Dutch Authorities Confirm Ivanti Zero-Day Exploit Exposed Employee Contact Data

BREAKING: Ivanti EPMM Zero-Day Flaw Sparks Massive Data Breach Across European Government Agencies

In a shocking turn of events, multiple European government agencies have fallen victim to a sophisticated cyber attack exploiting critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The breach, which has sent shockwaves through the cybersecurity community, has exposed sensitive work-related data of thousands of government employees, raising serious concerns about the security of enterprise systems worldwide.

The Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) were among the first to confirm the breach, revealing that unauthorized actors had accessed employee names, business email addresses, and telephone numbers. The attack, which targeted the EPMM platform used to manage mobile devices, apps, and content, has left Dutch authorities scrambling to contain the fallout.

In a letter sent to the country’s parliament, Dutch officials disclosed that the National Cyber Security Center (NCSC) was alerted to the vulnerabilities by the supplier on January 29, 2026. The timing of the breach is particularly concerning, as it occurred just days after Ivanti released patches for two critical zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, both of which were assigned a CVSS score of 9.8.

But the Dutch agencies weren’t the only ones affected. The European Commission also confirmed that its central infrastructure managing mobile devices had identified traces of a cyber attack. While the Commission stated that the incident was contained within nine hours and no mobile devices were compromised, the breach still exposed the names and mobile numbers of some staff members.

The Finnish government was also hit hard by the attack. Valtori, the state information and communications technology provider, disclosed a breach that exposed work-related details of up to 50,000 government employees. The incident, identified on January 30, 2026, targeted a zero-day vulnerability in the mobile device management service. Valtori installed the corrective patch on January 29, 2026, the same day Ivanti released the fixes, but the damage had already been done.

Ivanti has acknowledged that the vulnerabilities were exploited as zero-days, but the company has been tight-lipped about the extent of the damage. In a statement, Ivanti admitted that a “very limited number of customers” were exploited, but it has not provided an updated victim count. This lack of transparency has only fueled speculation about the true scale of the breach.

Cybersecurity experts are warning that the attacks are not acts of random opportunism but rather the work of a “highly skilled, well-resourced actor executing a precision campaign.” Benjamin Harris, CEO of watchTowr, told The Hacker News in an emailed statement that attackers are targeting deeply embedded enterprise systems, and anything assumed to be “internal” or “safe” should now be viewed with suspicion.

The campaign targeting European government institutions coincides with the discovery of what appears to be coordinated activity against EPMM instances, in which a dormant payload is uploaded after CVE-2026-1281 and CVE-2026-1340 are exploited. The payload is a loader whose main responsibility is to receive, load, and execute a second Java class delivered via HTTP.

“This campaign deployed a dormant in-memory Java class loader to /mifs/403.jsp – a somewhat lesser common web shell path,” said Defused Cyber, a cybersecurity firm. “The implant can only be activated with a specific trigger parameter, and no follow-on exploitation has yet been observed. This is suggestive of initial access broker (IAB) tradecraft: gain a foothold, then sell or hand off access later.”
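A log-triage example for the implant path quoted above, added here and not code from Defused Cyber, Ivanti, or this article. It assumes access logs in Combined Log Format; the sample lines, addresses and the `k=v` parameter are constructed, and the "parameterised" label is a triage heuristic, since the article does not name the actual trigger parameter.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

IMPLANT_PATH = "/mifs/403.jsp"  # path reported in the article

# Combined Log Format is an assumption; adapt the pattern to your server's log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation address ranges), not real telemetry.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Jan/2026:08:15:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Jan/2026:08:16:40 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    '198.51.100.7 - - [30/Jan/2026:08:16:55 +0000] "POST /mifs/403.jsp?k=v HTTP/1.1" 200 12 "-" "curl/8.5.0"',
    '203.0.113.44 - - [30/Jan/2026:09:01:13 +0000] "GET /mifs/%34%30%33.jsp;x=1 HTTP/1.1" 404 196 "-" "-"',
]

def triage(lines):
    """Return {client_ip: [finding, ...]} for every request that reached the implant path."""
    findings = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        parts = urlsplit(m["target"])
        # Undo percent-encoding and drop ";param" suffixes so encoded variants still match.
        path = unquote(parts.path).split(";", 1)[0]
        if path != IMPLANT_PATH:
            continue
        # Heuristic (assumption): a query string or body-carrying method deserves review
        # first, because the article says the loader waits for a trigger parameter.
        carries_input = bool(parts.query) or m["method"] in {"POST", "PUT"}
        findings[m["ip"]].append({
            "time": m["ts"],
            "method": m["method"],
            "status": int(m["status"]),
            "kind": "parameterised" if carries_input else "probe",
        })
    return dict(findings)

if __name__ == "__main__":
    for ip, hits in triage(SAMPLE_LOG).items():
        for h in hits:
            print(ip, h["time"], h["method"], h["status"], h["kind"])
```

Any hit is a lead for investigation rather than proof of compromise; correlate the source addresses and timestamps with the patch date and with file-system checks on the appliance.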

The implications of this breach are staggering. With sensitive government data now in the hands of unknown actors, the potential for further exploitation is immense. The attack has also raised serious questions about the security of enterprise systems and the ability of organizations to protect themselves against sophisticated cyber threats.

As the investigation into the breach continues, one thing is clear: the attackers are not done yet. With a dormant payload now in place, the potential for future attacks is very real. Organizations using Ivanti EPMM are being urged to patch their systems immediately and remain vigilant for any signs of compromise.

In the wake of this breach, the cybersecurity community is calling for greater transparency from vendors like Ivanti and more robust security measures to protect against zero-day vulnerabilities. The stakes have never been higher, and the need for action has never been more urgent.
