Cyber Security Published on June 11, 2026
CISA orders federal agencies to patch Ivanti Sentry CVE-2026-10520 in 3 days
CISA has added CVE-2026-10520, a critical command-injection vulnerability in Ivanti Sentry, to its Known Exploited Vulnerabilities (KEV) catalog. The agency is requiring federal agencies to remediate the flaw within three days under Binding Operational Directive 26-04.
The vulnerability can allow unauthenticated attackers to execute arbitrary commands on affected appliances, making it a high-value target for threat actors seeking network access and persistence.
Shadowserver reported widespread exploitation in the wild after a public proof-of-concept became available. Security teams are urged to apply the vendor patch immediately and monitor affected systems for signs of compromise.
Source: CISA KEV / BleepingComputer