Severity: HIGH - Active Exploitation Confirmed
CVE-2026-6973 | CVSS Score: 7.2 | Affected Product: Ivanti Endpoint Manager Mobile (EPMM)
The Threat
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) Catalog - its most authoritative signal that a flaw is being weaponized in real-world attacks right now. The vulnerability affects Ivanti Endpoint Manager Mobile (EPMM), a widely deployed mobile device management (MDM) platform used by enterprises and government agencies to manage fleets of smartphones, tablets, and laptops.
The root cause is an improper input validation flaw in EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0. Successful exploitation allows a remote, authenticated attacker to achieve admin-level remote code execution (RCE) on the EPMM server - effectively handing an attacker the keys to every managed device on the network. CISA's KEV listing means active threat actors are already using this in the wild, not just testing it in labs.
This is not a theoretical risk. Ivanti EPMM has been targeted repeatedly in prior years, including a 2023 campaign that compromised Norwegian government ministries. The pattern is repeating.
Impact Assessment for East African Organizations
Ivanti EPMM is deployed across government agencies, financial institutions, and large telecoms in Kenya, Ethiopia, and across the Horn of Africa - any organization managing a centrally controlled fleet of mobile devices is potentially exposed. For East African organizations, the consequences of a successful exploit go beyond data theft.
Banking and financial services: A compromised EPMM server gives attackers control over devices used by relationship managers, tellers, and back-office staff. This opens pathways to intercept mobile banking credentials, bypass multi-factor authentication, and initiate fraudulent transactions - a direct threat to institutions regulated under CBK (Central Bank of Kenya) cybersecurity guidelines and the Bank of Tanzania's ICT risk frameworks.
Government and GovTech: Ministries and public agencies using Ivanti to manage employee devices risk full compromise of internal communications, classified documents, and citizen data. Under Kenya's Data Protection Act 2019 and Ethiopia's Personal Data Protection Proclamation, a breach of this nature carries mandatory disclosure obligations and significant regulatory penalties.
Telecoms and critical infrastructure: Mobile device management platforms in telecom environments often control devices with access to network operations centers (NOCs). Admin-level RCE in this context could enable service disruption or deeper network intrusion.
Immediate Actions - Do These Now
- Patch immediately: Upgrade Ivanti EPMM to version 12.6.1.1, 12.7.0.1, 12.8.0, or later. CISA's KEV listing means U.S. federal agencies have a mandatory patch deadline - East African organizations should treat this with the same urgency.
- Audit your EPMM exposure: Confirm whether your EPMM admin console is exposed to the internet. If it is, restrict access to known IP ranges immediately via firewall rules or a VPN gateway while patching proceeds.
- Hunt for indicators of compromise (IOCs): Review EPMM server logs for unusual authentication attempts, unexpected admin account creation, or outbound connections to unknown IP addresses. Treat any anomaly as a breach until proven otherwise.
- Review managed device policies: Check for any unauthorized MDM profiles, new device enrollments, or configuration changes pushed from the EPMM console in the last 30 days.
- Notify your incident response team: If you cannot patch within 24 hours, escalate to your security team and consider isolating the EPMM server from production networks until the patch is applied.
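The patch-status check and the log hunt above can be scripted so that the same triage runs the same way on every EPMM server. The script below is an added illustration, not DRONGO's tooling and not Ivanti's own log format or API. It assumes two things that are not on the page: that the fixed-version list "prior to 12.6.1.1, 12.7.0.1, and 12.8.0" means each branch is fixed from that build onward (12.6.x from 12.6.1.1, 12.7.x from 12.7.0.1, 12.8 and above fixed, anything older vulnerable), and a hypothetical key=value log line layout that stands in for whatever your EPMM server actually writes (adapt parse_line to the real format). The sample log lines, IP addresses and user names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Interpretation of the advisory's "prior to 12.6.1.1, 12.7.0.1, and 12.8.0":
# per-branch first fixed build; 12.8 and newer assumed fixed; older branches vulnerable.
FIXED_BUILD_BY_BRANCH = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1)}
FIRST_FIXED_BRANCH = (12, 8)


def parse_version(text):
    """'12.7.0.1' -> (12, 7, 0, 1); tuple comparison handles shorter strings."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version_text):
    """True if the installed EPMM version is below the fixed build for its branch."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch >= FIRST_FIXED_BRANCH:
        return False
    if branch in FIXED_BUILD_BY_BRANCH:
        return version < FIXED_BUILD_BY_BRANCH[branch]
    return True  # 12.5 and older: no fixed build listed for the branch


# Hypothetical log layout: "<iso-timestamp> <kind> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>\w+)\s+(?P<rest>.*)$")


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m["rest"].split() if "=" in tok)
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "kind": m["kind"], **fields}


def hunt(lines, known_egress, fail_threshold=5, window_seconds=60):
    """Flag the three IoC classes the advisory names: auth bursts,
    new admin accounts, and outbound connections to unknown addresses."""
    findings = []
    failures = defaultdict(list)  # (user, src) -> [timestamps]
    for ev in filter(None, map(parse_line, lines)):
        if ev["kind"] == "auth" and ev.get("result") == "FAILURE":
            failures[(ev["user"], ev["src"])].append(ev["ts"])
        elif ev["kind"] == "admin" and ev.get("action") == "create_user" and ev.get("role") == "ADMIN":
            findings.append(("admin_account_created", ev["target"], ev["actor"], ev["src"]))
        elif ev["kind"] == "net" and ev.get("direction") == "outbound":
            dst_ip = ev["dst"].rsplit(":", 1)[0]
            if dst_ip not in known_egress:
                findings.append(("unknown_outbound", dst_ip))
    # Sliding window over failed logins per (user, source): a burst of
    # fail_threshold failures inside window_seconds is reported once.
    for (user, src), stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j < len(stamps) and (stamps[j] - stamps[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= fail_threshold:
                findings.append(("auth_burst", user, src, j - i))
                break
    return findings


# Constructed sample log (not real EPMM output): a credential-guessing burst,
# a new admin account, one unknown and one expected outbound connection.
SAMPLE_LOG = """\
2026-03-02T08:01:10Z auth user=admin src=10.0.5.23 result=FAILURE
2026-03-02T08:01:12Z auth user=admin src=10.0.5.23 result=FAILURE
2026-03-02T08:01:15Z auth user=admin src=10.0.5.23 result=FAILURE
2026-03-02T08:01:19Z auth user=admin src=10.0.5.23 result=FAILURE
2026-03-02T08:01:22Z auth user=admin src=10.0.5.23 result=FAILURE
2026-03-02T08:01:30Z auth user=admin src=10.0.5.23 result=FAILURE
2026-03-02T08:01:41Z auth user=admin src=10.0.5.23 result=SUCCESS
2026-03-02T08:03:40Z admin action=create_user target=svc_backup role=ADMIN actor=admin src=10.0.5.23
2026-03-02T08:04:02Z net direction=outbound dst=203.0.113.45:443 proc=java
2026-03-02T08:30:00Z auth user=jdoe src=10.0.9.4 result=FAILURE
2026-03-02T09:10:00Z auth user=jdoe src=10.0.9.4 result=FAILURE
2026-03-02T09:15:00Z net direction=outbound dst=192.0.2.10:443 proc=java
""".splitlines()

# Placeholder allowlist: the egress destinations your EPMM server is expected to reach.
KNOWN_EGRESS = {"192.0.2.10"}


def triage(version_text, lines=SAMPLE_LOG, known_egress=KNOWN_EGRESS):
    return {"vulnerable": is_vulnerable(version_text), "findings": hunt(lines, known_egress)}


if __name__ == "__main__":
    result = triage("12.7.0")
    print("patch needed:", result["vulnerable"])
    for finding in result["findings"]:
        print("IOC:", finding)
```

Two failed logins from jdoe an hour apart are deliberately left unflagged: the burst window is what separates mistyped passwords from a credential attack against the admin console. Tune fail_threshold, window_seconds and KNOWN_EGRESS to your environment before treating the output as a breach signal, and widen the log window to the 30 days the device-policy review calls for.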
DRONGO Recommendation
DRONGO's threat intelligence and SOC teams are actively monitoring CVE-2026-6973 exploit activity across East African networks. If your organization runs Ivanti EPMM and lacks in-house capacity to assess exposure, verify patch status, or conduct log analysis, contact our team for an immediate vulnerability assessment. We operate 24/7 across Kenya, Somalia, and Ethiopia.
Is your organization protected? Request a free security assessment.