European Institutions Breached via Ivanti Endpoint Manager Mobile Vulnerabilities
The European Commission disclosed it is investigating a breach after detecting traces of an attack against its central mobile device management (MDM) infrastructure used to administer staff mobile devices. The Commission said the incident was contained and the system cleaned within nine hours, and it has not found evidence that managed mobile devices themselves were compromised; however, attackers may have accessed limited staff personal data such as names and mobile phone numbers.
The activity appears consistent with a broader set of intrusions against European public-sector bodies tied to vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). Dutch authorities reported that the Dutch Data Protection Authority and the Council for the Judiciary experienced nearly identical breaches, in which unauthorized parties exploited an Ivanti EPMM software flaw to access employee data, including names, email addresses, and phone numbers. This suggests a shared exploitation vector across multiple European institutions’ MDM deployments.

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Dutch government publicly confirms AP and Judiciary breaches
Dutch authorities publicly confirmed that the Dutch Data Protection Authority and the Council for the Judiciary were hacked through Ivanti EPMM vulnerabilities. Officials said unauthorized parties viewed employee contact information while the investigation remained ongoing.
European Commission publicly discloses breach and ongoing investigation
The European Commission publicly confirmed the January 30 incident, saying it is investigating the attack with support from CERT-EU. It stated that only limited staff contact data may have been exposed and that monitoring and hardening efforts are continuing.
Finland's Valtori discloses EPMM-related breach affecting MDM service
Finland's government ICT provider Valtori disclosed a breach tied to exploitation of Ivanti EPMM zero-days in its mobile device management service. The incident potentially affected up to 50,000 users and may have exposed work-related and historical service data.
European Commission contains and cleans affected systems within nine hours
Following detection of the January 30 intrusion, the Commission isolated the affected management systems, removed malicious artifacts, and restored operations in roughly nine hours. Investigators said they found no evidence that managed mobile devices themselves were compromised.
European Commission detects intrusion in mobile device management infrastructure
On January 30, the European Commission detected signs of a cyberattack affecting the central infrastructure used to manage staff mobile devices. The intrusion may have exposed limited staff personal data, specifically names and mobile phone numbers.
Dutch authorities notify NCSC and take response measures
After the Dutch incidents were identified on January 29, authorities alerted the National Cyber Security Centre, informed affected employees, and began assessing broader impact across central government. The Dutch government also reported the matter to parliament while investigations continued.
Dutch agencies breached via Ivanti EPMM exploitation
On January 29, attackers exploited Ivanti EPMM vulnerabilities to access systems used by the Dutch Data Protection Authority and the Council for the Judiciary. The breach exposed employees' work-related contact data, including names, business email addresses, and phone numbers.
Ivanti discloses and patches two critical EPMM zero-days
Ivanti warned customers in late January about two critical unauthenticated code-injection flaws in Endpoint Manager Mobile, CVE-2026-1281 and CVE-2026-1340, and released fixes and detection guidance. The company said the vulnerabilities had been exploited as zero-days against a limited number of customers.
CISA adds Ivanti EPMM flaw CVE-2026-1281 to KEV catalog
CISA added CVE-2026-1281, a critical Ivanti Endpoint Manager Mobile vulnerability, to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The move signaled that organizations should urgently remediate exposed EPMM systems.
Sources
14 references tracked.
European Commission hit by cyberattack linked to Ivanti software flaws | SC Media (scworld.com)
Dutch agencies hit by Ivanti EPMM exploit exposing employee contact data (securityaffairs.com)
Dutch Authorities Confirm Ivanti Zero-Day Exploit Exposed Employee Contact Data (thehackernews.com)
Emergency patches advised after attacks on Ivanti EPMM devices | SC Media (scworld.com)
Dutch data watchdog caught up in Ivanti zero-day attacks • The Register (go.theregister.com)
European Commission discloses breach that exposed staff data (bleepingcomputer.com)
Ivanti Zero-Days Likely Deployed in EU and Dutch Hacks (govinfosecurity.com)
Several Dutch agencies suffer major data breach - DataBreaches.Net (databreaches.net)


