Ivanti EPMM Zero-Day Actively Exploited: Alert for East Africa
The Threat
CVE-2026-6973 is an improper input validation vulnerability in Ivanti Endpoint Manager Mobile (EPMM), the widely deployed mobile device management (MDM) platform used by enterprises and government agencies worldwide. On 7 May 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) formally added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog - meaning real-world attacks are already underway, not just theoretical.
The flaw carries a CVSS score of 7.2 (High) and affects EPMM builds earlier than the fixed releases 12.6.1.1, 12.7.0.1 and 12.8.0.x. Successful exploitation gives the attacker admin-level remote code execution (RCE) on the EPMM server with no user interaction. One caveat when reading the score: a 7.2 rather than a 9.8 for network-reachable RCE normally means the attacker needs some existing privilege or foothold on the console first, so administrator credential hygiene matters as much as the patch itself. Either way this is not a theoretical risk: the KEV listing means threat actors are already finding and exploiting unpatched instances.
Ivanti products have a documented history of targeting by nation-state actors and ransomware groups. Earlier Ivanti EPMM vulnerabilities (CVE-2023-35078 and CVE-2023-35081) were exploited to breach Norwegian government ministries in 2023. East African government networks must treat this with the same urgency.
Impact Assessment for East African Organizations
Ivanti EPMM is commonly deployed by organizations that need to manage fleets of mobile devices - smartphones, tablets, and laptops issued to staff. In East Africa, this directly affects three high-risk sectors:
- Government Ministries and Agencies (Kenya, Ethiopia, Somalia, Djibouti): Public sector entities that have modernized field operations with managed mobile devices are exposed. A compromised EPMM server is a foothold for lateral movement into internal government networks, email systems and citizen data repositories, and a resulting personal-data breach triggers notification duties and penalties under Kenya's Data Protection Act 2019 and the equivalent frameworks elsewhere in the region.
- Financial Institutions: Banks and mobile money operators (including those under Central Bank of Kenya and National Bank of Ethiopia supervision) that manage agent and staff devices through MDM face data exfiltration and regulatory breach risk. PCI DSS (Requirement 6.3.3) already expects critical and high-risk patches within one month of release; a flaw under active exploitation on the platform that controls payment-handling devices warrants action in days, not weeks.
- Critical Infrastructure and Telecoms: Power utilities, telecom operators and logistics companies that use EPMM to manage field-workforce devices and the handsets used alongside operational technology (OT) face the highest operational disruption risk. An attacker with administrative control of an MDM platform can push profiles, apps, malicious configurations or wipe commands to every enrolled device at once.
The broader risk for the region is compounded by limited patch cycle discipline in many organizations and the increasing reliance on mobile-first workflows across Horn of Africa markets.
Immediate Actions - Do These Now
- Identify and inventory all Ivanti EPMM deployments across your organization, including instances managed by third-party IT vendors or managed service providers on your behalf.
- Patch immediately to the fixed release for your branch (12.6.1.1, 12.7.0.1 or 12.8.0.x) or later. Refer to Ivanti's official security advisory for download links and supported upgrade paths, and confirm the running build in the console after the upgrade rather than assuming the job completed. Do not wait for your next scheduled maintenance window.
- Audit administrator accounts and access logs on your EPMM console for unauthorized logins, newly created or modified administrator accounts, configuration changes and unexpected device enrollment activity going back at least 30 days. If you find evidence of compromise, patching alone is not enough: rotate administrator and API credentials and treat the server as compromised until a forensic review says otherwise.
- Restrict internet exposure of the EPMM server if patching cannot be completed within 24 hours. Enrolled devices still need to reach the device-facing endpoints, so the practical containment is to limit the administrative console and API to a VPN or to known management IP ranges, not to take the whole server offline.
- Alert your SOC or IT security team to monitor for indicators of compromise (IOCs) published by Ivanti and CISA for CVE-2026-6973, including unusual outbound traffic from the MDM server and unexpected calls to the EPMM administrative interface.
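The patch check and the 30-day admin-interface review above can be scripted. The following is an added example written for this alert, not Ivanti tooling or anything from the vendor advisory. The fixed version numbers are the ones this page lists ("12.8.0.x" is read as 12.8.0.0, an assumption to confirm against Ivanti's advisory); the access-log layout, the admin URL prefixes (`/mifs/admin/`, `/mifs/aad/api/`), the admin networks, the account names and the log lines themselves are constructed placeholders that you must replace with the values from your own deployment.

```python
"""EPMM exposure triage: per-branch version check plus admin-interface log review.

Added example, not Ivanti tooling. Version numbers come from the advisory; the log
format, URL prefixes, admin networks and account names are constructed placeholders.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress
import re

# Earliest fixed build per release branch, as stated in the advisory.
# "12.8.0.x" is read as 12.8.0.0 (assumption: confirm against Ivanti's advisory).
FIXED_BY_BRANCH = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 0),
}


def parse_version(text):
    """'12.6.1' -> (12, 6, 1, 0); pads to four components so tuples compare cleanly."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_patched(version):
    """True if this build is at or above the fixed build for its branch.
    Branches newer than the newest fixed one are assumed fixed; older than 12.6 are not."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v >= FIXED_BY_BRANCH[branch]
    return branch > max(FIXED_BY_BRANCH)


# Constructed access-log lines in a common-log-style layout: ip, ident, user, time, request, status, size.
SAMPLE_LOG = """\
10.20.5.14 - it.admin [03/May/2026:09:12:01 +0300] "GET /mifs/admin/dashboard HTTP/1.1" 200 5120
10.20.5.14 - it.admin [03/May/2026:09:12:05 +0300] "POST /mifs/aad/api/v2/devices HTTP/1.1" 200 310
203.0.113.9 - - [05/May/2026:10:00:00 +0300] "POST /mifs/c/v1/device/checkin HTTP/1.1" 200 88
198.51.100.77 - - [06/May/2026:02:41:09 +0300] "GET /mifs/admin/ HTTP/1.1" 401 0
198.51.100.77 - - [06/May/2026:02:41:11 +0300] "GET /mifs/admin/ HTTP/1.1" 401 0
198.51.100.77 - - [06/May/2026:02:41:13 +0300] "GET /mifs/admin/ HTTP/1.1" 401 0
198.51.100.77 - - [06/May/2026:02:41:17 +0300] "GET /mifs/aad/api/v2/admins HTTP/1.1" 200 2048
10.20.5.30 - backup.svc [07/May/2026:14:03:44 +0300] "POST /mifs/aad/api/v2/admins HTTP/1.1" 200 210
10.20.5.14 - it.admin [01/Apr/2026:09:00:00 +0300] "GET /mifs/admin/dashboard HTTP/1.1" 200 5120
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Placeholders: substitute your console/API prefixes, management networks and approved admins.
ADMIN_PREFIXES = ("/mifs/admin/", "/mifs/aad/api/")
ADMIN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "197.248.10.0/24")]
KNOWN_ADMINS = {"it.admin", "mdm.svc"}
REJECT_THRESHOLD = 3  # rejected admin requests from one external IP before it is flagged
NOW = datetime(2026, 5, 8, 9, 0, tzinfo=timezone(timedelta(hours=3)))  # constructed "today", EAT


@dataclass
class Finding:
    when: datetime
    ip: str
    user: str
    path: str
    reason: str


def _from_admin_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def triage_admin_access(log_text, now, lookback_days=30):
    """Review admin-interface requests inside the lookback window; device-facing paths are ignored."""
    cutoff = now - timedelta(days=lookback_days)
    findings, rejected, last_seen = [], Counter(), {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path, status = m["path"], int(m["status"])
        if when < cutoff or not path.startswith(ADMIN_PREFIXES):
            continue
        ip, user = m["ip"], m["user"]
        internal = _from_admin_network(ip)
        if status in (401, 403) and not internal:
            rejected[ip] += 1  # probing or credential guessing from outside the admin networks
            last_seen[ip] = (when, user, path)
        elif status < 400 and not internal:
            findings.append(Finding(when, ip, user, path, "admin interface reached from outside admin networks"))
        elif status < 400 and user == "-":
            findings.append(Finding(when, ip, user, path, "admin interface answered an unauthenticated request"))
        elif status < 400 and user not in KNOWN_ADMINS:
            findings.append(Finding(when, ip, user, path, "admin interface used by account not on the approved list"))
    for ip, n in rejected.items():
        if n >= REJECT_THRESHOLD:
            when, user, path = last_seen[ip]
            findings.append(Finding(when, ip, user, path, f"{n} rejected admin requests from external IP"))
    return findings


if __name__ == "__main__":
    for v in ("12.5.0.0", "12.6.0.2", "12.6.1.1", "12.7.0.1", "12.8.0.3"):
        print(f"{v:10} patched={is_patched(v)}")
    for f in triage_admin_access(SAMPLE_LOG, NOW):
        print(f"{f.when:%Y-%m-%d %H:%M} {f.ip:15} {f.user:10} {f.path} -> {f.reason}")
```

Run it against an export of your own access logs after replacing the placeholders; the three findings on the constructed sample (an external 2xx on the admin API, an unapproved internal account using it, and a burst of rejected external requests) are exactly the classes of activity the audit step asks you to look for, and the ignored device check-in line shows why the device-facing endpoints can stay reachable while the admin paths are locked down.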
DRONGO Recommendation
If your organization runs Ivanti EPMM or any MDM platform and lacks 24/7 monitoring capability, your exposure window is open right now. DRONGO's Security Operations Center (SOC) provides always-on threat detection and vulnerability management tailored for East African enterprises and government agencies. We can assess your exposure to CVE-2026-6973 and verify patch status within hours.
Is your organization protected? Request a free security assessment.
Source: CISA KEV Catalog Alert - 7 May 2026 | CVE-2026-6973 | CVSS 7.2 (High)