Severity: HIGH | CVSS Score: 7.2 | Actively Exploited in the Wild

Source: CISA Known Exploited Vulnerabilities (KEV) Catalog | Published: May 7, 2026

The Threat

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that this flaw is being actively weaponized by malicious actors in the wild. The vulnerability affects Ivanti Endpoint Manager Mobile (EPMM) - a widely deployed Mobile Device Management (MDM) platform used by enterprises, government agencies, and financial institutions to manage and secure employee smartphones, tablets, and laptops.

The flaw is an improper input validation vulnerability affecting EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0. Successful exploitation grants attackers admin-level remote code execution (RCE) on the EPMM server - meaning a threat actor can take full control of the platform that manages every mobile device in your organization. This is not theoretical. CISA only adds vulnerabilities to the KEV Catalog when there is confirmed, evidence-based exploitation happening now.

Ivanti has a documented history of high-severity vulnerabilities being targeted by nation-state and ransomware groups. Previous Ivanti flaws were exploited against government networks across Asia, Europe, and Africa within days of disclosure.

Impact Assessment for East African Organizations

Ivanti EPMM is used across the East African enterprise and public sector landscape - particularly by organizations that enforce mobile device policies for remote or field-based workforces. If your organization uses Ivanti EPMM to manage employee devices, you are directly exposed.

Sectors at highest risk in East Africa:

  • Banking and Financial Services (Kenya, Ethiopia, Uganda): Banks using EPMM to manage relationship manager and field agent devices could face a full breach of their MDM infrastructure. An attacker with admin access can push malicious profiles, intercept device communications, or wipe devices - disrupting operations and violating CBK Prudential Guidelines and Bank of Uganda cybersecurity directives on endpoint security.
  • Government and GovTech (Kenya, Somalia, Ethiopia): Public sector agencies managing civil servant devices through EPMM are at risk of complete device fleet compromise. For agencies handling citizen data, this triggers mandatory breach notification under the Kenya Data Protection Act 2019 and equivalent frameworks.
  • Telecoms (Safaricom, Airtel Africa, Ethio Telecom and regional operators): MDM platforms in telecom environments control field technician devices and internal operational tools. Admin-level RCE on these systems is a direct path into core network operations.
  • Critical Infrastructure (Power, Water, Ports): OT-adjacent environments using EPMM for operational staff device management face significant risk. A compromised MDM server is a pivot point into broader operational technology networks.

With the Horn of Africa remaining a high-value target for both financially motivated ransomware groups and state-sponsored espionage actors, unpatched Ivanti EPMM instances are a low-effort, high-reward entry point.

Immediate Actions - Do These Now

  • Audit your Ivanti EPMM deployment immediately. Identify whether you are running versions prior to 12.6.1.1, 12.7.0.1, or 12.8.0. If so, you are vulnerable and should treat this as an active incident until patched.
  • Apply Ivanti's official patches without delay. Upgrade to EPMM versions 12.6.1.1, 12.7.0.1, or 12.8.0 as appropriate. Do not wait for your next scheduled maintenance window - this vulnerability is being actively exploited today.
  • Review EPMM access logs for indicators of compromise (IoCs). Look for anomalous admin logins, unexpected configuration changes, unusual API calls, or new device enrollments you cannot account for. Treat any unexplained activity as a suspected breach.
  • Restrict network access to your EPMM server. If patching cannot happen immediately, isolate the EPMM management console from public internet exposure and limit access to known, whitelisted IP ranges. This reduces your attack surface while you prepare the patch.
  • Notify your incident response team and legal/compliance officers. If you identify signs of exploitation, your obligations under the Kenya DPA 2019 and sector-specific regulations (CBK, Communications Authority) require timely breach assessment and potential notification. Do not delay this step.
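The audit step above trips people up because the fixed builds live on three separate release lines: a host on 12.6.1.1 is patched even though it is numerically lower than 12.7.0.1. The following is an added example (not code from Ivanti, CISA or DRONGO) of a branch-aware version check run over a constructed inventory; it assumes each fixed build applies to its own 12.6 / 12.7 / 12.8 line and that anything older than 12.6 has no fix listed.

```python
"""Branch-aware vulnerability check for the EPMM fixed builds in this advisory.

Assumption (not stated verbatim on the page): each fixed build closes its own
release line, so 12.6.x is fixed at 12.6.1.1, 12.7.x at 12.7.0.1 and 12.8.x at
12.8.0. Lines older than 12.6 have no fixed build listed and are flagged.
"""
from typing import List, Tuple

# Fixed build per release line, taken from the advisory text.
FIXED_BY_LINE = {(12, 6): "12.6.1.1", (12, 7): "12.7.0.1", (12, 8): "12.8.0"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.8.0' into (12, 8, 0, 0); short strings are zero-padded to 4 parts."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


def recommended_fix(version: str) -> str:
    """Fixed build to upgrade to for this host's release line (12.8.0 if unknown)."""
    line = parse_version(version)[:2]
    return FIXED_BY_LINE.get(line, FIXED_BY_LINE[(12, 8)])


def is_vulnerable(version: str) -> bool:
    """True when the host runs a build older than the fix for its release line."""
    v = parse_version(version)
    fixed = FIXED_BY_LINE.get(v[:2])
    if fixed is None:
        # No fix listed for this line: older than 12.6 is vulnerable,
        # newer than 12.8 already ships with the fix.
        return v[:2] < (12, 6)
    return v < parse_version(fixed)


# Constructed sample inventory (hostname, reported EPMM version); not real hosts.
SAMPLE_INVENTORY = [
    ("epmm-nbo-01", "12.6.0.2"),
    ("epmm-nbo-02", "12.6.1.1"),
    ("epmm-kla-01", "12.7.0.0"),
    ("epmm-add-01", "12.8.0"),
    ("epmm-dar-01", "12.5.3.1"),
]


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, current version, fix to apply) for every vulnerable host."""
    return [(h, v, recommended_fix(v)) for h, v in inventory if is_vulnerable(v)]


if __name__ == "__main__":
    for host, current, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: {current} vulnerable -> upgrade to {fix}")
```

Feed it your real inventory export in place of SAMPLE_INVENTORY; every host it lists should be patched or isolated per the steps above.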

DRONGO Recommendation

DRONGO's threat intelligence and SOC teams are actively monitoring CVE-2026-6973 exploitation patterns across East African networks. If you are unsure whether your Ivanti EPMM deployment is exposed, or if you suspect compromise, our incident response team can conduct an emergency assessment of your MDM environment, review access logs for IoCs, and guide your patch remediation - within 24 hours.

Is your organization protected? Request a free security assessment.