Severity: HIGH | Actively Exploited | Patch Immediately

Source: CISA Known Exploited Vulnerabilities (KEV) Catalog | Published: May 7, 2026 | CVE: CVE-2026-6973 | CVSS Score: 7.2

The Threat

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that this flaw is being actively used in real-world attacks. The vulnerability affects Ivanti Endpoint Manager Mobile (EPMM), a widely deployed Mobile Device Management (MDM) platform used by enterprises and government agencies to manage smartphones, tablets, and other mobile endpoints.

The flaw is classified as an Improper Input Validation vulnerability. It allows remote attackers to send maliciously crafted input to the EPMM server, potentially triggering remote code execution (RCE) and gaining administrator-level access to the platform. Affected versions include all EPMM releases before 12.6.1.1, 12.7.0.1, and 12.8.0. CISA's KEV listing confirms that nation-state actors and cybercriminal groups are already exploiting this vulnerability in targeted campaigns.

Why East African Organizations Must Act Now

Ivanti EPMM is deployed across banking groups, telecommunications providers, and government IT environments throughout Kenya, Ethiopia, Uganda, Tanzania, and Somalia. MDM platforms are considered high-value targets because they sit at the intersection of every managed mobile device in an organization - compromising the EPMM server gives an attacker the ability to push malicious configurations, extract device credentials, intercept communications, and pivot laterally into core enterprise networks.

For East African institutions, the stakes are especially high. Commercial banks managing large field agent networks on mobile devices, government ministries coordinating mobile workforces, and telcos running MDM-enrolled engineer fleets all represent rich targets. Under the Kenya Data Protection Act 2019 and the Central Bank of Kenya (CBK) Cybersecurity Guidelines, a breach originating from an unpatched, known-exploited vulnerability constitutes a reportable incident - and exposes institutions to regulatory penalties, reputational damage, and customer liability.

Impact Assessment by Sector

  • Financial Services (Kenya, Ethiopia, Uganda): An EPMM compromise can expose mobile banking agent credentials, customer PII, and transaction data - triggering CBK, NBE, and BoU reporting obligations and potential PCI-DSS violations.
  • Government and GovTech (Somalia, Kenya, Ethiopia): National ID management systems, revenue authority platforms, and border control agencies using mobile device fleets are at risk of espionage and data exfiltration by state-sponsored actors.
  • Telecommunications (Safaricom, Ethio Telecom, Hormuud): Telco network operations engineers rely heavily on MDM-managed devices. A compromise here can provide an attacker a foothold into core network infrastructure.
  • Healthcare and Humanitarian Operations (Horn of Africa): NGOs and health agencies that run mobile health (mHealth) programs in Somalia and Ethiopia, and that manage sensitive patient data on enrolled devices, face significant data breach risk.

Immediate Actions - Do These Now

  • Audit your Ivanti EPMM version immediately. If you are running any version prior to 12.6.1.1, 12.7.0.1, or 12.8.0, you are vulnerable. Contact your IT team or Ivanti account representative right now.
  • Apply the vendor patch without delay. Ivanti has released fixes for all three supported release tracks. CISA's KEV listing means this is a "patch-or-accept-breach" situation - there is no safe waiting period.
  • Isolate your EPMM server from public internet access as an interim measure if patching cannot be completed within 24 hours. Restrict access to known management IPs only.
  • Review EPMM administrator logs for anomalies going back at least 30 days. Look for unexpected admin account creation, unusual API calls, or configuration changes not initiated by your team. This flaw may already have been used against your environment.
  • Notify your CISO, Risk, and Compliance teams. Under CBK Cybersecurity Guidelines and Kenya DPA 2019, if you detect indicators of compromise, you have mandatory breach notification timelines to meet. Start the clock now, not after a confirmed breach.
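A version-triage helper, added here as an example and not part of this advisory or of Ivanti's own tooling: it applies the per-release-track fixed versions named above (12.6.1.1, 12.7.0.1, 12.8.0) to an inventory of EPMM hosts, catching the case where a higher version number (12.7.0.0) is still vulnerable. Hostnames and versions are constructed; treating tracks older than 12.6 as vulnerable and tracks newer than 12.8 as fixed is an assumption.

```python
# Added example (not from the advisory or from Ivanti): triage an Ivanti EPMM
# version string against the fixed releases named in this advisory
# (12.6.1.1, 12.7.0.1, 12.8.0). The per-track rule matters: 12.7.0.0 is newer
# than 12.6.1.1 but is still vulnerable because its own track fix is 12.7.0.1.
from __future__ import annotations

# First fixed release per supported track, from the advisory. Any 12.8.x is
# treated as fixed because 12.8.0 is the first release of that track.
FIXED_BY_TRACK = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 0),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.6.1.0' into (12, 6, 1, 0); pad shorter strings to four parts."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected EPMM version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(text: str) -> bool:
    """True if the running EPMM version predates the fix for its track."""
    v = parse_version(text)
    track = v[:2]
    if track in FIXED_BY_TRACK:
        return v < FIXED_BY_TRACK[track]
    # Assumption: tracks older than 12.6 have no fixed release listed, so they
    # are vulnerable; tracks newer than 12.8 started after the fix.
    return track < (12, 8)


def triage(hosts: dict[str, str]) -> list[str]:
    """Return the hostnames that still need patching, sorted for the ticket."""
    return sorted(h for h, ver in hosts.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are sample values.
    inventory = {
        "epmm-nbo-01": "12.6.1.0",  # vulnerable: before 12.6.1.1
        "epmm-nbo-02": "12.6.1.1",  # fixed
        "epmm-add-01": "12.7.0.0",  # vulnerable although newer than 12.6.1.1
        "epmm-mgq-01": "12.8.0",    # fixed
        "epmm-kla-01": "12.5.0.1",  # vulnerable: older track, no fix listed
    }
    for host in triage(inventory):
        print(f"PATCH NOW: {host} runs {inventory[host]}")
```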

DRONGO Recommendation

DRONGO's SOC team is actively monitoring threat feeds for CVE-2026-6973 indicators of compromise (IOCs) across client environments in Kenya, Somalia, and Ethiopia. If your organization uses Ivanti EPMM and lacks 24/7 visibility into your MDM infrastructure, a rapid vulnerability assessment is the fastest way to confirm your exposure and close the gap before attackers do.

Is your organization protected? Request a free security assessment.