The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered civilian federal agencies to urgently remediate a critical vulnerability in Ivanti Sentry within just three days, following evidence that attackers are already actively compromising systems.
The directive is based on the newly introduced Binding Operational Directive 26-04, marking a significant escalation in federal response requirements. The vulnerability, tracked as CVE-2026-10520, affects the widely deployed Ivanti Sentry security gateway, formerly known under the MobileIron Sentry brand.
OS Command Injection Enables Remote System Takeover
The flaw is classified as an OS command injection vulnerability, allowing remote attackers to inject and execute unauthorized operating system commands on affected systems. CISA has rated the issue as critical severity and has immediately added it to its Known Exploited Vulnerabilities (KEV) catalog, signaling confirmed real-world abuse.
Rapid Shift From “No Exploitation” to Active Attacks
Ivanti initially released a security patch on Wednesday and stated in its early advisory that there was no evidence of active exploitation at the time. However, cybersecurity monitoring group Shadowserver later reported that attackers had already begun deploying backdoors on multiple internet-exposed Sentry gateways.
Security researchers observed a surge in attack activity after a working proof-of-concept exploit was publicly released online.
In an urgent warning, Shadowserver stated:
“If you have not patched by now, you are most likely compromised.”
The group also noted that the number of exposed administrative interfaces is likely higher than scan data suggests, as some organizations block security scanners by filtering IP ranges.
First Real-World Test of New CISA Rulebook
CVE-2026-10520 represents the first known case to be enforced under BOD 26-04, CISA’s updated federal cybersecurity framework. The directive replaces earlier response rules and mandates remediation within 72 hours when specific conditions are met.
These include internet-facing exposure, inclusion in the KEV catalog, potential for scalable automated exploitation, and the ability for attackers to gain full system control upon successful compromise.
In recent years, CISA has flagged 35 Ivanti-related vulnerabilities across various products as actively exploited, including at least 12 linked to ransomware groups, underscoring the persistent targeting of Ivanti systems in real-world attacks.