Severity: HIGH - Active Exploitation Confirmed
CVE-2026-6973 | CVSS Score: 7.2 | Ivanti Endpoint Manager Mobile (EPMM) | Patch Status: Available
The Threat
On May 7, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) Catalog - the agency's authoritative list of vulnerabilities confirmed to be actively weaponized by threat actors in the wild.
The vulnerability affects Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, a widely deployed Mobile Device Management (MDM) platform used by enterprises, government agencies, and financial institutions to manage and secure employee smartphones and tablets. The flaw is classified as Improper Input Validation (CWE-20): the EPMM server does not adequately validate specially crafted requests, and an attacker can use them to bypass access controls and gain administrator-level access without valid credentials.
Affected versions are all EPMM releases earlier than the fixed versions 12.6.1.1, 12.7.0.1, and 12.8.0. If your organization has not upgraded to one of these versions or later, your MDM infrastructure is exposed right now.
Impact Assessment for East African Organizations
Ivanti EPMM is deployed across government ministries, commercial banks, and telecoms throughout Kenya, Ethiopia, Somalia, and the wider Horn of Africa region. Many of these deployments lag several releases behind and patch infrequently - precisely the environment attackers target first.
The consequences of successful exploitation are severe. An attacker who gains admin access to your EPMM server can:
- Remotely wipe or lock managed devices across your entire organization - a direct operational shutdown risk for agencies managing critical services.
- Harvest credentials, email configurations, and VPN profiles stored on enrolled devices, opening pathways into your core network.
- Push malicious profiles or applications silently to all managed endpoints, establishing persistent footholds without user interaction.
- Access sensitive employee data including contacts, communications, and device location - a serious breach of Kenya's Data Protection Act 2019 and equivalent frameworks across the region.
For financial institutions operating under Central Bank of Kenya (CBK) cybersecurity guidelines or the Bank of Tanzania's ICT security directives, a compromise of MDM infrastructure constitutes a reportable incident. The reputational and regulatory cost of non-disclosure compounds the operational damage.
Government agencies in Ethiopia and Somalia currently undergoing digital transformation programs - including e-government and GovTech rollouts - are at particular risk. These environments typically have large, rapidly growing fleets of managed mobile devices with limited in-house security oversight.
Immediate Actions
- Patch immediately. Upgrade Ivanti EPMM to version 12.6.1.1, 12.7.0.1, 12.8.0, or later. Do not wait for your next scheduled maintenance window - CISA's KEV listing means exploitation is confirmed active, not theoretical.
- Audit internet-facing exposure. Check whether your EPMM admin portal is accessible from the public internet. If it is, restrict access to trusted IP ranges or a VPN-only interface immediately.
- Review EPMM access logs. Preserve a copy of the logs before you upgrade, since an upgrade may rotate or overwrite them. Look for unusual authentication attempts, API calls from unfamiliar IP addresses, or admin actions not initiated by your team - especially over the past 30 days - and compare admin activity against the IP ranges you consider trusted.
- Rotate all EPMM admin credentials. Assume that if you were vulnerable, credentials may have been harvested. Force a password reset for all accounts with administrative access to the platform.
- Notify your incident response team. If you do not have a formal IR process, treat this as the trigger to establish one. Document your patch status and exposure window for regulatory compliance purposes under the Kenya DPA 2019 or applicable national frameworks.
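The following is an added example, not Ivanti's or DRONGO's code, that automates two of the steps above: it checks an EPMM version string against the fixed releases named in this advisory, and it scans access-log lines for successful admin or API requests from addresses outside a trusted allowlist and for bursts of failed logins. The log line format, the admin path prefixes, the trusted network, and the sample lines are all constructed for the example; real EPMM logs differ, so adjust LOG_RE and ADMIN_PATH_PREFIXES before running it against your own data. Reading the version list as one fixed release per branch is also this example's assumption.

```python
import ipaddress
import re

# Fixed releases from the advisory, keyed by release branch (major, minor).
# Assumption: each fixed release applies to its own branch, and any branch
# older than 12.6 has no fixed release and is treated as affected.
FIXED_BY_BRANCH = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 0),
}


def parse_version(text):
    """Turn '12.7.0.1' (or '12.7.0.1-build3') into a 4-tuple of ints."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:4]
    return tuple(nums + [0] * (4 - len(nums)))


def is_vulnerable(version):
    """True if the version is below the fixed release for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch < min(FIXED_BY_BRANCH):
        return True            # 12.5 and earlier: no fixed release listed
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return False           # assumption: branches newer than 12.8 shipped fixed
    return v < fixed


# Constructed log line shape: "<timestamp> <client-ip> <user> <method> <path> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Assumed admin surface for this example; set these to your portal's real paths.
ADMIN_PATH_PREFIXES = ("/admin/", "/api/")


def triage_log(lines, trusted_cidrs, fail_threshold=3):
    """Flag successful admin/API requests from untrusted IPs and auth-failure bursts."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings, failures = [], {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # unparsable line: skip rather than abort triage
        ip = ipaddress.ip_address(m["ip"])
        status = int(m["status"])
        untrusted = not any(ip in net for net in trusted)
        if status in (401, 403):
            failures[ip] = failures.get(ip, 0) + 1
        elif status < 400 and untrusted and m["path"].startswith(ADMIN_PATH_PREFIXES):
            findings.append({"rule": "admin_from_untrusted_ip", "ip": str(ip),
                             "user": m["user"], "path": m["path"], "ts": m["ts"]})
    for ip, count in failures.items():
        if count >= fail_threshold:
            findings.append({"rule": "auth_failure_burst", "ip": str(ip), "count": count})
    return findings


# Constructed sample: two requests from the internal admin network, then a burst of
# failed logins from an outside address followed by a successful admin request from it.
SAMPLE_LOG = """\
2026-05-06T08:01:10Z 10.20.0.15 mdmadmin GET /admin/dashboard 200
2026-05-06T08:02:31Z 10.20.0.15 mdmadmin POST /api/v1/devices 200
2026-05-07T02:14:07Z 198.51.100.23 - POST /api/v1/login 401
2026-05-07T02:14:09Z 198.51.100.23 - POST /api/v1/login 401
2026-05-07T02:14:12Z 198.51.100.23 - POST /api/v1/login 401
2026-05-07T02:15:40Z 198.51.100.23 mdmadmin POST /admin/users 201
2026-05-07T09:30:00Z 10.20.0.22 helpdesk GET /portal/self-service 200
"""
TRUSTED_CIDRS = ["10.20.0.0/24"]   # assumed admin network for the example


def run_sample():
    return triage_log(SAMPLE_LOG.splitlines(), TRUSTED_CIDRS)


if __name__ == "__main__":
    for ver in ("12.6.1.0", "12.6.1.1", "12.7.0", "12.8.0", "12.5.2"):
        print(f"{ver:>10}: {'VULNERABLE' if is_vulnerable(ver) else 'fixed'}")
    for finding in run_sample():
        print(finding)
```

On the sample input the script reports one admin request from 198.51.100.23 on an untrusted address and a burst of three failed logins from the same address, which is the pattern to escalate: failed attempts followed by a successful privileged action from a source you do not recognise. Treat the output as a starting point for manual review, not as proof of compromise or of its absence.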
DRONGO Recommendation
Ivanti vulnerabilities have a consistent history of being exploited within hours of public disclosure - not days. If your organization runs EPMM and you are not certain of your patch status or exposure window, DRONGO's security team can conduct an emergency MDM security assessment to identify your current risk posture, review your patch configuration, and verify that no compromise has already occurred.
Is your organization protected? Request a free security assessment.