defense · BleepingComputer
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 26-04, ordering federal civilian agencies to patch CVE-2026-10520 in Ivanti Sentry security gateway appliances within three days. The vulnerability is an OS command injection flaw in Ivanti's gateway product. One day after Ivanti released patches and stated there was no evidence of exploitation, the Shadowserver Internet security watchdog reported that attackers had already compromised many internet-exposed Sentry gateways. CISA subsequently confirmed active exploitation and added the flaw to its Known Exploited Vulnerabilities Catalog, triggering the emergency patching mandate.
Defense contractors and federal agencies operating Ivanti Sentry appliances should treat this as a critical remediation priority under BOD 26-04 requirements, particularly if their instances are internet-exposed. Organizations subject to CMMC or NIST 800-171 compliance must demonstrate rapid response to actively exploited vulnerabilities in their CUI environments. Any federal or contractor entity still running unpatched Sentry gateways should assume compromise per Shadowserver's assessment. An Omniware engagement can help scope vulnerability management workflows, assess internet exposure, and validate patching compliance across your infrastructure.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/cisa-gives-feds-3-days-to-patch-ivanti-flaw-exploited-in-attacks/
Source: BleepingComputer
All briefings