CISA Orders Feds to Patch Actively Exploited Ivanti Flaw by Sunday

BleepingComputer, Jun 12, 2026

Why It Matters

The rapid, active exploitation of a high‑severity gateway flaw threatens the integrity of federal networks and highlights the urgency of coordinated government‑wide patching policies.

Key Takeaways

  • Ivanti Sentry CVE‑2026‑10520 allows OS command injection
  • Shadowserver detected over 50 exposed admin portals, likely undercount
  • CISA's BOD 26‑04 forces three‑day patch deadline for federal agencies
  • Active exploitation confirmed; unpatched systems probably compromised

Pulse Analysis

The Ivanti Sentry platform, formerly known as MobileIron Sentry, serves as a security gateway for many government and enterprise environments. CVE‑2026‑10520 is an OS command‑injection weakness that can grant attackers arbitrary code execution, effectively handing over control of the gateway. Shadowserver’s monitoring revealed more than 50 publicly reachable admin portals, a figure that likely understates the true exposure because many organizations block scanning tools. The vulnerability’s maximum severity rating and the presence of a public proof‑of‑concept have accelerated its abuse in the wild, prompting immediate concern among cybersecurity teams.

CISA’s Binding Operational Directive 26‑04 marks a decisive policy shift, moving from advisory notices to enforceable mandates with a three‑day compliance window. This is the first BOD to apply specifically to a vulnerability added to the KEV catalog, underscoring the agency’s intent to prioritize threats that are actively exploited and can be automated at scale. The directive also replaces earlier BOD 19‑02 and BOD 22‑01, reflecting a streamlined approach that ties patching urgency to exposure, exploitation status, and potential impact. Recent BODs have similarly targeted a Check Point VPN zero‑day, an Oracle WebLogic flaw, and a cPanel plugin issue, indicating a broader trend toward rapid federal response.

For federal entities, the directive means immediate inventory checks, rapid deployment of Ivanti’s patch, and verification that no unpatched instances remain internet‑exposed. Agencies that cannot remediate quickly may need to suspend use of the product, a move that could disrupt workflows but mitigates risk. The incident also serves as a warning to the private sector: vulnerabilities in widely deployed security appliances can become high‑impact attack vectors, and proactive patch management is essential to avoid similar compromises. Organizations should adopt continuous monitoring, enforce strict change‑control processes, and stay aligned with CISA’s KEV updates to safeguard their networks.
