Severity: HIGH - Active Exploitation Confirmed

Source: U.S. Cybersecurity and Infrastructure Security Agency (CISA) | Date: May 7, 2026 | CVE: CVE-2026-6973

The Threat

CISA has added CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that this flaw in Ivanti Endpoint Manager Mobile (EPMM) is being actively exploited in the wild. EPMM, formerly known as MobileIron Core, is a widely deployed Mobile Device Management (MDM) platform used by government agencies, financial institutions, and large enterprises to manage and secure employee mobile devices.

The vulnerability is classified as an Improper Input Validation flaw (CWE-20): the EPMM server accepts crafted input it should reject, and depending on the code path that reaches, an attacker can bypass security checks or invoke functionality they should never be able to reach. The public listing describes the weakness class, not the full exploit chain, so plan remediation as if the worst case applies: remote compromise of the server. Because an MDM server can push configuration profiles, certificates and applications to every enrolled device, and can wipe them, whoever controls the server effectively controls the fleet. CISA's KEV listing is not a theoretical warning - it means real threat actors are exploiting this flaw against real organizations right now.

Ivanti has had a turbulent vulnerability track record in recent years. The 2023 EPMM flaws CVE-2023-35078 (an authentication bypass) and CVE-2023-35081 (a path traversal usable by an authenticated administrator, chained with the first) were exploited as zero-days before public disclosure and weaponized broadly within days of the advisories, targeting government ministries across Europe and Asia; twelve Norwegian ministries were the first publicly confirmed victims. This pattern is repeating.

Impact Assessment for East African Organizations

Ivanti EPMM is deployed across government ministries, central banks, telecoms, and healthcare networks in Kenya, Ethiopia, Uganda, and the broader Horn of Africa region, often as part of enterprise mobility management rollouts driven by digital government programs.

The specific risks for East African institutions include:

  • Government Ministries and GovTech Agencies: MDM platforms manage thousands of official mobile devices carrying sensitive citizen data, policy documents, and internal communications. A compromise here directly threatens national data sovereignty - a core concern under Kenya's Data Protection Act 2019 and Ethiopia's evolving data governance framework.
  • Financial Institutions: Banks and SACCOs regulated by the Central Bank of Kenya (CBK) and the Central Bank of Somalia use MDM solutions to enforce mobile security policies on banker devices. An EPMM compromise could expose mobile banking credentials, customer PII, and transaction data, and an attacker who controls the MDM can push rogue profiles or apps to staff devices - triggering PCI DSS incident reporting obligations to acquirers and card brands as well as local breach notification duties.
  • Telecoms and Critical Infrastructure: Operators managing field engineer devices through EPMM could see attackers pivot from a compromised MDM server into operational technology (OT) networks where the server shares a network segment, directory credentials or management tooling with OT systems, threatening service continuity.
  • Supply Chain Risk: Managed Service Providers (MSPs) using a single EPMM instance to manage multiple client environments risk cascading breaches across their entire customer portfolio.

Immediate Actions - Do These Now

  • Audit your MDM inventory today. Confirm whether your organization or any third-party IT provider uses Ivanti EPMM (MobileIron Core). Many deployments exist within outsourced IT contracts and may not be visible to internal security teams.
  • Apply the official Ivanti patch immediately. Visit the Ivanti Security Advisory portal and apply all patches addressing CVE-2026-6973 without delay. Do not wait for a scheduled maintenance window - CISA's KEV listing means exploitation is happening now.
  • Check for indicators of compromise (IOCs). Review EPMM access and audit logs for anomalous API calls, unexpected administrator account creation or privilege changes, and unusual device enrollment activity such as bursts of enrollments from a single source. Flag access from IP ranges that are not your corporate egress, VPN or vendor ranges. Treat geolocation as a weak signal only: attackers routinely route through VPNs, cloud providers and local residential proxies, so a "non-East African" source is worth a look but an East African source proves nothing on its own. Preserve copies of the logs before patching so the investigation still has them.
  • Restrict the EPMM admin portal from the public internet. If the administrative interface is reachable from the internet, limit it immediately to trusted IP addresses via firewall rules or a VPN gateway. The device-facing enrollment and check-in endpoints usually have to stay reachable by managed devices off the corporate network, so the restriction targets the admin portal and management API rather than the whole appliance; confirm in Ivanti's advisory whether the vulnerable path is on the admin side or the device side before relying on this as a mitigation rather than as a risk reduction alongside the patch. This is the single fastest risk reduction step available.
  • Notify your incident response team and assess breach scope. If your EPMM instance was exposed unpatched for any period, treat it as potentially compromised and open a formal investigation rather than simply patching over it: the patch closes the door but does not remove accounts, API tokens or device configurations an attacker has already created. Kenya's Data Protection Act 2019 requires a data controller to notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of a breach.
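The log review in the IOC step above, as an added worked example that is not Ivanti's code or DRONGO's detection rules: a small Python triage script run over constructed EPMM-style access log lines. The log format, the path prefixes (/mifs/admin/, /api/v2/admins, /enroll) and the "trusted" IP ranges are assumptions, to be replaced with what your appliance actually emits and your own egress ranges. It implements the three checks the bullet names: admin-side requests from untrusted sources, successful administrator creation, and enrollment bursts from one source.

```python
"""Triage of EPMM-style access logs for post-exploitation indicators.

Added example, not Ivanti or DRONGO code. The log format, URL paths and
IP ranges below are assumptions; adapt them to your own deployment.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed Apache/NGINX-style access log line. Real EPMM log formats differ;
# adjust LINE_RE to match what your appliance writes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Hypothetical path prefixes; verify against the routes your EPMM version exposes.
ADMIN_PREFIXES = ("/mifs/admin/", "/api/v2/admins")   # admin portal + admin-user API
ADMIN_USER_PATH = "/api/v2/admins"                     # POST here = new admin account
ENROLL_PREFIX = "/enroll"                              # device enrollment endpoint

# Placeholder trusted ranges (RFC 5737 documentation space and RFC 1918),
# standing in for your real corporate egress and VPN ranges.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log: one legitimate admin session from a trusted range,
# one untrusted host that lists and creates admin accounts at 02:14 local
# time, and one host that enrolls twelve devices in twelve minutes.
SAMPLE_LOG = (
    '203.0.113.10 - admin [07/May/2026:08:01:12 +0300] "GET /mifs/admin/ HTTP/1.1" 200 5123\n'
    '203.0.113.10 - admin [07/May/2026:08:02:40 +0300] "GET /api/v2/devices HTTP/1.1" 200 9871\n'
    '198.51.100.77 - - [07/May/2026:02:14:03 +0300] "GET /api/v2/admins HTTP/1.1" 200 1042\n'
    '198.51.100.77 - - [07/May/2026:02:14:09 +0300] "POST /api/v2/admins HTTP/1.1" 201 212\n'
    '198.51.100.77 - svc_sync [07/May/2026:02:15:30 +0300] "GET /mifs/admin/ HTTP/1.1" 200 5123\n'
    + "".join(
        f'192.0.2.5 - - [07/May/2026:03:{m:02d}:00 +0300] "POST /enroll HTTP/1.1" 200 300\n'
        for m in range(12)
    )
)


def parse_log(text):
    """Parse access-log text into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def is_trusted(ip, nets=TRUSTED_NETS):
    """True when the source address falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_indicators(records, nets=TRUSTED_NETS, enroll_threshold=10,
                    window=timedelta(minutes=15)):
    """Return a list of finding dicts for the three checks described in the text."""
    findings = []
    enrollments = defaultdict(list)          # ip -> enrollment timestamps
    for r in records:
        if not is_trusted(r["ip"], nets) and r["path"].startswith(ADMIN_PREFIXES):
            findings.append({"kind": "untrusted_admin_access", "ip": r["ip"],
                             "ts": r["ts"], "path": r["path"]})
        # Any successful admin creation is reviewed, even from a trusted range:
        # it must be matched against a change ticket by a human.
        if r["method"] == "POST" and r["path"] == ADMIN_USER_PATH and 200 <= r["status"] < 300:
            findings.append({"kind": "admin_account_created", "ip": r["ip"],
                             "ts": r["ts"], "user": r["user"]})
        if r["path"].startswith(ENROLL_PREFIX):
            enrollments[r["ip"]].append(r["ts"])
    # Sliding window: flag a source once if it enrolls >= threshold devices within `window`.
    for ip, stamps in enrollments.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= enroll_threshold:
                findings.append({"kind": "enrollment_burst", "ip": ip,
                                 "ts": stamps[start], "count": end - start + 1})
                break
    return findings


def summarize(findings):
    """Count findings per kind, for a quick first look before reading each line."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    for f in find_indicators(parse_log(SAMPLE_LOG)):
        extra = {k: v for k, v in f.items() if k not in ("kind", "ip", "ts")}
        print(f["kind"], f["ip"], f["ts"].isoformat(), extra)
```

On the sample, the trusted administrator's session produces no findings; the untrusted host is flagged three times for touching admin-side paths and once for the successful account creation, and the enrolling host is flagged once as a burst. Point the script at your real logs by replacing SAMPLE_LOG with the file contents and tightening the prefixes and ranges to your environment; a hit on admin_account_created from an address you cannot explain is the signal to move to the incident response step rather than to keep reading logs.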

DRONGO Recommendation

Ivanti vulnerabilities are a repeat offender on CISA's KEV list, yet many East African organizations remain exposed due to delayed patch cycles and limited MDM visibility. DRONGO's SOC team provides 24/7 monitoring with specific detection rules for Ivanti EPMM exploitation patterns. Our rapid vulnerability assessment can determine your exposure within hours - not weeks.

Is your organization protected? Request a free security assessment.