Likelihood: HIGH
Impact: VERY HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is high because Ivanti has confirmed active exploitation of CVE-2026-6973, CISA has added it to the KEV catalog with a binding remediation deadline, and at least two co-bundled CVEs require no authentication — meaning exploitation requires minimal attacker capability against any internet-exposed or network-reachable EPMM instance. Impact is very high because EPMM is the trust anchor for corporate mobile access: credential stores, device certificates, and network access policies held in a compromised EPMM instance give adversaries authenticated lateral movement paths that bypass perimeter and endpoint controls entirely.
Treatment rationale: The combination of confirmed active exploitation, a KEV listing with a federal deadline, and the systemic access EPMM holds over the mobile estate makes deferral, transfer, or acceptance indefensible — immediate patching to 12.6.1.1, 12.7.0.1, or 12.8.0.1 (as applicable) with interim network isolation of the EPMM management plane is the only treatment that reduces exposure before adversaries exploit the window.
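To act on the patch-to-version guidance above across an estate, the first step is knowing which instances are still below the fixed release for their branch. The following is an added example, not Ivanti's tooling or part of this assessment; the fixed versions 12.6.1.1, 12.7.0.1 and 12.8.0.1 are taken from the text, while the major.minor branch keying, the dotted-integer version format and the sample inventory are assumptions.

```python
"""Triage an inventory of EPMM instances by whether each is at or above the
fixed release for its branch, so unpatched hosts can be isolated first."""
from typing import Dict, List, Tuple

# Fixed releases per branch, as stated in the treatment rationale.
# Branch keying on (major, minor) is an assumption of this example.
FIXED_BY_BRANCH = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.7.0.0' into (12, 7, 0, 0); non-numeric parts raise ValueError."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"version needs at least major.minor: {text!r}")
    return parts


def patch_status(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one version.
    Shorter strings are zero-padded so '12.7' compares as 12.7.0.0."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        # A branch with no listed fix needs vendor guidance, not a guess.
        return "unknown-branch"
    padded = v + (0,) * (len(fixed) - len(v))
    return "patched" if padded >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group {hostname: version} by patch status, hostnames sorted."""
    out: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown-branch": []}
    for host, ver in sorted(inventory.items()):
        out[patch_status(ver)].append(host)
    return out


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = {"epmm-01": "12.7.0.0", "epmm-02": "12.8.0.1",
              "epmm-03": "12.6.1.1", "epmm-04": "12.5.0.2"}
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as vulnerable are the candidates for the interim management-plane isolation described above until they reach the fixed release.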
Third-Party / Supply-Chain Risk
Ivanti is a third-party managed-mobility vendor whose on-premises EPMM platform holds privileged credentials, device trust certificates, and network access configurations on behalf of the deploying organization. Per NIST SP 800-161 supplier risk framing, the organization's mobile-access trust chain is dependent on Ivanti's software integrity: a compromised EPMM instance does not merely affect Ivanti — it grants adversaries inherited trust across the organization's own MDM-enrolled device fleet, email gateway integrations, and VPN/NAC configurations. Organizations using Ivanti-hosted or co-managed EPMM variants should additionally verify their shared-responsibility boundary and whether Ivanti has applied patches to managed environments.
Loss Exposure (illustrative)
Magnitude: high — illustrative $500K–$5M for a mid-to-large enterprise, driven by lateral movement enabling credential theft across the mobile estate, potential data exfiltration, incident response and forensics, and MDM re-enrollment of the full device fleet
Frequency: For an organization with internet-reachable EPMM currently unpatched against an actively exploited KEV-listed RCE, illustrative threat-event frequency is high in the near term (days to weeks given confirmed active exploitation); it drops sharply to low following successful patch application and management-plane isolation
Annualized: Insufficient basis for a defensible single-year ALE figure; the exposure is front-loaded and binary — organizations that patch within the remediation window face negligible residual frequency; those that do not face near-certain exploitation within the active campaign window
Basis: Loss magnitude derived from: (1) EPMM's role as a credential and certificate store multiplies downstream compromise scope beyond the EPMM host itself; (2) MDM re-enrollment of a large device fleet is operationally disruptive and labor-intensive; (3) lateral movement from stolen device certificates can require full network segmentation review; (4) IR and forensics costs for a privileged-access platform compromise are typically at the higher end of the enterprise IR cost range. Frequency derived from KEV active-exploitation status and unauthenticated attack surface in co-bundled CVEs.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• If corporate credentials or personally identifiable information stored in EPMM are confirmed exfiltrated, this may invoke state and federal breach-notification obligations — verify with counsel.
• Active exploitation of a KEV-listed vulnerability on unpatched systems may affect cyber-insurance claim eligibility under patch-compliance representations in policy applications — verify with broker.
• Organizations subject to HIPAA, CMMC, or FedRAMP may face mandatory incident-reporting obligations if EPMM is part of a covered or controlled environment — verify with counsel.
• Contractual SLAs with customers or partners that include security-posture representations may be implicated if EPMM compromise results in downstream exposure of shared data — verify with counsel.