SEVERITY: HIGH - Active Exploitation Confirmed

CVE-2026-6973 | CVSS Score: 7.2 | Affected: Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0 | Status: Added to CISA Known Exploited Vulnerabilities (KEV) Catalog

The Threat

Ivanti has issued an urgent warning about a high-severity vulnerability in its Endpoint Manager Mobile (EPMM) platform - the same mobile device management (MDM) solution used by enterprises and government agencies across East Africa to manage smartphones, tablets, and field devices. The flaw, tracked as CVE-2026-6973, is an improper input validation vulnerability that enables unauthenticated remote code execution (RCE), handing attackers full administrative control of affected EPMM servers.

Critically, this is not a theoretical risk. Active, in-the-wild exploitation has already been confirmed in limited attacks, and CISA has formally added this CVE to its Known Exploited Vulnerabilities catalog - a strong signal that broader, opportunistic attacks are imminent. Patching is a matter of hours, not days: any organization that has not yet patched is exposed.

This vulnerability follows a disturbing pattern for Ivanti: CVE-2023-35078 and CVE-2023-35082, both affecting EPMM, were weaponized against Norwegian government agencies in 2023. The same product. The same attack surface. A new CVE.

Impact Assessment for East African Organizations

Ivanti EPMM is widely deployed in sectors across Kenya, Ethiopia, and the Horn of Africa where mobile-first operations are standard. If your organization manages employee devices, field agents, or remote workers through an MDM platform, this affects you directly.

Banking and Financial Services: Banks operating mobile banking platforms - particularly those in Kenya under CBK Mobile Banking Guidelines and institutions across Somalia and Ethiopia managing agent banking networks - use MDM solutions to control thousands of field devices. Admin-level RCE on the EPMM server means an attacker can push malicious apps, intercept credentials, and exfiltrate customer data across every enrolled device. This is a single-point-of-failure breach scenario.

Government and GovTech: Ministries and county governments in Kenya managing field officers and e-government service delivery on enrolled devices face a severe risk. Under the Kenya Data Protection Act 2019, a breach originating from an unpatched, known vulnerability creates direct regulatory liability for the Data Controller. Exploiting this flaw on a government MDM server could expose citizen data at scale.

Telecommunications and Critical Infrastructure: Telcos and power utilities across Ethiopia and Kenya deploying EPMM to manage field technician devices are exposed to operational disruption. Attackers with admin-level access can wipe, lock, or manipulate enrolled devices - disabling field response capabilities during a critical infrastructure incident.

Immediate Actions - Do These Now

  • Identify your EPMM version immediately. Log in to your Ivanti EPMM admin console and confirm your current version. If you are running any version before 12.6.1.1, 12.7.0.1, or 12.8.0, you are vulnerable and must treat this as an active incident.
  • Apply the vendor patch without delay. Upgrade to EPMM versions 12.6.1.1, 12.7.0.1, or 12.8.0 as directed in Ivanti's official security advisory. Do not wait for a scheduled maintenance window - this vulnerability is under active exploitation.
  • Restrict network access to your EPMM portal. If patching cannot be completed immediately, block public internet access to the EPMM admin portal and limit access to trusted IP ranges only. This reduces your exposure window while patching is arranged.
  • Audit EPMM admin logs for signs of compromise. Review administrative access logs for unusual authentication attempts, unfamiliar admin accounts, or unexpected device policy changes. Indicators of compromise may already be present on unpatched systems.
  • Notify your incident response team now. If you do not have a defined IR process, escalate to your CISO or IT security lead immediately. Given CISA's KEV listing, threat actors are actively scanning for exposed EPMM instances - including in developing regions where patch cycles are slower.
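To support the first step above across a fleet of servers, here is an added example (not Ivanti's code and not part of the original advisory) that triages collected EPMM version strings against the fixed versions named above. It assumes that each fixed version applies to its own minor branch (12.6.x, 12.7.x, 12.8.x), that branches older than 12.6 have no fix, and that a branch newer than the advisory covers should be confirmed against the vendor notice rather than assumed safe; the hostnames and versions in the inventory are constructed.

```python
from __future__ import annotations

# Fixed versions as listed in the advisory. Assumption (not stated by the
# vendor text on this page): each one fixes its own 12.x minor branch.
FIXED_VERSIONS = ("12.6.1.1", "12.7.0.1", "12.8.0")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.6.1' into (12, 6, 1, 0) so versions compare as tuples."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))  # pad to four components


def assess(version: str) -> str:
    """Classify one EPMM version as VULNERABLE, PATCHED or UNKNOWN."""
    v = parse_version(version)
    fixed = sorted(parse_version(f) for f in FIXED_VERSIONS)
    for f in fixed:
        if f[:2] == v[:2]:                  # same major.minor branch
            return "VULNERABLE" if v < f else "PATCHED"
    if v[:2] < fixed[0][:2]:                # older than any fixed branch
        return "VULNERABLE"
    return "UNKNOWN"  # newer branch than the advisory covers; check the vendor notice


def triage_inventory(inventory: dict[str, str]) -> dict[str, str]:
    """Map each host in the inventory to its assessment."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "epmm-nbo-01": "12.6.1",
    "epmm-nbo-02": "12.6.1.1",
    "epmm-add-01": "12.7.0",
    "epmm-mgq-01": "12.8.0",
    "epmm-lab-01": "12.5.3",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:10} {status}")
```

Hosts reported as VULNERABLE should be treated as active incidents per the steps above, and UNKNOWN results must be checked against Ivanti's advisory before being marked safe.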

DRONGO Recommendation

DRONGO's security team has seen Ivanti vulnerabilities exploited against organizations in this region before. If you are unsure whether your EPMM deployment is patched, exposed, or already compromised, our team can conduct an emergency vulnerability assessment and log review within 24 hours - giving you verified clarity before an attacker gets there first.

Is your organization protected? Request a free security assessment.