CISA orders feds to patch actively exploited Ivanti flaw by Sunday

CISA orders feds to patch actively exploited Ivanti flaw by Sunday

CISA ordered U.S. federal agencies to patch the actively exploited Ivanti Sentry flaw CVE-2026-10520 within three days after it was added to the KEV Catalog under BOD 26-04. Shadowserver reported widespread exploitation attempts and likely compromise of unpatched Internet-exposed Ivanti Sentry gateways. #CVE-2026-10520 #IvantiSentry #CISA #Shadowserver #BOD26-04

Keypoints

  • CVE-2026-10520 is a maximum-severity OS command injection flaw in Ivanti Sentry.
  • CISA confirmed the vulnerability is being actively exploited in attacks.
  • Federal Civilian Executive Branch agencies must patch Ivanti Sentry within three days.
  • Shadowserver warned that unpatched exposed instances are likely already compromised.
  • CISA has flagged many Ivanti flaws in the past, including several abused by ransomware gangs.

Read More: https://www.bleepingcomputer.com/news/security/cisa-gives-feds-3-days-to-patch-ivanti-flaw-exploited-in-attacks/