Severity: CRITICAL | Source: CISA Advisory ICSA-26-113-06 | CVE: CVE-2026-6074

The Threat

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an Industrial Control System (ICS) advisory - ICSA-26-113-06 - disclosing a critical vulnerability in the Intrado 911 Emergency Gateway (EGW), a platform widely deployed in public safety answering points (PSAPs), emergency dispatch centers, and national telecommunications backbones.

Tracked as CVE-2026-6074, the vulnerability affects all actively supported versions of the platform: Emergency Gateway 5.x, 6.x, and 7.x. Successful exploitation allows an attacker to read, modify, or delete critical system files without authorization, giving threat actors direct access to the operational data that drives emergency response workflows.

For context: the Intrado EGW sits at the core of emergency call routing infrastructure. It processes, authenticates, and routes calls to dispatch centers. A compromised gateway does not just leak data - it can silence or redirect emergency calls entirely.

Impact Assessment for East African Organizations

While this advisory originates from a U.S. federal agency, its relevance to East Africa is direct and urgent. Kenya, Ethiopia, Djibouti, Somalia, and Uganda have all accelerated investment in national emergency communication systems and e-government public safety platforms over the past five years. Many of these deployments rely on vendor-supplied gateway infrastructure with software versions that may not be actively tracked or patched by local IT teams.

The specific risks for the region include:

  • Government emergency services: National police, fire, and medical dispatch centers in Nairobi, Addis Ababa, and Mogadishu that rely on IP-based call routing are directly in scope. File modification attacks could corrupt routing tables, sending emergency calls to dead ends or wrong dispatch queues.
  • Telecoms infrastructure: Carriers such as Safaricom, Ethio Telecom, and Hormuud Telecom operate gateway-level infrastructure that underpins short-code emergency services (e.g., 999, 911, 991). A file deletion attack on a gateway appliance could cause a full outage of emergency short-code services.
  • Regulatory exposure: Kenya's Communications Authority and the Ethiopian Communications Authority (ECA) both mandate service continuity for emergency communications. A breach or service outage resulting from an unpatched vulnerability constitutes a regulatory compliance failure with potential licensing consequences.
  • Data exposure: Call detail records (CDRs) and caller location data stored on or transiting through an EGW are classified as sensitive personal data under Kenya's Data Protection Act 2019. Unauthorized file reads put this data at risk of exfiltration.

The file-modification capability is particularly dangerous: an attacker does not need to crash a system to cause harm. Silently altering routing configurations or authentication files can redirect, intercept, or drop emergency traffic for hours before detection.

Immediate Actions

  • Audit your EGW deployments now. Confirm whether your organization or any managed service provider in your supply chain runs Intrado Emergency Gateway versions 5.x, 6.x, or 7.x. Do not assume a vendor has patched on your behalf.
  • Isolate the EGW from public-facing network segments. If patching cannot be completed immediately, enforce strict network segmentation. Emergency gateways should never be reachable from general corporate or internet-facing subnets.
  • Review file integrity baselines. Use a File Integrity Monitoring (FIM) tool to establish a clean baseline of all critical EGW system files. Any deviation from this baseline is a potential indicator of compromise (IoC) and must be investigated immediately.
  • Check vendor patch status and apply updates. Contact Intrado (now operating under the Carbyne or West Technology Group umbrella depending on your contract) for the latest patched firmware or software version. Cross-reference with CISA ICSA-26-113-06 for remediation guidance.
  • Review access logs for anomalous file operations. Look back at least 30 days for any unauthorized read, write, or delete operations on gateway configuration files, routing tables, or authentication stores. Treat any unexplained access as a live incident.

DRONGO Recommendation

Emergency communication infrastructure is classified as critical national infrastructure in every East African jurisdiction. DRONGO's ICS and OT security team can perform a rapid vulnerability assessment of your emergency gateway environment, validate patch status, and implement compensating controls within 48 hours - before an attacker finds the gap.
