CISA Issues 72-Hour Patch Mandate for Actively Exploited Ivanti Sentry Flaw
What Happened
CISA issued Binding Operational Directive (BOD) 26-04 on June 12, ordering all federal civilian agencies to patch an actively exploited vulnerability in Ivanti Sentry within three days — a Sunday deadline. The compressed window, far shorter than the standard 15–21 day BOD timeline, signals confirmed, spreading exploitation. The flaw is already being weaponized in real-world attacks.
Why It Matters
Ivanti Sentry (formerly MobileIron Sentry) is an enterprise gateway that sits between mobile devices and backend systems — Exchange, SharePoint, ActiveSync. A compromised Sentry instance hands attackers a pivot point into internal infrastructure, the ability to intercept mobile communications, and potentially credentials flowing through the gateway.
This isn't a surprise target. Throughout 2024 and 2025, Ivanti products — Connect Secure, Policy Secure, Neurons — were hit repeatedly by zero-days exploited before patches shipped. Nation-state actors, ransomware groups, and initial access brokers have all demonstrated sustained interest in Ivanti's attack surface. When CISA shortens a remediation window to 72 hours, it means exploitation is confirmed and likely already broad.
BOD 26-04 formally applies only to Federal Civilian Executive Branch agencies, but CISA's Known Exploited Vulnerabilities catalog is a recommended priority list for everyone. Any flaw serious enough to earn an emergency BOD deserves the same urgency outside the federal perimeter.
What To Do
If you run Ivanti Sentry:
- Patch now, not Sunday. Active exploitation means working exploits are already in circulation. Check Ivanti's security advisories for the patched build and deploy immediately.
- Hunt for compromise before patching. Patching an already-owned system doesn't evict an attacker. Review authentication logs, audit admin sessions, and check for unexpected configuration changes. Ivanti typically publishes IoC guidance alongside patches.
- Verify network segmentation. A Sentry instance should not have unrestricted internal reach. Confirm firewall rules limit lateral movement if the box is compromised.
- Cross-reference the KEV catalog. The specific CVE will be listed at cisa.gov/known-exploited-vulnerabilities-catalog with the exact remediation requirement — confirm your patch addresses it.
- If you can't patch by Sunday: Isolate Sentry from external access, implement compensating controls, and document the exception. Federal agencies must formally report non-compliance under BOD 26-04.
If you don't run Ivanti Sentry: Use this as a forcing function to audit your full Ivanti inventory. The product line is broad, active CVEs span multiple products, and the sustained threat actor interest in Ivanti means any unpatched instance carries real risk.
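To make the KEV cross-reference and the inventory audit repeatable, here is an added example (not part of the original brief, and not a CISA or Ivanti tool) that filters a KEV-shaped JSON feed to one vendor, flags entries whose added-to-due window is three days or less, and ranks them against the products you actually run. The feed content, CVE ids and dates below are constructed placeholders; the real feed is the catalog's JSON export at cisa.gov.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE ids, dates and actions are placeholders, not real catalog entries.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "Ivanti", "product": "Sentry",
     "dateAdded": "2026-06-12", "dueDate": "2026-06-15",
     "requiredAction": "placeholder"},
    {"cveID": "CVE-0000-00002", "vendorProject": "Ivanti", "product": "Connect Secure",
     "dateAdded": "2026-05-20", "dueDate": "2026-06-10",
     "requiredAction": "placeholder"},
    {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor", "product": "Widget",
     "dateAdded": "2026-06-01", "dueDate": "2026-06-22",
     "requiredAction": "placeholder"},
]})

EMERGENCY_WINDOW_DAYS = 3  # a BOD 26-04 style 72-hour deadline vs. the usual 15-21 days


def triage_kev(feed_text, vendor, inventory, today_iso):
    """Filter a KEV feed to one vendor and rank its entries for remediation.

    inventory: set of product names you actually run, e.g. {"Sentry"}.
    today_iso: today's date as YYYY-MM-DD.
    Returns a list of dicts, products you run first, then fewest days left.
    """
    today = date.fromisoformat(today_iso)
    results = []
    for v in json.loads(feed_text)["vulnerabilities"]:
        if v["vendorProject"].lower() != vendor.lower():
            continue
        added = date.fromisoformat(v["dateAdded"])
        due = date.fromisoformat(v["dueDate"])
        results.append({
            "cve": v["cveID"],
            "product": v["product"],
            "deployed": v["product"] in inventory,
            # A very short added-to-due window is CISA signalling confirmed exploitation
            "emergency": (due - added).days <= EMERGENCY_WINDOW_DAYS,
            "days_left": (due - today).days,  # negative means already overdue
            "action": v["requiredAction"],
        })
    results.sort(key=lambda r: (not r["deployed"], r["days_left"]))
    return results


if __name__ == "__main__":
    for r in triage_kev(SAMPLE_KEV, "Ivanti", {"Sentry"}, "2026-06-13"):
        flag = "EMERGENCY" if r["emergency"] else "standard"
        status = "OVERDUE" if r["days_left"] < 0 else f"{r['days_left']}d left"
        print(f"{r['cve']:15} {r['product']:16} {flag:9} {status:8} deployed={r['deployed']}")
```

Entries for products not in your inventory still appear (ranked last) so the "audit your full Ivanti inventory" step surfaces anything you forgot you were running.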
The three-day window isn't bureaucratic scheduling — it's a signal about how bad active exploitation already is. Treat it accordingly.
Synthesized by Claude · sanity-checked before publish.