CISA Orders Federal Agencies to Patch Actively Exploited Ivanti Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive requiring federal agencies to patch an actively exploited vulnerability in Ivanti Sentry within three days. The order, mandated under the newly issued Binding Operational Directive (BOD) 26-04, targets a flaw that attackers are already leveraging in the wild.

CISA’s directive applies to all federal civilian executive branch agencies, which must apply the patch by the specified deadline or face potential compliance action. While no CVSS score or CVE identifier was detailed in available sources, the active exploitation status elevates the risk profile significantly. The vulnerability affects Ivanti Sentry, a mobile device management and secure access solution widely used in government networks.

Technical specifics of the attack vector remain undisclosed, but active exploitation suggests the flaw can be remotely triggered without authentication. Ivanti has not yet confirmed the root cause, and indicators of compromise have not been publicly released. Security researchers urged organizations to prioritize patching given CISA’s rare three-day window, indicating a high level of threat urgency.

Ivanti has released a patch addressing the vulnerability, though availability details for non-government customers were not provided. CISA recommends all organizations—not just federal agencies—apply the patch immediately. No workarounds or mitigations were listed if patching is not possible within the timeframe.

The directive does not attribute the attacks to any specific threat actor. This marks the second time in 2025 that CISA has issued a fast-track patch order under BOD 26-04, signaling an accelerating trend of mandatory remediation timelines for exploited vulnerabilities.