CISA Lists Ivanti Sentry CVE-2026-10520 in KEV Catalog on Honeypot Data Alone
CISA cataloged Ivanti Sentry CVE-2026-10520 based only on honeypot probes, prompting immediate federal patching deadlines despite vendor claims of no production impact. The move highlights persistent reachability problems in MDM appliances that configuration guidance has not eliminated. Evidence trails show repeated similar flaws in the product family with limited independent confirmation of exploitation scope.
The technical evidence consists solely of honeypot telemetry showing remote unauthenticated requests targeting the management API. No telemetry from production appliances has been released by Ivanti or independent researchers. Ivanti’s advisory stresses that managed deployments use mTLS or network restrictions that close the vector, while unmanaged instances are explicitly unsupported in production. Procurement records show Sentry remains deployed in several federal MDM environments despite repeated prior command-injection issues in the same product line.
CISA’s KEV entry and Ivanti’s update diverge on risk framing: CISA requires federal agencies to patch within three days under BOD 26-04, while Ivanti states the observed activity does not constitute confirmed exploitation. This pattern mirrors the 2023 Connect Secure and 2024 EPMM disclosures where initial vendor statements minimized external reachability until contract-mandated disclosures forced clarification. The discrepancy leaves operators without clear guidance on whether legacy unmanaged instances still exist behind perimeter firewalls.
Operational significance lies in the continued exposure of enterprise mobility management surfaces. Similar command-injection flaws in MDM appliances have repeatedly enabled initial access for ransomware operators before attribution claims appear. Next indicators to watch are firewall logs showing port 8443 traffic from non-management networks and any new contract modifications requiring mTLS enforcement.
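The firewall-log indicator described above can be checked mechanically. The following Python example is added here for illustration and is not from CISA, Ivanti, or the article's sources; it flags TCP connections to port 8443 on a Sentry appliance from sources outside the management networks. The netfilter LOG-style line format, the management network 10.20.0.0/24, and the appliance address 10.50.1.10 are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (not from the article): the management network and the
# Sentry appliance address below are hypothetical placeholders.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
SENTRY_HOSTS = {ipaddress.ip_address("10.50.1.10")}
MGMT_PORT = 8443  # the port the article says to watch
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample lines in netfilter LOG style (not real telemetry).
SAMPLE_LOG = """\
Jan 10 09:00:01 fw kernel: IN=eth1 OUT=eth2 SRC=10.20.0.15 DST=10.50.1.10 PROTO=TCP SPT=50112 DPT=8443
Jan 10 09:02:44 fw kernel: IN=eth0 OUT=eth2 SRC=203.0.113.7 DST=10.50.1.10 PROTO=TCP SPT=41022 DPT=8443
Jan 10 09:02:45 fw kernel: IN=eth0 OUT=eth2 SRC=203.0.113.7 DST=10.50.1.10 PROTO=TCP SPT=41023 DPT=8443
Jan 10 09:05:10 fw kernel: IN=eth0 OUT=eth2 SRC=198.51.100.9 DST=10.50.1.10 PROTO=TCP SPT=39001 DPT=443
Jan 10 09:07:31 fw kernel: IN=eth3 OUT=eth2 SRC=10.30.4.22 DST=10.50.1.10 PROTO=TCP SPT=60440 DPT=8443
Jan 10 09:08:02 fw kernel: IN=eth3 OUT=eth2 SRC=10.30.4.22 DST=10.50.9.9 PROTO=TCP SPT=60441 DPT=8443
Jan 10 09:09:00 fw kernel: IN=eth0 OUT=eth2 SRC=not-an-ip DST=10.50.1.10 PROTO=TCP DPT=8443
"""

def parse_line(line):
    """Return (src, dst, proto, dport), or None if the line is unusable."""
    fields = dict(FIELD_RE.findall(line))
    try:
        return (ipaddress.ip_address(fields["SRC"]),
                ipaddress.ip_address(fields["DST"]),
                fields["PROTO"], int(fields["DPT"]))
    except (KeyError, ValueError):
        return None  # missing field or malformed address/port

def find_non_mgmt_access(log_text):
    """Count connections to the management port per non-management source."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if proto != "TCP" or dport != MGMT_PORT or dst not in SENTRY_HOSTS:
            continue
        if not any(src in net for net in MGMT_NETS):
            hits[str(src)] += 1
    return dict(hits)

if __name__ == "__main__":
    for src, count in sorted(find_non_mgmt_access(SAMPLE_LOG).items()):
        print(f"{src}: {count} connection(s) to port {MGMT_PORT}")
```

Internal sources such as 10.30.4.22 are reported alongside external ones, since the indicator is any non-management origin, not only Internet-facing traffic.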
Independent verification remains absent; no public packet captures or malware samples tied to the CVE have surfaced beyond honeypot artifacts.
CISA: Public confirmation of production exploitation against at least one unmanaged Sentry instance will appear in an incident report within 45 days
Sources (3)
- [1] Primary Source: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- [2] Supporting Source: https://www.ivanti.com/support/security-advisories
- [3] Supporting Source: https://www.securityweek.com/ivanti-sentry-exploitation-attempts-hitting-honeypots/