Severity: HIGH | CVSS Score: 7.2 | Status: Actively Exploited | Source: CISA KEV Catalog, May 7 2026

The Threat

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) Catalog, confirming active exploitation in the wild. The vulnerability affects Ivanti Endpoint Manager Mobile (EPMM), a widely deployed Mobile Device Management (MDM) platform used by enterprises and government institutions to manage and secure employee smartphones, tablets, and laptops.

The flaw is an improper input validation vulnerability that allows an unauthenticated remote attacker to send specially crafted requests to the EPMM server, potentially gaining admin-level access to the management console. Affected versions are EPMM prior to 12.6.1.1, 12.7.0.1, and 12.8.0. Ivanti has confirmed limited but active exploitation in targeted attacks.

CISA's KEV listing carries significant weight: it means threat actors are not just theorizing about this flaw - they are using it right now, in real attacks, against real organizations.

Impact Assessment for East Africa

Ivanti EPMM is used across enterprise and public sector environments globally, including deployments in Kenya, Ethiopia, and across Horn of Africa institutions that rely on centralized mobile device management. The implications for regional organizations are severe.

  • Government and GovTech agencies in Kenya, Somalia, and Ethiopia that issue managed mobile devices to staff are directly in scope. A compromised EPMM console gives attackers full visibility into - and control over - every enrolled device, including access to email, VPN credentials, and internal application data.
  • Banks and financial institutions regulated under the Central Bank of Kenya (CBK) guidelines or the National Bank of Ethiopia's IT directives that use MDM to manage mobile banking staff devices face a risk of credential theft and lateral movement into core banking systems.
  • Telecommunications providers across the region managing large field-staff mobile fleets could see attackers pivot from compromised devices into internal network segments.
  • Organizations that have not segmented their MDM infrastructure from core IT environments face risk of full network compromise, not just device-level exposure.

Given East Africa's accelerating mobile-first IT posture - driven by remote work adoption and field operations in sectors like power, healthcare, and logistics - MDM platforms represent a high-value, often under-patched attack surface.

Immediate Actions - Do This Now

  • Identify your Ivanti EPMM version immediately. If you are running any release earlier than the fixed version for your branch (12.6.1.1, 12.7.0.1, or 12.8.0), you are vulnerable. Contact your IT team or vendor today.
  • Apply Ivanti's official patch without delay. Ivanti has released fixes for all three affected version branches. Do not wait for a scheduled maintenance window - CISA KEV listings require urgent action. U.S. federal agencies are mandated to patch within days; East African institutions should adopt the same urgency.
  • Audit EPMM access logs immediately. Look for unusual API calls, authentication attempts from unfamiliar IPs, or admin-level actions not initiated by your team. Indicators of compromise may already exist in your logs.
  • Restrict EPMM admin console access. If the management interface is internet-facing, place it behind a VPN or restrict access by IP whitelist as an emergency interim control while patching is carried out.
  • Revoke and rotate credentials for all MDM admin accounts. If exploitation has occurred, admin credentials may already be harvested. Treat all existing EPMM admin passwords as compromised until forensic review confirms otherwise.
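The version check and the log audit above can be given a first, scriptable pass. The following Python script is an added illustration, not Ivanti's or DRONGO's tooling: the per-branch fixed-version table is taken from the advisory text, while the access-log line format, the trusted admin network ranges, the admin account names, the failed-login threshold and the sample log lines are all constructed assumptions for this example. EPMM's real log layout differs, so adapt `parse_log_line()` before running it against production exports.

```python
"""Triage helpers for the two checks above: is this EPMM build in the vulnerable
range, and does the access log show out-of-policy admin activity?
Added example; log format, networks, names and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Fixed releases per branch as stated in the advisory. Assumption: a build below the
# fix for its own branch is vulnerable, and branches older than 12.6 have no fix.
FIXED_BY_BRANCH = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0)}
OLDEST_FIX = (12, 6, 1, 1)

# Constructed policy values: where console admins are expected to connect from,
# who is allowed to perform admin actions, and what counts as a failed-login burst.
TRUSTED_ADMIN_NETS = [ip_network("10.20.0.0/16"), ip_network("192.0.2.10/32")]
KNOWN_ADMINS = {"mdm-admin", "j.odhiambo"}
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)

# Assumed line layout: "<ISO timestamp>Z src=<ip> user=<name> action=<ACTION> [result=OK|FAIL]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: result=(?P<result>\S+))?$"
)


def parse_version(text):
    return tuple(int(p) for p in text.strip().split("."))


def is_vulnerable(version_text):
    """True if the build precedes the fixed release for its branch."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    return v < OLDEST_FIX  # older branches have no fix; newer ones are past 12.8.0


def parse_log_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unrecognised line; count these separately in a real audit
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def is_trusted(ip_text):
    ip = ip_address(ip_text)
    return any(ip in net for net in TRUSTED_ADMIN_NETS)


def audit_log(lines):
    """Return (rule, ip, user, timestamp) findings for the three checks the advisory names:
    failed-login bursts, successful logins from unfamiliar IPs, admin actions out of policy."""
    findings = []
    failures = defaultdict(list)  # ip -> timestamps of recent failed logins
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        ip, user, action, result, ts = rec["ip"], rec["user"], rec["action"], rec["result"], rec["ts"]
        if action == "LOGIN":
            if result == "FAIL":
                recent = [t for t in failures[ip] if ts - t <= FAILED_LOGIN_WINDOW] + [ts]
                if len(recent) >= FAILED_LOGIN_THRESHOLD:
                    findings.append(("login_failure_burst", ip, user, ts))
                    recent = []  # report once per burst, then start counting again
                failures[ip] = recent
            elif result == "OK" and not is_trusted(ip):
                findings.append(("login_from_untrusted_ip", ip, user, ts))
        elif action.startswith("ADMIN_"):
            if not is_trusted(ip) or user not in KNOWN_ADMINS:
                findings.append(("admin_action_out_of_policy", ip, user, ts))
    return findings


# Constructed sample log: one legitimate admin session, then a password-guessing burst,
# a foreign login that creates an admin user, and a stray admin login from an unknown IP.
SAMPLE_LOG = """\
2026-05-08T08:00:01Z src=10.20.4.15 user=mdm-admin action=LOGIN result=OK
2026-05-08T08:00:40Z src=10.20.4.15 user=mdm-admin action=ADMIN_POLICY_UPDATE
2026-05-08T09:14:02Z src=203.0.113.45 user=admin action=LOGIN result=FAIL
2026-05-08T09:14:03Z src=203.0.113.45 user=admin action=LOGIN result=FAIL
2026-05-08T09:14:04Z src=203.0.113.45 user=administrator action=LOGIN result=FAIL
2026-05-08T09:14:05Z src=203.0.113.45 user=root action=LOGIN result=FAIL
2026-05-08T09:14:06Z src=203.0.113.45 user=mdm-admin action=LOGIN result=FAIL
2026-05-08T09:16:30Z src=203.0.113.45 user=svc-sync action=LOGIN result=OK
2026-05-08T09:16:45Z src=203.0.113.45 user=svc-sync action=ADMIN_USER_CREATE
2026-05-08T10:05:00Z src=198.51.100.7 user=mdm-admin action=LOGIN result=OK
""".splitlines()

if __name__ == "__main__":
    for build in ("12.5.3", "12.6.1.0", "12.6.2.0", "12.7.0", "12.8.0"):
        print(f"EPMM {build}: {'VULNERABLE' if is_vulnerable(build) else 'fixed'}")
    for rule, ip, user, ts in audit_log(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {rule:<28} src={ip} user={user}")
```

Every finding should be treated as a lead for the credential-rotation step that follows, not as proof of compromise on its own; a service account logging in from an untrusted address and then creating an admin user within seconds, as in the constructed sample, is exactly the sequence that should trigger forensic review rather than a quiet reset.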

DRONGO Recommendation

Ivanti EPMM vulnerabilities have historically been weaponized within days of public disclosure. If your organization uses MDM infrastructure and lacks 24/7 monitoring, you are operating blind. DRONGO's SOC team provides continuous threat monitoring, patch compliance verification, and rapid incident response tailored for East African regulatory environments - including CBK, Kenya DPA 2019, and ISO 27001 frameworks.

Is your organization protected? Request a free security assessment.