Security Vulnerabilities

CISA mandates Ivanti Sentry patch for federal agencies by 15 June

U.S. cybersecurity agency sets three-day deadline after active exploitation of critical Ivanti Sentry flaw.


A critical vulnerability in Ivanti Sentry, a security gateway appliance used by enterprises to manage mobile devices, has triggered an emergency patching directive from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The flaw, tracked as CVE-2026-10520, allows remote attackers to execute arbitrary commands on unpatched systems by exploiting an OS command injection weakness in the appliance’s management interface. Ivanti released patches on 10 June 2026, but evidence of active exploitation emerged within days, prompting CISA to enforce a three-day remediation window for federal agencies under Binding Operational Directive (BOD) 26-04.

What triggered the directive

CISA added CVE-2026-10520 to its Known Exploited Vulnerabilities (KEV) catalog on 12 June 2026 after security researchers at Shadowserver reported observing exploitation attempts against internet-exposed Ivanti Sentry instances. The vulnerability carries a CVSS score of 10, indicating maximum severity. However, Ivanti has emphasized that successful exploitation requires access to the appliance’s management port (8443), which should not be exposed to the public internet under recommended security practices. The company told BleepingComputer that CISA’s inclusion of the flaw in the KEV catalog was based on attacks against honeypots—deliberately vulnerable systems used to study attacker behavior—rather than confirmed breaches of production environments.

Despite Ivanti’s reassurances, Shadowserver’s data suggests that many organizations have not followed secure deployment guidelines. The security firm identified over 50 exposed Ivanti Sentry admin portals online, though it acknowledged that its scans may not detect all instances due to network-level blocking. Shadowserver warned that systems remaining unpatched by 12 June were "most likely compromised," given the rapid adoption of publicly available proof-of-concept exploits.

Why the deadline is aggressive

CISA’s directive reflects the agency’s updated approach to vulnerability management under BOD 26-04, which took effect on 11 June 2026. The new directive supersedes older policies and prioritizes patching for vulnerabilities that meet specific criteria: active exploitation, potential for automated large-scale attacks, or the ability to grant attackers control over a system. CVE-2026-10520 meets all three conditions, as attackers have already demonstrated the ability to backdoor vulnerable appliances.

Federal agencies are required to either patch the vulnerability by 15 June 2026, apply mitigations for cloud-based deployments, or discontinue use of the product if remediation is not feasible. The directive applies to all Federal Civilian Executive Branch (FCEB) agencies, though CISA encourages private-sector organizations to adopt the same timeline. This is the first vulnerability addressed under BOD 26-04, but CISA has issued similar three-day deadlines for other actively exploited flaws in recent weeks, including a Check Point VPN zero-day and a cPanel plugin vulnerability.

What organizations should do

Ivanti has urged customers to apply the available patches immediately and review their network configurations to ensure that management ports are not exposed to the internet. The company also recommended restricting access to trusted IP addresses as an additional safeguard. For organizations unable to patch immediately, Ivanti provided temporary mitigation steps, including disabling the affected management interface until updates can be deployed.
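The review of network configuration described above can be automated against an exported rule set. The following is an added example, not code from Ivanti or CISA: it flags inbound allow rules that let sources outside a trusted-network list reach port 8443. The rule tuple format, rule names and all networks are constructed assumptions.

```python
import ipaddress

MGMT_PORT = 8443  # Ivanti Sentry management port named in the article

# Constructed sample: networks allowed to administer the appliance (assumption).
TRUSTED_NETS = ["10.20.0.0/24", "192.0.2.16/28"]

# Constructed sample of inbound allow rules exported from a firewall:
# (rule name, source CIDR, first destination port, last destination port)
SAMPLE_RULES = [
    ("admin-vlan", "10.20.0.0/24", 8443, 8443),
    ("jump-host", "192.0.2.20/32", 8443, 8443),
    ("legacy-any", "0.0.0.0/0", 8000, 9000),     # port range silently covers 8443
    ("partner", "198.51.100.0/24", 8443, 8443),
    ("mdm-sync", "0.0.0.0/0", 443, 443),         # not the management port
    ("wide-admin", "10.0.0.0/8", 8443, 8443),    # broader than the trusted /24
]


def audit_mgmt_exposure(rules, trusted_nets, port=MGMT_PORT):
    """Return names of allow rules whose source is not fully inside a trusted network."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for name, src, lo, hi in rules:
        if not lo <= port <= hi:
            continue  # rule does not cover the management port
        src_net = ipaddress.ip_network(src, strict=False)
        # A rule is acceptable only if its whole source range sits inside one
        # trusted network; the version check avoids comparing IPv4 with IPv6.
        covered = any(
            src_net.version == t.version and src_net.subnet_of(t) for t in trusted
        )
        if not covered:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for rule_name in audit_mgmt_exposure(SAMPLE_RULES, TRUSTED_NETS):
        print(f"rule '{rule_name}' exposes port {MGMT_PORT} beyond trusted networks")
```
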

Security researchers have noted that Ivanti products have been frequent targets for attackers, including ransomware groups. Over the past three years, CISA has flagged 35 vulnerabilities in Ivanti software that were exploited in real-world attacks, with 12 of those targeted by ransomware operators. The repeated exploitation of Ivanti flaws underscores the importance of proactive vulnerability management, particularly for appliances that serve as gateways to enterprise networks.

For professionals

Organizations using Ivanti Sentry should prioritize patching CVE-2026-10520 within the next 24 hours, even if the appliance is not directly exposed to the internet. Internal network segmentation and access controls should be reviewed to limit lateral movement in the event of a compromise. Security teams should also monitor for indicators of compromise, as exploitation attempts may escalate following CISA’s directive.
