CyberSip™ — Issue 63 — June 14, 2026

Today’s picture

Ivanti Sentry CVE-2026-10520, a maximum-severity unauthenticated OS command injection, is confirmed exploited in the wild. Shadowserver reported at least two backdoored instances with exploitation attempts visible across 19 vulnerable internet-exposed gateways. CISA added it to KEV on June 11 under the new BOD 26-04 three-day mandate, making today the federal deadline. Ivanti has clarified that exploitation requires access to management port 8443, which should not be internet-exposed. Tenet Security published research on June 12 disclosing Agentjacking, an attack technique that uses a publicly available Sentry DSN to inject malicious instructions into Sentry error events, which AI coding agents including Claude Code, Cursor, and Codex then retrieve via MCP and execute as legitimate diagnostic steps on the developer machine. Tenet tested 2,388 organisations and achieved an 85% success rate with no authentication required. Iran-linked threat group Handala breached California Water Service on June 11 via an exposed third-party GPS management tool, accessing billing data for approximately two million customers and leaking 5GB.

Threat snapshot

3 active items · 2 monitoring

Ivanti Sentry CVSS 10.0 / exploited / backdoored instances / CISA deadline today Agentjacking / AI coding agents / 85% success / 2,388 orgs Cal Water / Handala / 2M customer billing records 3 items this issue

June 11Ivanti SentryCVSS 10.0ExploitedCISA Today

Ivanti Sentry CVE-2026-10520 confirmed exploited with backdoored instances in the wild. CISA deadline is today. Exploitation requires management port 8443 to be internet-exposed. Patch to R10.5.2, R10.6.2, or R10.7.1.

Shadowserver reported a large volume of exploitation attempts after a public PoC became available, with at least 2 of 19 vulnerable internet-exposed instances confirmed backdoored. Ivanti told BleepingComputer that exploitation requires port 8443 access, which management interfaces should never provide to the internet. The CISA deadline is today under BOD 26-04, the first major test of the new three-day patch mandate.

June 12Agentjacking

Agentjacking: a single HTTP POST to a public Sentry DSN injects attacker commands into AI coding agents. Claude Code, Cursor, and Codex execute them without user review. 85% success rate across 2,388 organisations.

No authentication required. The Sentry DSN is a public credential by design. The agent retrieves the injected event via MCP, treats it as a legitimate bug report, and runs attacker-controlled commands on the developer machine. Sentry declined to fix the root cause and deployed a filter for one specific payload string. The fix must come at the agent runtime layer.

June 11HandalaCritical Infrastructure

Iran-linked Handala breaches California Water Service via an exposed GPS fleet management tool. Billing data for approximately 2 million customers accessed. 5GB leaked.

Handala stated it could have done significantly more damage but chose to demonstrate access rather than disrupt service. The entry point was a third-party GPS tool used for fleet management, not the core operational technology or billing system directly. CISA and sector partners are monitoring the situation.

Detailed intelligence

Full analysis

01 Ivanti Sentry CVSS 10.0 Backdoored Instances

Ivanti Sentry CVE-2026-10520 exploitation confirmed with backdoored instances. The CISA federal deadline is today. Exploitation requires management port 8443 to be internet-accessible.

CVE-2026-10520 · CVSS 10.0

Shadowserver reported large-scale exploitation attempts following public PoC publication, confirming at least two backdoored instances among 19 vulnerable internet-exposed Ivanti Sentry gateways. CISA added the flaw to KEV on June 11 under BOD 26-04 with a three-day deadline, making today the remediation target for federal civilian agencies.

Executive Impact

Patch Ivanti Sentry to R10.5.2, R10.6.2, or R10.7.1 immediately. If management port 8443 is exposed to the internet on any Sentry appliance, treat that instance as potentially compromised regardless of patch status, audit access logs, review administrator accounts for unexpected additions, and check for unexpected outbound connections. Sentry sits between mobile devices and the corporate network, meaning a compromised gateway can intercept mobile authentication traffic and credentials.

Don’t Miss

Ivanti told BleepingComputer that CISA added CVE-2026-10520 to KEV based on attempted exploitation of honeypots, and emphasised that successful exploitation requires access to management port 8443, which should never be internet-exposed. This is an important context note. Not every Ivanti Sentry deployment is vulnerable to remote exploitation. The risk is specific to instances where port 8443 is reachable from the internet. Organisations with properly segmented management interfaces, where port 8443 is only accessible from internal management networks, are not directly exposed to remote exploitation. That said, CISA has now confirmed CVSS 10.0 is warranted, Shadowserver has confirmed backdoored instances, and the patch is available. The configuration note does not change the patching calculus. It does change the incident response priority if you are trying to determine whether to treat your instance as potentially compromised.

CyberSip Take

CISA now has 35 Ivanti vulnerabilities listed as actively exploited since 2020, 12 of which were used in ransomware campaigns. CVE-2026-10520 is the third time Ivanti Sentry specifically has appeared in that catalog. Patch today. Verify port 8443 is not internet-exposed on any Sentry instance. If you cannot confirm that, assume exploitation risk and review logs accordingly.

What happened

CISA added CVE-2026-10520, a maximum-severity OS command injection in Ivanti Sentry, to its Known Exploited Vulnerabilities catalog on June 11, 2026, under the new Binding Operational Directive 26-04. BOD 26-04, issued June 10, replaces flat CVSS-based deadlines with a four-variable risk model and set a three-day remediation window for this vulnerability, making today, June 14, the deadline for federal civilian agencies.

CVE-2026-10520 is an OS command injection in the Ivanti Sentry MICS configuration API accessible via management port 8443. An unauthenticated attacker who can reach port 8443 can inject operating system commands that execute with root privileges. A second critical vulnerability, CVE-2026-10523, was patched in the same release. Patches are available in Sentry R10.5.2, R10.6.2, and R10.7.1.

Shadowserver Foundation reported exploitation attempts at scale following the publication of a public proof-of-concept by watchTowr Labs, with at least two of the 19 internet-exposed vulnerable instances it identified confirmed to have been backdoored. Ivanti told BleepingComputer that CISA based its KEV listing on honeypot exploitation reports, and clarified that exploitation requires port 8443 access, which management interfaces should not provide to the internet. Ivanti stated it is not aware of confirmed customer compromise beyond honeypot activity.

Recommended actions

Patch Ivanti Sentry to R10.5.2, R10.6.2, or R10.7.1 immediately. Today is the CISA BOD 26-04 deadline.
Verify that management port 8443 on all Sentry appliances is restricted to internal management networks and not reachable from the internet. If it is internet-accessible, treat the appliance as potentially compromised and conduct a full review regardless of patch status.
Review Sentry access logs for unexpected API calls to the MICS configuration endpoint, new administrator account creation, and unexpected outbound connections since the public PoC publication date.

Derived from BleepingComputer, Security Affairs, and CISA KEV listing for CVE-2026-10520, June 11–14, 2026.

02 Agentjacking

Agentjacking: a publicly available Sentry DSN is all an attacker needs to execute arbitrary commands on a developer machine through Claude Code, Cursor, or Codex. No authentication. No malware delivery. 85% success rate.

Agentjacking · Tenet Security · June 12

Tenet Security published its research on June 12. The attack injects malicious instructions into Sentry error events using a public write-only DSN credential. AI coding agents retrieve the events via the Sentry MCP integration, interpret them as legitimate diagnostic output, and execute attacker-controlled commands with the developer’s own system privileges.

Executive Impact

Any organisation with a publicly discoverable Sentry DSN and developers using AI coding agents wired to Sentry via MCP is in scope. Tenet identified 2,388 organisations with injectable DSNs. The commands execute on the developer machine with developer privileges, giving the attacker access to environment variables, Git credentials, SSH keys, cloud provider tokens, and private repository contents. Review whether AI coding agents in your development environment are connected to Sentry via MCP, and whether that integration can be scoped or disabled.

Don’t Miss

Sentry described the attack class as “technically not defensible” at the platform level and deployed a content filter targeting one specific payload string from the published proof of concept rather than addressing the root cause. That filter blocks the exact string Tenet used in their research. It does not block a slightly modified version. The underlying issue, that Sentry accepts arbitrary payloads from anyone with a DSN and that AI agents treat this content as trusted diagnostic output, remains fully intact. Tenet’s conclusion is that the only reliable mitigation sits at the agent runtime layer, meaning the agent itself must be configured to require human confirmation before executing any remediation step suggested by an external tool integration. This is a design problem in how AI coding agents handle trust for externally sourced content, not a Sentry-specific bug that can be patched away.

CyberSip Take

The Miasma worm in Issue 55 injected persistence into Claude Code via a supply chain attack. Agentjacking manipulates Claude Code into executing attacker commands via a poisoned bug report. Both attacks treat the AI coding agent as the attack surface rather than the developer. As these tools become standard parts of the development environment, they inherit the threat model of that environment. An agent wired into your monitoring tools, issue trackers, and error platforms is also a new way into the developer machine. Audit which external integrations your agents can read from and whether any of those channels accept untrusted input.

What happened

Tenet Security researchers Ron Bobrov, Barak Sternberg, and Nevo Poran published the Agentjacking research on June 12, 2026. The attack exploits two design decisions that appear safe in isolation: Sentry DSNs are intentionally public write-only credentials embedded in frontend JavaScript so that browsers can report errors without requiring server-side authentication, and AI coding agents treat Sentry error events retrieved via MCP as trusted diagnostic information about the developer’s own codebase.

An attacker with a target organisation’s Sentry DSN, discoverable from browser JavaScript or a GitHub search, sends a crafted HTTP POST to Sentry’s event ingest API embedding attacker-controlled instructions in the error event fields. When the developer uses their AI coding agent and Sentry MCP to investigate errors, the agent retrieves the injected event alongside legitimate ones, treats the malicious instructions as a genuine diagnostic suggestion, and executes the specified shell commands on the developer machine with the developer’s own privileges. The chain requires no prior access to the developer machine, no authentication beyond the public DSN, and no delivery of malware through standard channels. Tenet achieved an 85% success rate across Claude Code, Cursor, and Codex in controlled tests and identified 2,388 organisations with injectable DSNs.

Tenet disclosed the findings to Sentry on June 3, 2026. Sentry acknowledged the issue, described the attack class as technically not defensible at the platform level, and deployed a content filter for a specific payload string rather than addressing the root cause. The filter does not prevent modified variants of the attack.

Recommended actions

Review whether AI coding agents in your development environment are connected to Sentry via MCP. If they are, and if your Sentry DSN is publicly discoverable, assess the risk and consider disabling the Sentry MCP integration until agent-level trust controls are available.
Configure AI coding agents to require explicit human confirmation before executing any remediation or code modification step suggested by an external tool integration, rather than allowing autonomous execution.
Treat AI coding agent integrations with external platforms that accept untrusted input as a supply chain trust boundary. This applies not only to Sentry but to any MCP-connected tool that surfaces content from external or anonymous sources.

Derived from The Hacker News, Tenet Security blog, and CSA Research Note on Agentjacking, June 12–13, 2026.

03 Handala Critical Infrastructure

Iran-linked Handala breaches California Water Service via an exposed third-party GPS tool. Billing data for approximately 2 million customers accessed. 5GB leaked. Handala states it could have done more.

Cal Water · Handala · June 11

Handala posted the breach claim on June 11. The group gained access via a GPS fleet management tool used for vehicle tracking, which was accessible without adequate controls. The group stated it reached billing data for approximately two million current and former customers and released 5GB of data publicly.

Executive Impact

The breach affected customer billing data rather than operational technology controlling water treatment or distribution. Handala’s stated intent was to demonstrate access rather than cause service disruption. Cal Water is conducting a forensic investigation. Affected customers should be alert to phishing attempts using their billing information and monitor financial accounts for unusual activity. Water utilities and critical infrastructure operators should audit third-party tool access to internal networks and apply the same access controls to fleet management and logistics tools as to production systems.

Don’t Miss

Handala’s public statement included the phrase “it could have done significantly worse.” The group has a documented pattern of intrusions into Israeli and US infrastructure targets accompanied by public messaging intended to communicate capability. The Cal Water breach follows intrusions Handala has claimed against Israeli water infrastructure in prior years. The entry point in this case was a GPS fleet management tool, a third-party platform with no obvious connection to core water operations, which had a connection path into systems holding customer billing data. Third-party tools in operational environments frequently hold implicit trust relationships that are not reflected in the organisation’s formal access control model. A GPS tool for tracking service vehicles should not have a path to customer billing records.

CyberSip Take

A GPS vehicle tracking tool accessing customer billing records is a network segmentation and vendor access control failure, not a sophisticated intrusion. The breach of core operational technology at a water utility would be a far more serious event. This one is a data breach with a geopolitical communication attached. The practical response for water utilities and other critical infrastructure is to map what third-party tools connect to which internal systems and whether those access relationships are justified by the tool’s function.

What happened

Iran-linked threat group Handala posted a claim on June 11, 2026 asserting it had breached California Water Service, a publicly traded water utility serving approximately two million customers across California. The group stated it gained initial access through an exposed GPS fleet management tool used by Cal Water to track service vehicles, and from that access reached systems containing customer billing data. Handala released 5GB of data publicly and claimed access to billing information for approximately two million current and former customers.

Handala is a threat group with documented ties to Iran and a history of targeting Israeli and US infrastructure entities. Its operations typically combine data theft with public statements intended to demonstrate capability to disrupt critical services. In this case, the group stated explicitly that it could have caused significantly greater damage but chose to limit its activity to demonstrating access.

Cal Water confirmed it is investigating the incident. CISA and water sector partners are monitoring the situation. The breach affected the billing and customer data environment rather than the operational technology systems controlling water treatment or distribution infrastructure. California Water Service serves communities across California and is one of the largest investor-owned water utilities in the United States.

Recommended actions

Water utilities and critical infrastructure operators should audit all third-party tool connections to internal networks, specifically confirming that fleet management, logistics, and facilities tools do not have lateral access paths to operational or customer data systems.
Cal Water customers should be alert to phishing communications using billing account details and monitor financial accounts for unusual activity following the data release.
Review vendor access agreements and network architecture for any third-party tool that connects to both operational and administrative networks, as the Cal Water GPS tool represents a common class of implicit trust relationship that is rarely formally documented.

Derived from Security Affairs reporting on Handala and California Water Service breach, June 11–13, 2026.

Still watching

Aging items · days 2–5

Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.

RoguePlanet Defender zero-day (Issue 59). No CVE, no patch. Works on fully patched Windows 11. Application allowlisting prevents execution. Nightmare Eclipse has rolled back the promised June 14 mass-disclosure. Monitor MSRC for patch. Day 5

GreatXML BitLocker bypass (Issue 61). No CVE, no patch. Requires physical access and prior Defender Offline Scan. Monitor MSRC for patch. Review recovery partition access controls on managed laptops. Day 4

Cross-source standouts

AI coding agents are now a documented attack surface, not a theoretical one

The Miasma worm in Issue 55 injected persistence into Claude Code installations as part of a supply chain attack on npm packages. Agentjacking today uses a fake Sentry bug report to make Claude Code execute attacker commands directly. Two separate confirmed techniques, both using AI coding agents as the execution layer rather than the developer. The attacks differ in method but share a structural observation: AI coding agents that autonomously act on output from external tool integrations, without requiring human review of each proposed action, create a class of attack where compromising or poisoning those external sources is equivalent to compromising the developer machine. As agent adoption accelerates, the security model for every tool an agent reads from becomes part of the attack surface of every machine it runs on.

CISA’s BOD 26-04 three-day mandate is being tested on a weekend with a CVSS 10.0 flaw

BOD 26-04 was issued on June 10, replacing fixed 30-day and 14-day CVSS-based windows with a risk-variable model that can compress the mandatory patching window to three days for the most critical flaws. CVE-2026-10520 became the first real test of that directive, with a deadline falling on Sunday June 14. That timing is operationally significant: a three-day window that starts on a Thursday and ends on a Sunday is a weekend patch deployment for federal agencies. The directive is testing not just whether agencies can patch faster but whether security operations and change management processes can function outside standard business hours when required. Private sector organisations watching CISA’s new directive should take note of the implied expectation that critical patching is no longer a Monday-to-Friday function.