuln/detail/CVE-2026-10520
