The Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) confirmed their systems were impacted by cyber attacks that exploited critical security flaws within Ivanti Endpoint Manager Mobile (EPMM). This revelation, shared via a notice to the Dutch parliament on Friday, highlights a growing trend of targeted attacks leveraging vulnerabilities in widely used enterprise software.
“On January 29, the National Cyber Security Center (NCSC) was informed by the supplier of vulnerabilities in EPMM,” the Dutch authorities stated. “EPMM is used to manage mobile devices, apps, and content, including their security.” This incident underscores the significant risks associated with mobile device management solutions when their security is compromised.
Ivanti EPMM Vulnerabilities Fuel Widespread Cyber Attacks
The breaches affecting the Dutch agencies are now known to have resulted in unauthorized access to work-related data of AP employees, including names, business email addresses, and telephone numbers. Investigations are ongoing to determine the full extent of the compromise.
Meanwhile, the European Commission also disclosed that its central mobile device management infrastructure detected “traces” of a cyber attack. While the incident was contained within nine hours and no mobile devices were found to be impacted, the attack may have led to access to the names and mobile numbers of some staff members. The Commission emphasized its commitment to the security of its internal systems and will implement all necessary protective measures.
While the specific vendor, Ivanti, was named, details regarding the attackers’ methods remain limited. However, the timing and nature of the incidents strongly suggest exploitation of the recently disclosed vulnerabilities in Ivanti EPMM, particularly zero-day flaws that were not yet patched.
Adding to the escalating situation, Finland’s state information and communications technology provider, Valtori, reported a breach that exposed work-related details of up to 50,000 government employees. This incident, identified on January 30, 2026, also targeted a zero-day vulnerability within a mobile device management service.
Valtori had applied the corrective patch on January 29, 2026, coinciding with Ivanti’s release of fixes for CVE-2026-1281 and CVE-2026-1340. These critical vulnerabilities, carrying CVSS scores of 9.8, allow attackers unauthenticated remote code execution. Ivanti has confirmed that these specific flaws were indeed exploited as zero-days.
Details of Compromised Data and System Implications
In the case of the Finnish breach, attackers are believed to have accessed operational data. This included employee names, work email addresses, phone numbers, and device details. Investigations at Valtori revealed that the management system did not permanently delete data but only marked it as deleted.
This revelation suggests that device and user data belonging to all organizations that utilized the compromised service throughout its operational history could be at risk. In some instances, a single mobile device might have been associated with multiple users, potentially broadening the scope of the data exposure.
The ongoing investigations aim to precisely identify all affected parties and the specific data compromised. Organizations reliant on Ivanti EPMM are strongly advised to ensure all systems are updated with the latest security patches and to conduct thorough security audits to detect any signs of prior intrusion. Future actions will likely focus on strengthening defenses against zero-day exploits and improving data sanitization practices within critical IT infrastructure.

