Severity: CRITICAL | Actively Exploited in the Wild
Source: CISA Known Exploited Vulnerabilities (KEV) Catalog | Published: May 7, 2026 | Affected Product: Ivanti Endpoint Manager Mobile (EPMM)
The Threat
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that malicious actors are actively exploiting this flaw in the wild right now. The vulnerability affects Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron, and is classified as an Improper Input Validation vulnerability.
Ivanti EPMM is widely deployed by enterprises and government institutions to manage and secure employee mobile devices, enforce security policies, and control access to corporate networks. A flaw in this system is not a minor inconvenience - it is a front door left open to attackers targeting your entire mobile fleet and the corporate infrastructure behind it.
CISA's inclusion in the KEV Catalog is significant. It means exploitation is not theoretical - it is happening now, at scale, against real organizations. Ivanti products have a documented history of being targeted by nation-state actors and ransomware groups, making this alert one that demands immediate action.
Impact Assessment for East African Organizations
Across Kenya, Ethiopia, Somalia, Djibouti, Uganda, and Tanzania, Ivanti EPMM and its predecessor MobileIron are deployed inside commercial banks, government ministries, telecoms, and healthcare institutions that rely on mobile device management (MDM) to secure the growing BYOD (Bring Your Own Device) and remote workforce environments.
For Kenyan financial institutions operating under Central Bank of Kenya (CBK) cybersecurity guidelines, a compromised MDM platform could expose mobile banking back-end systems, customer PII, and inter-bank transaction data - triggering both financial loss and regulatory penalties under the Kenya Data Protection Act 2019.
For government agencies in Somalia and Ethiopia managing national ID, revenue, or immigration systems via mobile platforms, an attacker gaining control of an EPMM server could silently push malicious configurations to hundreds of managed devices, creating persistent access across an entire ministry's mobile infrastructure. In regions where mobile devices are the primary endpoint, the blast radius of this vulnerability is exceptionally wide.
Critical infrastructure operators in the energy and power sector across East Africa, where field teams increasingly rely on MDM-managed devices for SCADA and operational technology oversight, face a particularly serious risk of operational disruption.
Immediate Actions - Do These Now
- Audit your Ivanti EPMM deployment immediately. Identify all instances of Ivanti EPMM (including legacy MobileIron deployments) running in your environment. Check version numbers against Ivanti's official security advisory and confirm whether you are on a vulnerable release.
- Apply the vendor patch without delay. Ivanti has released a fix for CVE-2026-6973. Patching must be treated as an emergency change, not a scheduled maintenance item. CISA's KEV listing means this cannot wait until the next patch cycle.
- Review EPMM access and authentication logs. Look for anomalous API calls, unexpected admin account activity, or unusual device enrollment patterns going back at least 30 days. Attackers may already be inside if exploitation predates your awareness.
- Isolate the EPMM server if patching is not immediately possible. Restrict network access to the EPMM management interface to known, trusted IP ranges only. Disable internet-facing access to the admin portal until the patch is applied.
- Brief your incident response team and escalate to leadership. Under the CBK Cybersecurity Framework and equivalent regulations in Ethiopia and Uganda, a confirmed breach of an MDM system constitutes a notifiable security incident. Know your reporting obligations before the breach, not after.
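One way to carry out the log-review step above, as an added example that is not part of the original advisory and not Ivanti's own tooling: it reads a constructed JSON-lines audit export (an assumed generic format with `ts`, `src`, `user` and `action` fields, not EPMM's real log schema) and flags, within a 30-day window, activity from outside trusted management ranges, privileged actions by accounts not on the approved admin list, and enrollment bursts from a single source. The trusted networks, admin names and action strings are placeholders to replace with your own.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample export (JSON lines). Assumed generic audit format,
# NOT Ivanti's real EPMM log format; map the field names to your own export.
SAMPLE_LOG = """\
{"ts":"2026-03-20T09:00:00Z","src":"10.20.0.15","user":"admin.jane","action":"api.device.list"}
{"ts":"2026-05-01T09:12:00Z","src":"10.20.0.15","user":"admin.jane","action":"api.device.list"}
{"ts":"2026-05-02T03:41:00Z","src":"203.0.113.77","user":"admin.jane","action":"api.device.list"}
{"ts":"2026-05-02T03:42:10Z","src":"203.0.113.77","user":"svc_backup","action":"admin.user.create"}
{"ts":"2026-05-03T10:00:00Z","src":"10.20.0.15","user":"admin.jane","action":"device.enroll"}
{"ts":"2026-05-06T02:00:00Z","src":"203.0.113.77","user":"svc_backup","action":"device.enroll"}
{"ts":"2026-05-06T02:00:05Z","src":"203.0.113.77","user":"svc_backup","action":"device.enroll"}
{"ts":"2026-05-06T02:00:09Z","src":"203.0.113.77","user":"svc_backup","action":"device.enroll"}
"""
TRUSTED_NETS = [ip_network("10.20.0.0/24")]                 # assumed management ranges
KNOWN_ADMINS = {"admin.jane"}                                # assumed approved admin accounts
ADMIN_ACTIONS = {"admin.user.create", "admin.role.change"}  # assumed privileged action names
ENROLL_BURST = 3                                            # enrollments per source per day to flag
REVIEW_DATE = datetime(2026, 5, 7, tzinfo=timezone.utc)     # fixed "now" so the run is reproducible

def triage(log_text, now=REVIEW_DATE, lookback_days=30):
    """Return findings over the last `lookback_days` of audit records."""
    cutoff = now - timedelta(days=lookback_days)
    findings = {"untrusted_source": [], "unexpected_admin": [], "enrollment_burst": []}
    enrolls = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        if ts < cutoff:
            continue  # outside the 30-day review window
        src = ip_address(rec["src"])
        # 1. Any activity from outside the trusted management ranges
        if not any(src in net for net in TRUSTED_NETS):
            findings["untrusted_source"].append((rec["ts"], rec["src"], rec["user"], rec["action"]))
        # 2. Privileged actions by accounts not on the approved admin list
        if rec["action"] in ADMIN_ACTIONS and rec["user"] not in KNOWN_ADMINS:
            findings["unexpected_admin"].append((rec["ts"], rec["user"], rec["action"]))
        # 3. Enrollment bursts: count enrollments per source per calendar day
        if rec["action"] == "device.enroll":
            enrolls[(rec["src"], ts.date().isoformat())] += 1
    for (src, day), n in enrolls.items():
        if n >= ENROLL_BURST:
            findings["enrollment_burst"].append((day, src, n))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the three finding lists; the record dated 2026-03-20 falls outside the window and is ignored.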
DRONGO Recommendation
Ivanti vulnerabilities have repeatedly been weaponized against organizations that lacked visibility into their own attack surface. DRONGO's vulnerability assessment and managed SOC services give East African organizations real-time detection of exploitation attempts against MDM platforms, web-facing systems, and critical infrastructure - before attackers reach your data.
Is your organization protected? Request a free security assessment.