CISA ordered U.S. federal agencies to patch the actively exploited Ivanti Sentry flaw CVE-2026-10520 within three days after it was added to the KEV Catalog under BOD 26-04. Shadowserver reported widespread exploitation attempts and likely compromise of unpatched Internet-exposed Ivanti Sentry gateways. #CVE-2026-10520 #IvantiSentry #CISA #Shadowserver #BOD26-04
Keypoints
- CVE-2026-10520 is a maximum-severity OS command injection flaw in Ivanti Sentry.
- CISA confirmed the vulnerability is being actively exploited in attacks.
- Federal Civilian Executive Branch agencies must patch Ivanti Sentry within three days.
- Shadowserver warned that unpatched exposed instances are likely already compromised.
- CISA has flagged many Ivanti flaws in the past, including several abused by ransomware gangs.