Your IT Provider’s Mobile Tools Could Have a Security Gap Right Now
Two serious security flaws hit mobile device management and Microsoft cloud services this week. Here’s what to ask your IT provider today.
By The Dragon Digital team
Two significant security flaws have surfaced this week, and at least one is already being exploited. Neither directly targets your laptop or phone, but both could affect your business through the tools your IT provider uses to manage your systems.
The mobile device management problem
Many IT providers use a piece of software called Ivanti EPMM to manage company phones and tablets remotely. A vulnerability in that software, tracked as CVE-2026-6973, lets attackers who get into the management server run their own code on it. That’s bad enough on its own, but the bigger concern is scale: if your IT provider manages dozens of clients through one Ivanti platform, a single breach could give an attacker a foothold across every business connected to it, including yours.
This one is already being actively exploited, according to SecurityWeek. Ivanti has issued a patch. Whether your provider has applied it is the question.
The Microsoft cloud side
Separately, Microsoft disclosed a critical flaw in Azure DevOps (the platform used to build and deploy software) with the highest possible severity score. An attacker with no login credentials can use it to pull sensitive information from code repositories and build pipelines. A second flaw in Microsoft Teams, scored at 9.6 out of 10, landed in the same batch of disclosures.
For most small businesses in Rhyl, Ruthin, or Caernarfon, Azure DevOps is not something you’ll run directly. But it is something your IT provider or software suppliers might. High-severity cloud flaws like this tend not to stay theoretical for long.
Three things worth doing today
- Ask your IT provider in writing: Do you use Ivanti EPMM to manage our devices, and have the May 2026 patches been applied? A good provider will answer quickly and clearly. Keep the reply.
- Check your Teams version: In the Teams desktop app, go to Settings, then About Teams. If you’re on an older version and your provider manages your updates, flag it and ask when the latest patch rolls out.
- Check your contract covers patch timescales: Cyber Essentials, the UK government-backed security standard, requires internet-facing systems to be patched within 14 days of a critical fix being released. If your agreement doesn’t mention a maximum patching window, it’s worth raising.
The businesses that avoid an incident are usually the ones who ask the awkward questions first, not the ones waiting to be told. If your IT provider can’t give you a straight answer on patch status, that’s worth knowing too.
For more on how layered security works in practice, our piece on whether Defender for Office 365 is enough on its own is worth a read.