Severity: HIGH | CVE-2026-6973 | CVSS Score: 7.2 | Actively Exploited

The Threat

On May 7, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) Catalog - confirming that this flaw is being actively used in real-world attacks right now. The vulnerability affects Ivanti Endpoint Manager Mobile (EPMM), a widely deployed Mobile Device Management (MDM) platform used by enterprises and government agencies to manage smartphones, tablets, and laptops across their networks.

The flaw is an Improper Input Validation vulnerability that allows a remote attacker to gain admin-level access to the EPMM management console without authentication. Affected versions are all EPMM releases before 12.6.1.1, 12.7.0.1, and 12.8.0. If your organization has not patched to these versions, your mobile device fleet and the corporate data it touches are exposed.

CISA's KEV listing is not a theoretical warning. It means threat actors have already developed working exploits and are deploying them in the wild against unpatched systems.

Impact Assessment for East African Organizations

Ivanti EPMM is commonly deployed by government ministries, financial institutions, and telecommunications providers across Kenya, Ethiopia, and the Horn of Africa to centrally manage employee devices and enforce security policies. A successful exploit of this vulnerability gives an attacker full administrative control over every device enrolled in the MDM platform - effectively handing them the keys to your entire mobile workforce.

For Kenyan banks and SACCOs operating under CBK cybersecurity guidelines, a compromised MDM platform means attackers can push malicious configurations, intercept corporate email, access mobile banking credentials, and disable device encryption across hundreds or thousands of endpoints simultaneously. This directly violates CBK's Prudential Guidelines on Information Security and could trigger regulatory penalties.

For government agencies in Kenya, Ethiopia, Somalia, and Djibouti using EPMM to manage official devices, the risk is worse: sensitive communications, classified documents, and citizen data held on managed devices become accessible to the attacker. MDM platforms are high-value targets precisely because compromising one gives access to many.

East African organizations are particularly at risk because patch cycles in the region tend to lag behind global averages, legacy EPMM deployments are common, and dedicated mobile security monitoring is often absent from local SOC environments.

Immediate Actions - Do These Now

  • Identify your Ivanti EPMM version immediately. Log into your EPMM admin console and confirm the running version. If it is below the patched release for your release track (12.6.1.1, 12.7.0.1, or 12.8.0), you are vulnerable.
  • Apply Ivanti's patch without delay. Upgrade to a patched version as a P1 emergency. Do not wait for a scheduled maintenance window - CISA's KEV listing means exploitation is already occurring. Consult Ivanti's official advisory for patch download instructions.
  • Restrict EPMM admin console access immediately. If patching cannot happen within 24 hours, place the EPMM management portal behind a VPN or allowlist-only firewall rule to reduce your attack surface while you prepare the patch.
  • Audit EPMM admin accounts for unauthorized access. Review all administrator accounts and active sessions in the EPMM console. Look for unrecognized accounts, unusual login times, or configuration changes made in the past 30 days that were not authorized.
  • Alert your SOC and escalate to incident response if exploitation is suspected. Look for anomalous device enrollment activity, unexpected policy changes, or lateral movement from any device managed under your EPMM instance. If you detect indicators of compromise, isolate the server and initiate your incident response plan.
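An added example (not DRONGO's or Ivanti's code) that applies the first step across a whole EPMM inventory: it parses version strings numerically and compares each instance against the patched release of its track, so that a stale build is never masked by a string comparison. The hostnames and versions are constructed, and mapping a build to its track (12.6.x against 12.6.1.1, 12.7.x against 12.7.0.1, 12.8.x against 12.8.0, anything newer treated as past the fix, anything older than 12.6 pointed at 12.8.0) is this example's assumption rather than a statement from the advisory.

```python
"""Triage an EPMM inventory against the patched releases named in the advisory."""

# Patched release per track, from the advisory. Which track a running build
# belongs to is this example's assumption (see lead-in).
PATCHED_BY_TRACK = {
    (12, 6): "12.6.1.1",
    (12, 7): "12.7.0.1",
    (12, 8): "12.8.0",
}
NEWEST_TRACK = max(PATCHED_BY_TRACK)  # (12, 8)


def parse_version(text: str) -> tuple:
    """'12.7.0.1' -> (12, 7, 0, 1), zero-padded to four numeric fields.
    A plain string compare would rank '12.10.0' below '12.9.0'; tuples do not."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2 or len(parts) > 4:
        raise ValueError(f"unexpected EPMM version format: {text!r}")
    return parts + (0,) * (4 - len(parts))


def assess(version_text: str) -> dict:
    """Classify one instance: is it below the fix for its track, and what to install."""
    v = parse_version(version_text)
    track = v[:2]
    if track in PATCHED_BY_TRACK:
        target = PATCHED_BY_TRACK[track]
        vulnerable = v < parse_version(target)
    elif track > NEWEST_TRACK:
        target, vulnerable = None, False  # newer than every listed fix
    else:
        # Pre-12.6 track: no in-track fix listed, so move to the newest one.
        target, vulnerable = PATCHED_BY_TRACK[NEWEST_TRACK], True
    return {"version": version_text, "vulnerable": vulnerable, "target": target}


# Constructed sample inventory for demonstration only; not real hosts.
INVENTORY = {
    "epmm-nbo-01": "12.6.1.0",
    "epmm-nbo-02": "12.7.0.1",
    "epmm-add-01": "12.5.2.0",
    "epmm-add-02": "12.8.0",
    "epmm-dji-01": "12.10.0",
}


def triage(inventory: dict) -> list:
    """Hostnames still needing the emergency patch, oldest build first."""
    hits = [(parse_version(ver), host) for host, ver in inventory.items()
            if assess(ver)["vulnerable"]]
    return [host for _, host in sorted(hits)]


if __name__ == "__main__":
    for host, ver in INVENTORY.items():
        print(host, ver, assess(ver))
    print("patch first:", triage(INVENTORY))
```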

DRONGO Recommendation

DRONGO's SOC team monitors KEV catalog updates in real time and maps them against our clients' asset inventories. If your organization uses Ivanti EPMM and lacks a clear view of your patch status or mobile security posture, our team can conduct an emergency vulnerability assessment and guide remediation within 24 hours - before attackers get there first.

Is your organization protected? Request a free security assessment.