Severity: HIGH - Active Exploitation Confirmed

CVE-2026-6973 | CVSS Score: 7.2 | Vendor: Ivanti | Product: Endpoint Manager Mobile (EPMM)

Source: CISA KEV Catalog - May 7, 2026

The Threat

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that this flaw is being actively weaponised in the wild. The vulnerability affects Ivanti Endpoint Manager Mobile (EPMM) - a widely deployed Mobile Device Management (MDM) platform used by enterprises and government institutions to manage and secure employee smartphones, tablets, and laptops.

The flaw is classified as an Improper Input Validation vulnerability. Successful exploitation allows an unauthenticated remote attacker to send maliciously crafted requests to the EPMM server, potentially gaining admin-level access to the device management platform. Affected versions are EPMM releases earlier than 12.6.1.1, 12.7.0.1, and 12.8.0.1. If your organisation has not patched to these versions or later, you are exposed right now.

Ivanti products have been a repeated and high-value target for state-sponsored threat actors and financially motivated cybercriminal groups over the past 24 months. This is not a theoretical risk. CISA's KEV listing means exploitation is already happening.

Impact Assessment for East African Organisations

Ivanti EPMM is commonly deployed across the very sectors that form East Africa's digital backbone. Government ministries in Kenya, Ethiopia, and Somalia rely on MDM platforms to manage devices issued to civil servants. Commercial banks and microfinance institutions regulated by the Central Bank of Kenya (CBK), the National Bank of Ethiopia (NBE), and the Central Bank of Somalia (CBS) use similar platforms to enforce mobile security policies on field agent and staff devices.

An attacker who gains administrative control of an EPMM server can push malicious profiles to every managed device across the organisation, intercept credentials, disable security controls, and exfiltrate sensitive data - all without triggering standard endpoint alerts. For a regional bank, this could mean simultaneous compromise of hundreds of mobile banking agent devices. For a government ministry, this represents a full breach of employee device infrastructure.

This vulnerability is also directly relevant to Kenya Data Protection Act 2019 (DPA) and ISO 27001 compliance obligations. A breach arising from a known, unpatched vulnerability will be treated as a failure of due diligence by regulators.

Immediate Actions - Do These Now

  • Identify your Ivanti EPMM version immediately. Check whether your deployment is running a version prior to 12.6.1.1, 12.7.0.1, or 12.8.0.1. This is your first and most critical step.
  • Apply the vendor patch without delay. Ivanti has released fixes. Prioritise patching the EPMM server before any other scheduled maintenance. CISA's binding directive requires U.S. federal agencies to patch by May 28, 2026 - treat this deadline as your own.
  • Audit EPMM administrator access logs. Review all admin-level activity on your EPMM portal for the past 30 days. Look for unrecognised IP addresses, bulk device profile changes, or configuration exports.
  • Isolate EPMM servers from the public internet. If your EPMM management console is internet-facing, place it behind a VPN or restrict access to authorised IP ranges immediately, regardless of patch status.
  • Notify your security operations team and escalate. If you do not have 24/7 SOC monitoring, manually review EPMM server logs now and place the system under heightened observation until patching is confirmed complete.
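
The admin-log audit described above can be scripted once the activity has been exported. The following is an added example, not DRONGO's or Ivanti's code: it assumes a CSV export with the columns timestamp, admin, source_ip and action, and the action names, authorised range and thresholds are placeholders to adapt to your own deployment.

```python
import csv, io, ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the advisory or Ivanti): admin activity was exported to
# CSV as timestamp,admin,source_ip,action; the action names are hypothetical.
AUTHORISED = [ipaddress.ip_network("10.20.0.0/16")]  # placeholder admin range
BULK_THRESHOLD = 3                   # profile changes by one admin ...
BULK_WINDOW = timedelta(minutes=10)  # ... inside this window count as bulk
LOOKBACK = timedelta(days=30)        # review period from the advisory

# Constructed sample rows, not real EPMM output.
SAMPLE = """timestamp,admin,source_ip,action
2026-04-01T08:00:00,alice,10.20.1.5,profile_change
2026-05-02T09:00:00,alice,10.20.1.5,login
2026-05-03T02:14:00,svc-admin,203.0.113.77,login
2026-05-03T02:15:00,svc-admin,203.0.113.77,profile_change
2026-05-03T02:16:00,svc-admin,203.0.113.77,profile_change
2026-05-03T02:17:00,svc-admin,203.0.113.77,profile_change
2026-05-03T02:20:00,svc-admin,203.0.113.77,config_export
"""

def audit(csv_text, now):
    """Return a sorted list of (reason, admin, detail) findings."""
    findings = set()
    changes = defaultdict(list)          # admin -> profile-change timestamps
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        if not (now - LOOKBACK <= ts <= now):
            continue                     # outside the 30-day review window
        ip = ipaddress.ip_address(row["source_ip"])
        if not any(ip in net for net in AUTHORISED):
            findings.add(("unrecognised_ip", row["admin"], str(ip)))
        if row["action"] == "config_export":
            findings.add(("config_export", row["admin"], row["timestamp"]))
        elif row["action"] == "profile_change":
            changes[row["admin"]].append(ts)
    for admin, times in changes.items():
        times.sort()
        for i in range(len(times) - BULK_THRESHOLD + 1):
            if times[i + BULK_THRESHOLD - 1] - times[i] <= BULK_WINDOW:
                findings.add(("bulk_profile_change", admin, times[i].isoformat()))
                break                    # one bulk finding per admin is enough
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE, datetime(2026, 5, 7)):
        print(*finding)
```

Any finding is a prompt for manual review of that admin account and source address, not proof of compromise.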

DRONGO Recommendation

DRONGO's security team is actively tracking CVE-2026-6973 and can help East African organisations verify patch status, conduct a rapid EPMM configuration audit, and assess whether any indicators of compromise (IoCs) are present in your environment. Our SOC team provides 24/7 monitoring tailored to the regional threat landscape.
