Cyberattack Targets European Commission’s Mobile Platform

Summary
– The European Commission’s mobile device management platform was hacked on January 30, 2026, but the incident was contained within 9 hours with no compromise of mobile devices detected.
– The intrusion may have resulted in unauthorized access to staff names and mobile numbers, and it is widely speculated the affected platform was Ivanti Endpoint Manager Mobile (EPMM).
– The Dutch National Cyber Security Centre warned of active exploitation of a specific Ivanti EPMM vulnerability (CVE-2026-1281) and advised all users to assume their systems were compromised.
– Following the breach, affected organizations, including Dutch institutions, are taking measures such as changing passwords and monitoring for lateral movement.
– This incident follows previous exploitation of Ivanti EPMM zero-days in 2025, which were linked to a suspected China-nexus threat actor targeting multiple sectors globally.

A significant cyberattack targeted the mobile device management platform used by the European Commission, though officials confirm the breach was quickly contained. The incident, detected on January 30, 2026, by the EU’s cybersecurity team CERT-EU, was resolved within nine hours. According to an official statement, the intrusion may have led to unauthorized access to staff names and mobile phone numbers, but no compromise of the mobile devices themselves was detected.
While the Commission did not publicly name the specific platform, evidence strongly points to Ivanti Endpoint Manager Mobile (EPMM). This suspicion arises because Dutch authorities recently disclosed breaches at two of their institutions linked to the same software. The Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) both suffered incidents where work-related employee data, including names, business email addresses, and telephone numbers, was accessed by unauthorized parties.
The Dutch National Cyber Security Centre (NCSC-NL) had been warning organizations about the active exploitation of a critical Ivanti EPMM vulnerability, identified as CVE-2026-1281. This code injection flaw was being used in widespread attacks. Ivanti, the vendor, acknowledged these vulnerabilities were exploited as zero-days and initially provided a temporary patch before releasing full security updates last week. The company has also made a detection script available to help customers check for signs of compromise.
Authorities are advising a cautious approach. The NCSC-NL recommends that all Ivanti EPMM users assume their systems were compromised, even if they applied patches promptly. Threat actors are known to remove traces of their activities, making post-incident analysis critical. The cybersecurity center’s guidance includes changing all account passwords on the system, renewing private cryptographic keys, and closely monitoring internal network traffic for any signs of lateral movement by attackers.
This is not the first time Ivanti EPMM has been at the center of serious cyber incidents. In May 2025, CERT-EU reported on two other zero-day vulnerabilities in the platform that were actively exploited. Subsequent analyses linked that earlier attack campaign to a suspected China-nexus threat actor, which targeted a wide range of sectors including healthcare, telecommunications, and defense across multiple global regions.
The European Commission emphasized its commitment to system security, stating the investigation is ongoing and that it will take all necessary measures to protect its infrastructure. The rapid containment of this breach prevented more severe consequences, but it underscores the persistent and sophisticated threats facing major institutions. Organizations relying on similar mobile management solutions are urged to conduct thorough security reviews and adhere to the latest mitigation advice from cybersecurity authorities.
(Source: Help Net Security)





