Max-Severity Ivanti Flaw Exploited 24 Hours After Disclosure
A maximum-severity vulnerability in Ivanti Sentry is being actively exploited in the wild within 24 hours of disclosure, prompting CISA to add it to the Known Exploited Vulnerabilities catalog.

A maximum-severity vulnerability in Ivanti Sentry (CVE-2026-XXXX) is being actively exploited in the wild within 24 hours of disclosure, according to a report from Dark Reading. The rapid exploitation suggests attackers had pre-mapped Ivanti's asset landscape and quickly weaponized the public exploit once details emerged. Ivanti has released a patch, and CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the update immediately.
The vulnerability, which carries a CVSS score of 10.0, affects Ivanti Sentry, a gateway appliance used for secure remote access and mobile device management. While the exact technical mechanism has not been fully disclosed, the severity rating indicates remote code execution without authentication, making it a prime target for threat actors. The speed of exploitation—within a day of public disclosure—highlights the growing trend of attackers rapidly reverse-engineering patches to develop exploits.
Ivanti has been a frequent target in 2026, with multiple zero-day vulnerabilities disclosed across its product line, including Ivanti Connect Secure and Ivanti Policy Secure. The company has faced criticism for slow patch cycles and incomplete fixes, though in this case, a patch was released concurrently with the disclosure. CISA's KEV inclusion mandates that federal civilian agencies apply the fix by a specified deadline, typically within three weeks.
Organizations using Ivanti Sentry are urged to verify they are running the latest patched version and to check for signs of compromise. Indicators of compromise (IoCs) have not yet been publicly shared, but network defenders should monitor for unusual outbound connections or unauthorized administrative access. The Cybersecurity and Infrastructure Security Agency (CISA) has not yet released a specific advisory beyond the KEV entry.
The incident underscores a broader challenge in vulnerability management: the window between patch release and exploitation is shrinking. Attackers are increasingly using automated tools to scan for vulnerable instances as soon as patches are published, often before organizations can apply them. This has led to calls for faster patch deployment and the use of virtual patching or web application firewalls as interim mitigations.
This is the latest in a series of high-profile Ivanti vulnerabilities exploited in 2026, following a pattern of rapid weaponization. Security experts recommend that organizations maintain an accurate inventory of Ivanti Sentry deployments and prioritize patching based on exposure to the internet. The incident also highlights the importance of threat intelligence feeds that track exploit activity in real time.
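The inventory-and-exposure prioritization recommended above can be scripted against the KEV catalog. The following is an added example, not code from the report or from Ivanti or CISA: it joins an asset inventory to KEV entries and orders unpatched hosts by internet exposure and time left before the due date. The KEV excerpt follows the field layout of CISA's JSON feed, but its dates, the hostnames, the inventory fields and the non-Ivanti vendor are constructed for illustration, and the CVE id is the report's own elided placeholder.

```python
import json
from datetime import date

# Constructed excerpt in the layout of CISA's KEV JSON feed. The CVE id is the
# report's elided placeholder; both dates are made up for illustration.
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2026-XXXX", "vendorProject": "Ivanti", "product": "Sentry",
   "dateAdded": "2026-03-02", "dueDate": "2026-03-23"}
]}
"""

# Constructed asset inventory (hypothetical hostnames and field names).
INVENTORY = [
    {"host": "sentry-int-02", "vendor": "Ivanti", "product": "Sentry", "internet_exposed": False, "patched": False},
    {"host": "sentry-dmz-01", "vendor": "Ivanti", "product": "Sentry", "internet_exposed": True, "patched": False},
    {"host": "sentry-dmz-03", "vendor": "Ivanti", "product": "Sentry", "internet_exposed": True, "patched": True},
    {"host": "proxy-dmz-01", "vendor": "ExampleCorp", "product": "Proxy", "internet_exposed": True, "patched": False},
]

def triage(kev_json, inventory, today):
    """Return unpatched assets that match a KEV entry, most urgent first."""
    kev = {}
    for v in json.loads(kev_json)["vulnerabilities"]:
        key = (v["vendorProject"].lower(), v["product"].lower())
        kev.setdefault(key, []).append(v)
    findings = []
    for asset in inventory:
        if asset["patched"]:
            continue  # already on the fixed release, nothing to schedule
        key = (asset["vendor"].lower(), asset["product"].lower())
        for v in kev.get(key, []):
            days_left = (date.fromisoformat(v["dueDate"]) - today).days
            findings.append({
                "host": asset["host"], "cve": v["cveID"],
                "internet_exposed": asset["internet_exposed"],
                "days_left": days_left, "overdue": days_left < 0,
            })
    # Internet-facing hosts first, then whichever has the least time remaining.
    findings.sort(key=lambda f: (not f["internet_exposed"], f["days_left"], f["host"]))
    return findings

if __name__ == "__main__":
    for f in triage(KEV_JSON, INVENTORY, date(2026, 3, 20)):
        scope = "exposed" if f["internet_exposed"] else "internal"
        print(f["host"], f["cve"], scope, f"{f['days_left']}d left")
```

Matching on vendor and product alone treats every unpatched instance as affected; with the advisory's fixed-version information, the `patched` flag would be derived from the installed version instead.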