Dutch Authorities Confirm Ivanti Zero-Day Exploit Exposed Employee Contact Data

Dutch authorities have confirmed that recent cyber attacks exploiting zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) led to unauthorized access to employee contact information within government systems.

The Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) revealed that their environments were affected after attackers abused newly disclosed flaws in Ivanti EPMM. The confirmation was shared in an official notice submitted to the Dutch parliament on Friday.

According to the statement, the National Cyber Security Center (NCSC) was alerted on January 29 after Ivanti disclosed the existence of critical vulnerabilities in EPMM. The platform is widely used to manage mobile devices, applications, content, and associated security controls.

Authorities have since confirmed that attackers accessed work-related employee information, including names, official email addresses, and telephone numbers. No evidence has emerged suggesting misuse of the exposed data at this stage.

Broader Impact Across European Institutions

The disclosure follows similar findings by the European Commission, which reported that its centralized mobile device management infrastructure detected indicators of a cyber intrusion. The suspected breach may have allowed access to names and mobile phone numbers of some Commission staff.

The Commission stated that the incident was identified and contained within nine hours, emphasizing that no mobile devices themselves were compromised. Officials reiterated their commitment to maintaining strong internal security controls and confirmed that continuous monitoring remains in place.

While authorities have not officially named the vendor in all disclosures, investigators believe the incidents are connected to exploitation of vulnerabilities in Ivanti EPMM.

Finland Reports Large-Scale Exposure Linked to Zero-Day Flaw

Finland’s government ICT provider, Valtori, also confirmed a security breach involving its mobile device management service. The incident, discovered on January 30, 2026, exposed work-related details of up to 50,000 government employees.

Valtori stated that it applied corrective updates on January 29, 2026, the same day Ivanti released patches for CVE-2026-1281 and CVE-2026-1340. Both vulnerabilities carry a CVSS score of 9.8 and allow unauthenticated remote code execution.

Ivanti has acknowledged that the flaws were actively exploited as zero-days, noting that a limited number of customers were impacted. However, the company has not disclosed an updated number of affected organizations.

Persistent Data and Elevated Risk

Investigators found that the affected management system did not permanently delete removed records, instead only flagging them as deleted. As a result, device and user data from all organizations that used the service during its operational lifetime may have been exposed. In some cases, multiple users were associated with a single mobile device.

Security researchers warn that such behavior significantly increases the scale and severity of potential data exposure.
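
The soft-delete behavior described above, as an added example that is not from the original article or from the affected product. It assumes a hypothetical `enrollment` table with a `deleted_at` tombstone column and constructed sample rows, and compares what the application shows with what a direct database read returns, before and after a retention purge.

```python
import sqlite3

# Hypothetical MDM-style schema (an assumption, not the affected product's):
# "removing" a record only sets deleted_at; the row stays in the table.
SCHEMA = """
CREATE TABLE enrollment(
    id INTEGER PRIMARY KEY, org_id INTEGER, device TEXT,
    user_name TEXT, phone TEXT, deleted_at TEXT);
"""

# Constructed sample rows: (id, org, device, user, phone, deleted_at)
ROWS = [
    (1, 1, "dev-01", "alice", "+000-0001", None),          # active
    (2, 1, "dev-01", "bob",   "+000-0002", "2021-03-01"),  # device reassigned
    (3, 1, "dev-02", "carol", "+000-0003", "2025-12-15"),  # recently removed
    (4, 2, "dev-09", "dave",  "+000-0004", "2019-06-30"),  # org left the service
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO enrollment VALUES (?,?,?,?,?,?)", ROWS)
    return db

def exposure(db):
    """Compare the application's view with what is readable in the database."""
    one = lambda q: db.execute(q).fetchone()[0]
    shared = db.execute(
        "SELECT device FROM enrollment GROUP BY device "
        "HAVING COUNT(DISTINCT user_name) > 1 ORDER BY device").fetchall()
    return {
        # What an admin console filtering on the tombstone would list.
        "app_view": one("SELECT COUNT(*) FROM enrollment WHERE deleted_at IS NULL"),
        # What anyone with database-level access can read.
        "on_disk": one("SELECT COUNT(*) FROM enrollment"),
        "orgs": one("SELECT COUNT(DISTINCT org_id) FROM enrollment"),
        # Devices whose history ties them to more than one person.
        "shared_devices": [r[0] for r in shared],
    }

def purge(db, cutoff):
    """Hard-delete tombstoned rows older than cutoff (ISO date string)."""
    cur = db.execute(
        "DELETE FROM enrollment WHERE deleted_at IS NOT NULL AND deleted_at < ?",
        (cutoff,))
    db.commit()
    return cur.rowcount  # number of rows actually erased
```

Breach scoping has to count the `on_disk` population, not the `app_view` one; only the purge reduces what a later compromise can reach.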

Commenting on the attacks, watchTowr CEO Benjamin Harris described the activity as a highly targeted operation rather than opportunistic exploitation. He emphasized that attackers are increasingly focusing on trusted internal enterprise systems that organizations traditionally view as secure.

Harris added that resilience and rapid response are critical in minimizing damage, noting that the speed at which teams detect anomalies, validate weaknesses, and contain incidents often determines whether an attack becomes a minor disruption or a full-scale crisis.


