EU, Dutch government announce hacks following Ivanti zero-days
A wave of cyberattacks tied to vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) is triggering emergency warnings worldwide from national security agencies.
The two critical vulnerabilities in EPMM — a product used to manage an organization’s mobile devices, controlling phones and tablets and enforcing app settings and security rules — could allow hackers to take control over these devices without needing either a username or a password.
Ivanti issued patches and an advisory in late January disclosing the two critical code injection vulnerabilities tracked as CVE-2026-1281 and CVE-2026-1340. Customers were urged to treat exposed systems as potentially compromised and review logs for signs of exploitation.
Both of the vulnerabilities were rated critical, with CVSS base scores of 9.8, making them among the most severe types of security flaws. Ivanti said it was aware “a very limited number of customers” had been attacked while the vulnerabilities were still unpatched.
In a statement to the country’s parliament on Friday, the Dutch Data Protection Authority and the Judicial Council confirmed being hacked. It is not clear when these hacks took place.
The country’s State Secretary for the Interior and State Secretary for Justice and Security confirmed that work-related data "such as name, business email address and telephone number" were viewed by unauthorized persons, although the full extent of the compromise is still being investigated.
At the same time, although it did not explicitly identify Ivanti EPMM as the targeted service, the European Commission also confirmed its “central infrastructure managing mobile devices” had detected a cyberattack which resembles the Dutch breach.
The attack on the Commission’s mobile management infrastructure “may have resulted in access to staff names and mobile numbers of some of its staff members,” it announced, adding a “swift response ensured the incident was contained and the system cleaned within nine hours. No compromise of mobile devices was detected.”
The U.S. Cybersecurity and Infrastructure Security Agency has also added one of the flaws to its Known Exploited Vulnerabilities Catalog, signaling confirmed abuse in the wild. National cyber agencies in Canada and Singapore followed with alerts confirming attackers are weaponising the Ivanti bugs against unpatched environments.
In the United Kingdom, NHS Digital’s National Cyber Security Operations Centre (CSOC) warned that healthcare networks have detected activity linked to the same vulnerabilities, prompting urgent mitigation efforts, although it did not confirm whether a breach had taken place.
“Edge devices like EPMM are internet-facing by design and are highly attractive targets to attackers, and there are an increasing number of edge device vulnerabilities disclosed each year that are rapidly exploited by attackers,” CSOC said. “The NHS England National CSOC assesses it is highly likely vulnerabilities discovered in edge devices will continue to be exploited as zero-day vulnerabilities, or shortly after vendor disclosure.”
No public attribution has yet been made for the attacks, and it is unclear whether the vulnerabilities are being exploited by a single threat actor or several of them.
Similar issues in EPMM had previously been exploited in 2023, with the government of Norway revealing that 12 of its agencies had been hacked through the flaws. That case involved different vulnerabilities in the same product family, underscoring how frequently mobile management platforms have become high-value targets.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79



