CISA orders feds to patch actively exploited Ivanti flaw by Sunday

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has directed federal agencies to patch an actively exploited Ivanti Sentry vulnerability within three days under Binding Operational Directive (BOD) 26-04. The issue, CVE-2026-10520, affects Ivanti's security gateway appliance (formerly known as MobileIron Sentry) and involves an OS command injection weakness that enables attackers to execute code. CISA added CVE-2026-10520 to its Known Exploited Vulnerabilities (KEV) catalog after reports of widespread in-the-wild exploitation attempts, with security researchers warning that potentially unpatched systems are likely already compromised.