Dutch Authorities Confirm Ivanti Zero-Day Exploit Exposed Employee Contact Data
In a recent cybersecurity incident, the Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) have disclosed that their systems were compromised through cyberattacks exploiting vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). This revelation was communicated to the Dutch parliament on February 10, 2026.
EPMM is mobile device management (MDM) software that enrolls, configures, and secures an organization's mobile devices, applications, and content; because it holds an inventory of every managed device and its user, it is a high-value target. On January 29, 2026, the National Cyber Security Center (NCSC) was alerted by Ivanti about specific vulnerabilities in EPMM. Subsequent investigations confirmed that unauthorized individuals accessed work-related data of AP employees, including names, business email addresses, and telephone numbers.
This breach is part of a broader pattern of cyberattacks targeting European institutions. The European Commission also reported detecting traces of a cyberattack on its central mobile device management infrastructure. While the incident was contained within nine hours, there is a possibility that attackers accessed the names and mobile numbers of some staff members. The Commission emphasized its commitment to monitoring the situation and implementing necessary measures to secure its systems.
Similarly, Finland’s state information and communications technology provider, Valtori, disclosed a breach affecting up to 50,000 government employees. Valtori applied the corrective patch on January 29, 2026, the day Ivanti released fixes for CVE-2026-1281 and CVE-2026-1340 (both rated CVSS 9.8), and identified the intrusion the following day, January 30, 2026: the vulnerability in the mobile device management service had been exploited as a zero-day before the fix was available. Both vulnerabilities could allow attackers to achieve unauthenticated remote code execution.
Ivanti has acknowledged that these vulnerabilities were exploited as zero-days against a limited number of customers, but has not provided an updated count of affected entities. In the Valtori incident, the attackers reportedly accessed operational information, including names, work email addresses, phone numbers, and device details. Investigations also revealed that the management system did not permanently delete removed data but merely marked it as deleted. Such soft-deleted records remain readable to anyone with access to the underlying data store, so the exposure was not limited to current users: device and user data from every organization that has used the service during its lifecycle may have been compromised. In some cases, a single mobile device may have had multiple users, further complicating the assessment of the breach’s impact.
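The retention failure described above is easy to reproduce in miniature. The following is an added illustration, not code from Valtori, Ivanti, or the original article: it models an MDM-style enrollment store (hypothetical schema and sample rows, constructed for the example) where "removing" a tenant only sets a tombstone column. The application's own query hides those rows, but a raw dump of the table, which is what an attacker with server-side access obtains, still contains every record ever written, including a shared device enrolled by two users. A purge job with an assumed 30-day retention window hard-deletes the tombstoned rows and bounds the exposure.

```python
"""Soft-delete retention demo (constructed example; not Valtori's or Ivanti's code)."""
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)  # assumed retention window for tombstoned rows

# Hypothetical schema: NULL deleted_at = active; otherwise an ISO-8601 tombstone time.
SCHEMA = """
CREATE TABLE enrollments (
    id          INTEGER PRIMARY KEY,
    tenant      TEXT NOT NULL,
    user_email  TEXT NOT NULL,
    phone       TEXT NOT NULL,
    device_id   TEXT NOT NULL,
    deleted_at  TEXT
);
"""


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def enroll(conn, tenant, email, phone, device_id):
    conn.execute(
        "INSERT INTO enrollments (tenant, user_email, phone, device_id) VALUES (?, ?, ?, ?)",
        (tenant, email, phone, device_id),
    )


def soft_delete(conn, tenant, when):
    """The weak behaviour the article describes: rows are only marked as deleted."""
    conn.execute(
        "UPDATE enrollments SET deleted_at = ? WHERE tenant = ? AND deleted_at IS NULL",
        (when.isoformat(), tenant),
    )


def active_records(conn):
    """The application's normal view: tombstoned rows are filtered out."""
    return conn.execute(
        "SELECT tenant, user_email, phone, device_id FROM enrollments WHERE deleted_at IS NULL"
    ).fetchall()


def dumped_records(conn):
    """What an attacker reading the table directly sees: no filter, every row ever written."""
    return conn.execute(
        "SELECT tenant, user_email, phone, device_id FROM enrollments"
    ).fetchall()


def purge_expired(conn, now):
    """Hard-delete tombstoned rows older than RETENTION; returns the number removed.
    ISO-8601 strings in the same format compare correctly as text."""
    cutoff = (now - RETENTION).isoformat()
    cur = conn.execute(
        "DELETE FROM enrollments WHERE deleted_at IS NOT NULL AND deleted_at < ?", (cutoff,)
    )
    return cur.rowcount


def demo():
    """Returns (app_view, attacker_view_before_purge, rows_purged, attacker_view_after_purge)."""
    conn = open_store()
    # Constructed sample data: two tenants, one device shared by two users.
    enroll(conn, "agency-a", "alice@agency-a.example", "+358-40-0000001", "dev-a1")
    enroll(conn, "agency-b", "bob@agency-b.example", "+358-40-0000002", "dev-b1")
    enroll(conn, "agency-b", "carol@agency-b.example", "+358-40-0000003", "dev-b1")
    # agency-b left the service in mid-2025; the app "removes" it with a tombstone.
    soft_delete(conn, "agency-b", datetime(2025, 6, 1, tzinfo=timezone.utc))
    now = datetime(2026, 1, 30, tzinfo=timezone.utc)
    app_view = len(active_records(conn))      # 1: only agency-a is visible to the app
    before = len(dumped_records(conn))        # 3: the former tenant's two users still exist
    purged = purge_expired(conn, now)         # 2: tombstones older than 30 days are removed
    after = len(dumped_records(conn))         # 1: a dump now exposes only current data
    return app_view, before, purged, after


if __name__ == "__main__":
    print(demo())
```

Two caveats for anyone applying this to a real system: a DELETE only removes the row from the logical table, so on-disk engines may still leave the bytes in free pages until they are overwritten (SQLite, for instance, needs `PRAGMA secure_delete` or a VACUUM for that), and the same retention rule must be applied to backups and replicas, or the purged data simply resurfaces from the next restore.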
Benjamin Harris, CEO of watchTowr, commented on the nature of these attacks, stating that they are not random but rather the work of a highly skilled, well-resourced actor executing a precision campaign. He emphasized that attackers are targeting deeply embedded enterprise systems, urging organizations to view even their most trusted internal systems with suspicion. Harris highlighted the importance of resilience alongside prevention, noting that the speed at which teams identify anomalies, validate weaknesses, and contain damage differentiates minor incidents from full-blown crises.
This series of incidents underscores the need for organizations to treat internet-facing management infrastructure such as MDM as a prime target: apply vendor fixes for it promptly, monitor it continuously for anomalous access, limit the data it retains to what is still needed, and rehearse a response that can contain an intrusion within hours rather than days.