# [HIGH] CISA orders feds to patch actively exploited Ivanti flaw by Sunday

**Source:** BleepingComputer
**Published:** 2026-06-12
**Article:** https://www.bleepingcomputer.com/news/security/cisa-gives-feds-3-days-to-patch-ivanti-flaw-exploited-in-attacks/

## Threat Profile

By Sergiu Gatlan, June 12, 2026, 04:26 AM
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to patch an actively exploited Ivanti Sentry flaw within three days, as mandated by the newly issued Binding Operational Directive (BOD) 26-04.
Tracked as CVE-2026-10520, this maximum-severity vulnerability was found in Ivanti's security gateway appliance (formerly known as MobileIron Sentry) …

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-10520`
- **CVE:** `CVE-2026-10523`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1486** — Data Encrypted for Impact
- **T1003.001** — LSASS Memory
- **T1003** — OS Credential Dumping
- **T1021.002** — SMB/Windows Admin Shares
- **T1569.002** — Service Execution
- **T1059.004** — Command and Scripting Interpreter: Unix Shell
- **T1071.001** — Application Layer Protocol: Web Protocols
- **T1133** — External Remote Services
- **T1595.002** — Active Scanning: Vulnerability Scanning

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Ivanti Sentry CVE-2026-10520 handleMessage exploit attempt (commandexec XML)

`UC_34_4` · phase: **exploit** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count, values(Web.http_method) as methods, values(Web.status) as statuses, values(Web.http_user_agent) as user_agents, min(_time) as firstSeen, max(_time) as lastSeen from datamodel=Web.Web where (Web.url="*/mics/api/v2/sentry/mics-config/handleMessage*" OR Web.uri_path="*/mics/api/v2/sentry/mics-config/handleMessage*") by Web.src Web.dest Web.dest_port Web.url
| `drop_dm_object_name(Web)`
| where match(methods, "(?i)POST")
| eval cve="CVE-2026-10520", product="Ivanti Sentry"
| convert ctime(firstSeen) ctime(lastSeen)
| sort - count
```

**Defender KQL:**
```kql
// DeviceNetworkEvents records connections initiated by onboarded endpoints (RemoteUrl is the
// destination), so this surfaces hosts reaching the handleMessage endpoint, not requests arriving
// at the appliance itself; pair it with the web/WAF-log SPL above for inbound coverage.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "/mics/api/v2/sentry/mics-config/handleMessage"
   or tostring(AdditionalFields) has "/mics/api/v2/sentry/mics-config/handleMessage"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, ReportId
| order by Timestamp desc
```

### Shell or recon binary spawned by Tomcat/Java on Ivanti Sentry (CVE-2026-10520 post-exploitation)

`UC_34_5` · phase: **exploit** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count, values(Processes.process) as cmdlines, min(_time) as firstSeen, max(_time) as lastSeen from datamodel=Endpoint.Processes where (Processes.parent_process_name IN ("java","catalina.sh","tomcat","jsvc") OR Processes.parent_process_path="*/tomcat*" OR Processes.parent_process_path="*/mobileiron/*" OR Processes.parent_process_path="*/ivanti/*") AND Processes.process_name IN ("sh","bash","dash","zsh","ksh","nc","ncat","curl","wget","python","python3","perl","ruby","id","whoami","uname") by host Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process
| `drop_dm_object_name(Processes)`
| eval cve="CVE-2026-10520"
| convert ctime(firstSeen) ctime(lastSeen)
| sort - count
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("java","catalina.sh","tomcat","jsvc")
   or InitiatingProcessFolderPath has_any (@"/opt/mobileiron/", @"/opt/ivanti/", @"/var/lib/tomcat", @"/usr/share/tomcat", @"/mi/")
| where FileName in~ ("sh","bash","dash","zsh","ksh","nc","ncat","curl","wget","python","python3","perl","ruby","id","whoami","uname","hostname")
| where AccountName !endswith "$"
| project Timestamp, DeviceName, AccountName, ParentImage = InitiatingProcessFolderPath, ParentCmd = InitiatingProcessCommandLine, ChildImage = FolderPath, ChildCmd = ProcessCommandLine, SHA256, Cve = "CVE-2026-10520"
| order by Timestamp desc
```

### Ivanti Sentry instances vulnerable to CVE-2026-10520 / CVE-2026-10523

`UC_34_6` · phase: **recon** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count, values(Vulnerabilities.signature) as signatures, values(Vulnerabilities.vendor_product) as products, max(_time) as lastSeen from datamodel=Vulnerabilities.Vulnerabilities where Vulnerabilities.cve IN ("CVE-2026-10520","CVE-2026-10523") by Vulnerabilities.dest Vulnerabilities.cve Vulnerabilities.severity
| `drop_dm_object_name(Vulnerabilities)`
| eval bod_deadline="BOD 26-04: patch within 3 days of KEV addition", required_version="R10.5.2 / R10.6.2 / R10.7.1"
| convert ctime(lastSeen)
| sort - severity dest
```

**Defender KQL:**
```kql
// DeviceTvmSoftwareVulnerabilities is a current-state snapshot table: it has no Timestamp column,
// so it must not be time-filtered or arg_max'ed on Timestamp. Only the DeviceInfo side is time-bound.
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2026-10520","CVE-2026-10523")
   or (SoftwareVendor =~ "ivanti" and SoftwareName has_any ("sentry","mobileiron sentry"))
| distinct DeviceId, DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel, RecommendedSecurityUpdate
| join kind=leftouter (
    DeviceInfo
    | where Timestamp > ago(2d)
    | summarize arg_max(Timestamp, IsInternetFacing, PublicIP) by DeviceId
  ) on DeviceId
| project DeviceName, DeviceId, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel, RecommendedSecurityUpdate, IsInternetFacing, PublicIP, LastDeviceReport = Timestamp, RequiredVersion = "R10.5.2 / R10.6.2 / R10.7.1"
| order by IsInternetFacing desc, VulnerabilitySeverityLevel desc
```

### External / non-internal HTTP access to Ivanti Sentry /mics admin portal

`UC_34_7` · phase: **delivery** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count, dc(Web.url) as distinct_urls, values(Web.url) as urls, values(Web.http_method) as methods, values(Web.status) as statuses, min(_time) as firstSeen, max(_time) as lastSeen from datamodel=Web.Web where (Web.url="*/mics/*" OR Web.url="*/mifs/*" OR Web.url="*/deviceadmin*") by Web.src Web.dest Web.dest_port
| `drop_dm_object_name(Web)`
| search NOT (src="10.0.0.0/8" OR src="172.16.0.0/12" OR src="192.168.0.0/16" OR src="100.64.0.0/10")
| iplocation src
| eval cve="CVE-2026-10520"
| convert ctime(firstSeen) ctime(lastSeen)
| sort - count
```

**Defender KQL:**
```kql
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("/mics/","/mifs/","/deviceadmin")
| where RemoteIPType == "Public"
| summarize Hits=count(), URLs=make_set(RemoteUrl, 25), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
| order by Hits desc
```

### Ransomware-style mass file rename / extension change

`UC_RANSOM_ENCRYPT` · phase: **actions** · confidence: **Medium**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count, dc(Filesystem.file_name) AS files
    from datamodel=Endpoint.Filesystem
    where Filesystem.action IN ("modified","renamed")
    by Filesystem.dest, Filesystem.user, _time span=1m
| `drop_dm_object_name(Filesystem)`
| where files > 200
| sort - files
```

**Defender KQL:**
```kql
DeviceFileEvents
| where Timestamp > ago(1d)
| where InitiatingProcessAccountName !endswith "$"
| where ActionType in ("FileRenamed","FileModified")
| summarize files = dcount(FileName) by DeviceName, InitiatingProcessAccountName, bin(Timestamp, 1m)
| where files > 200    // empirical: > 200 unique-file renames in 1m by one account on one host
                       //            is well above the P99 of legitimate bulk-tooling
| order by files desc
```

### LSASS process access / dump (credential theft)

`UC_LSASS` · phase: **actions** · confidence: **High**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where (Processes.process="*lsass*" OR Processes.process="*sekurlsa*"
        OR Processes.process="*MiniDump*" OR Processes.process="*comsvcs.dll*MiniDump*"
        OR Processes.process="*procdump*lsass*")
       OR (Processes.process_name="rundll32.exe" AND Processes.process="*comsvcs*MiniDump*")
    by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name
| `drop_dm_object_name(Processes)`
```

**Defender KQL:**
```kql
DeviceEvents
| where Timestamp > ago(7d)
| where AccountName !endswith "$"
| where ActionType == "OpenProcessApiCall"
| where FileName =~ "lsass.exe"
| where InitiatingProcessFileName !in~ ("MsSense.exe","MsMpEng.exe","csrss.exe",
                                          "svchost.exe","wininit.exe","services.exe",
                                          "lsm.exe","SearchProtocolHost.exe")
| project Timestamp, DeviceName, ActionType, FileName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessFolderPath, AccountName
| order by Timestamp desc
```

### Remote service execution — PsExec / SMB lateral movement

`UC_LATERAL_PSEXEC` · phase: **actions** · confidence: **High**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_name IN ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py")
       OR (Processes.process_name="wmic.exe" AND Processes.process="*/node:*")
    by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name
| `drop_dm_object_name(Processes)`
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where AccountName !endswith "$"
| where FileName in~ ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py")
   or (FileName =~ "wmic.exe" and ProcessCommandLine has "/node:")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-10520`, `CVE-2026-10523`
## Why this matters

Severity classified as **HIGH** based on: CVE present, 8 use case(s) fired, 10 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
