News · The Broadside

CISA adds Ivanti Sentry flaw to KEV catalog

The listing turns an Ivanti patch decision into a federal priority item, with the exact remediation date left to the catalog.


TL;DR

CISA added CVE-2026-10520, an Ivanti Sentry OS command injection vulnerability, to the Known Exploited Vulnerabilities catalog based on evidence of active exploitation. Federal Civilian Executive Branch agencies must prioritize remediation under Binding Operational Directive 26-04 for covered publicly exposed assets. Contractors and C3PAOs supporting federal environments should verify patch status and whether pre-patch compromise checks are required.

CISA’s June 11 KEV update is routine but operationally narrow: CVE-2026-10520 is now a federal priority vulnerability because CISA says it has evidence of active exploitation. Binding Operational Directive 26-04 applies to Federal Civilian Executive Branch agencies. It updates the older BOD 22-01 model by prioritizing rapid remediation for high-risk KEV-listed vulnerabilities on publicly exposed assets that grant total control after exploitation. For contractors, C3PAOs, and federal support teams, the Monday task is straightforward: identify Ivanti Sentry exposure, confirm remediation against CISA and vendor guidance, and determine whether BOD 26-04’s compromise-check expectations apply before calling the asset clean.


Published · Deep Fathom