SURIQ
A patched edge appliance is not automatically a clean one. That is the real lesson of CVE-2026-10520, the maximum-severity flaw in Ivanti Sentry that went from public proof-of-concept to mass scanning in a matter of hours. The Shadowserver Foundation reported that attackers had already backdoored internet-facing Sentry gateways around the same window the fixes shipped. So the patch closes the door, but if your gateway was reachable before you applied it, someone may already be inside. Patch, then hunt. Doing only the first half leaves a resident implant on one of the most trusted boxes in your perimeter.
What CVE-2026-10520 actually is
CVE-2026-10520 is an OS command injection vulnerability in Ivanti Sentry, the secure mobile gateway appliance formerly sold as MobileIron Sentry. It is rated 10.0, the top of the CVSS scale, because it needs no authentication and yields remote code execution as root. An attacker who can reach the appliance over the network runs commands with the highest privilege the box has, with nothing to bypass first.
The fixed builds are R10.5.2, R10.6.2, and R10.7.1. Anything earlier is vulnerable. SecurityWeek reported exploitation attempts hitting honeypots, and Security Affairs documented gateways compromised shortly after the patch release. Shadowserver tags vulnerable hosts as cve-2026-10520 in its daily Vulnerable HTTP report, which is the fastest free way to learn your own exposure.
Why patching is necessary but not sufficient
Here is the detail that should reshape your runbook: the patch and the attack overlapped in time. Shadowserver did not just see scanning. It saw gateways that were already backdoored. When a public exploit lands for an unauthenticated root bug on an internet-facing box, the gap between disclosure and your patch is a gap an automated scanner fills for you. A backdoor planted in that window survives the update, because patching the binary does not remove a web shell, a cron job, or a new account the attacker dropped first.
This is the same shape as two stories we covered this week. In the PeopleSoft PSEMHUB zero-day, the patch-management service itself became the breach. In Velvet Ant's decade in the auth stack, a trusted login path hid the persistence. Sentry is the same category of target: a middlebox the rest of the network is built to trust. Compromise it and you inherit that trust, which is why the correct response is patch and compromise assessment in parallel, not patch and close the ticket.
What CISA's BOD 26-04 actually changes
CISA confirmed active exploitation on June 11 and added the flaw to its Known Exploited Vulnerabilities catalog. It then invoked Binding Operational Directive 26-04, a new directive that supersedes BOD 19-02 and BOD 22-01. The change practitioners need to absorb: for internet-exposed assets added to the KEV catalog where exploitation can be automated, federal agencies now have three days to patch. The deadline for this one was Sunday, June 14.
The old BOD 22-01 cadence often gave roughly two weeks. That timeline assumed human-paced exploitation. A public PoC against an unauthenticated edge appliance is not human-paced; it is a script that finds and pops every reachable host overnight. BOD 26-04 is CISA catching policy up to attacker tempo, and the Ivanti flaw is its first live test. If you are not a federal agency, do not read the three-day clock as someone else's rule. Read it as the realistic service level for this class of bug.
What to do in the first hour
If you operate Ivanti Sentry, the order of operations matters more than the speed.
-
Patch to
R10.5.2,R10.6.2, orR10.7.1. This stops new exploitation. It does not undo old exploitation. -
Take the admin portal off the public internet. Shadowserver counted only a few dozen exposed Sentry admin portals, so most of the fleet should never have been reachable in the first place. Exposure is the precondition for the whole attack.
-
Assume any pre-patch exposed gateway is compromised and hunt accordingly. Look for new or unexpected root processes, unfamiliar binaries and web shells on the appliance, configuration changes you did not make, new local accounts, and outbound connections from the gateway to destinations it has no reason to reach.
-
Pivot the hunt inward. Sentry brokers access between mobile devices and internal systems. If it was held, treat authentication and sessions that flowed through it during the exposure window as suspect, not trusted.
One more operational note. Ivanti's own advisory was slow to confirm in-the-wild exploitation even as Shadowserver tracked mass scanning, and the vendor initially reported no evidence of attacks. Do not gate your incident response on a vendor confirming what your telemetry already implies. A maximum-severity unauthenticated RCE on an edge box with public exploit code is exploited by default until you prove your instance was not reachable.
The pattern worth keeping
Edge appliances keep teaching the same lesson and security teams keep paying tuition. The gateway, the patch service, the auth stack: each is a trusted intermediary whose compromise hands an attacker a position the network model assumes is safe. The fix is not a single patch. It is treating these boxes as the high-value targets they are, keeping their management planes off the public internet, and building a reflex to hunt the moment a critical disclosure lands rather than waiting for a deadline to force the question.