
European Agencies Hit by Zero‑Day Attacks Exploiting Ivanti Endpoint Manager Mobile

Dutch Data Protection Authority, EU Commission and Finland's Valtori suffered data breaches after attackers exploited critical Ivanti Endpoint Manager Mobile zero‑day flaws (CVE‑2026‑1281, CVE‑2026‑1340).
10 February 2026 by TechStora Editorial Board

Background

In early 2026, multiple European public‑sector organisations reported cyber‑intrusions that leveraged newly disclosed vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), a mobile device management (MDM) solution used to control smartphones, apps and data.

Affected Agencies

The incidents involved:

  • The Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr).
  • The European Commission’s central mobile‑device infrastructure.
  • Finland’s state ICT provider Valtori, which manages government employee devices.

Technical Details of the Vulnerabilities

Ivanti released patches on 29 January 2026 for two critical flaws:

  • CVE‑2026‑1281 – Remote code execution (RCE) with a CVSS score of 9.8.
  • CVE‑2026‑1340 – Unauthenticated RCE, also rated 9.8.

Both were exploited as zero‑days, allowing threat actors to execute code on the MDM server without authentication and gain unrestricted access to stored device and user data.

Impact on Data

Compromised information included:

  • Names, business email addresses and telephone numbers of agency employees.
  • Device identifiers and usage details.
  • Historical data that had been “soft‑deleted” but not permanently removed, potentially exposing records from the entire service lifecycle.

In the Dutch case, work‑related data of AP staff were accessed. The European Commission detected traces of the attack but contained it within nine hours, reporting no direct compromise of mobile devices. Valtori disclosed that up to 50,000 Finnish government employees could be affected.

Response and Mitigation

All three organisations took immediate steps:

  • Applied Ivanti’s security patches on 29 January 2026.
  • Notified national cybersecurity authorities (e.g., the Dutch NCSC).
  • Conducted forensic investigations, with the EU Commission monitoring the situation for nine hours.
  • Reviewed data‑deletion processes to ensure permanent removal of obsolete records.

Ivanti also issued guidance on hardening EPMM deployments and recommended regular patch cycles.

Lessons Learned

The series of breaches highlights several key takeaways for organisations relying on MDM solutions:

  • Zero‑day vulnerabilities can be weaponised within days of discovery; rapid patch deployment is essential.
  • Data retention policies must include secure, irreversible deletion mechanisms.
  • Continuous monitoring for anomalous activity can limit exposure time, as demonstrated by the EU Commission’s nine‑hour containment.
  • Collaboration between vendors, national CSIRTs and affected agencies accelerates incident response.

Experts from Wiz stress that AI‑driven, context‑aware forensics can accelerate cloud investigations, providing clearer insight into breach timelines and attacker tactics.