
Ivanti Zero-Day Breach Hits European Governments

Originally published on: February 11, 2026
Summary

– Several European government institutions, including the European Commission and agencies in Finland and the Netherlands, were targeted in a coordinated data breach campaign.
– The attacks exploited vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software, potentially exposing tens of thousands of government employees’ personal details like names and phone numbers.
– The breaches were discovered in late January, with patches for the critical Ivanti zero-day flaws released on January 29, but some systems were already compromised.
– Security experts warn the stolen data could be used for follow-on spearphishing attacks and that such breaches require organizations to reassess security credentials and permissions.
– The data accessed was limited to administrative information from the management systems, and no compromise of the mobile devices themselves was detected.

A coordinated cyber campaign has compromised several European government bodies, potentially exposing the personal data of tens of thousands of mobile device users. The breaches, first reported in early February, impacted the European Commission, the Finnish government, and multiple Dutch agencies. While only Dutch authorities officially named the exploited platform, the timing strongly suggests all incidents are linked to vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), a system previously targeted by suspected state-sponsored actors.

The European Commission confirmed its central mobile device management infrastructure showed signs of intrusion on January 30. Officials stated the breach may have allowed access to staff names and mobile phone numbers. The organization claimed its rapid response contained the incident within nine hours, adding that no actual mobile devices were compromised. On the same day, Dutch authorities detailed a similar breach affecting the Council for the Judiciary and the Dutch Data Protection Authority. A letter to parliament revealed the country’s National Cyber Security Centre received notification from Ivanti about EPMM vulnerabilities on January 29. Unauthorized persons accessed work-related data including employee names, business email addresses, and telephone numbers.

Finland’s government ICT centre, Valtori, also reported discovering a breach on January 30 affecting its mobile device management service. The attacker accessed operational information such as names, work email addresses, phone numbers, and device details. Valtori noted this data could not reveal a user’s precise location and confirmed information stored directly on mobile devices remained safe. The scale in Finland is significant, with as many as 50,000 government workers potentially affected, nearly two-thirds of the country’s central government employees.

These incidents follow Ivanti’s release of patches for two critical zero-day flaws in EPMM on January 29. The vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, are code injection flaws that allow unauthenticated remote code execution. The company acknowledged awareness of a very limited number of customer systems being exploited at the time of disclosure. Security experts warn the stolen information creates a foundation for dangerous follow-on attacks. Threat actors could use the compromised data to launch sophisticated spearphishing campaigns against government officials, a tactic that has grown in popularity for establishing persistent surveillance of government activity.

Attacks on foundational device management systems carry disproportionate risk even when the initial data exposure seems limited. The ability to exploit these flaws without authentication fundamentally changes the response required from organizations. Applying patches addresses the technical vulnerability but does not automatically restore trust in the system. Once a privileged control plane like EPMM is breached, organizations must comprehensively reassess associated credentials, cryptographic keys, and administrative permissions. The security objective shifts from merely removing a flaw to reestablishing confidence in how access is granted and exercised across the network.

If a threat actor gains access to an EPMM server, the potential for damage extends far beyond data theft. Attackers could push malicious configuration changes to enrolled devices, alter critical authentication settings, or manipulate device certificates to enable broader network infiltration. An important consideration is that EPMM is typically deployed on-premises or in customer-managed private cloud environments. This deployment model actually provides security teams with more direct control than many software-as-a-service platforms. With proper architecture and stringent access controls, organizations can materially reduce their exposure and effectively limit the blast radius of any future compromise.

(Source: InfoSecurity Magazine)
