Exploitation of Ivanti EPMM Flaws Leads to Dutch Data Breaches and European Cybersecurity Concerns

February 9, 2026
  • Ivanti had warned about two critical zero-day vulnerabilities in EPMM that allowed remote code execution without authentication, which attackers subsequently exploited.

  • Related notifications from NCSC and Dutch authorities highlight similar vulnerabilities and data exposure in related breaches.

  • The European Commission detected traces of a cyberattack on its mobile device management infrastructure around 30 January, with some staff names and mobile numbers potentially exposed, though no device compromise was confirmed.

  • CERT-EU helped contain the breach within nine hours, and authorities emphasize that while some personnel data may have been exposed, no mobile-device compromises were detected.

  • A cluster of attacks this year on European institutions appears linked to exploiting Ivanti’s Endpoint Manager Mobile (EPMM) flaws, including previous Dutch data breaches where EPMM vulnerabilities were used.

  • Dutch authorities confirmed that breaches, attributed to Ivanti EPMM vulnerabilities, granted attackers access to employee names, business email addresses, and telephone numbers.

  • The Data Protection Authority and the Council for the Judiciary in the Netherlands disclosed that attackers exploited Ivanti EPMM flaws to reach systems and employee data last week.

  • While staff mobile devices were not compromised and containment occurred within about nine hours, the incident underscores persistent exposure risk.

  • A spokesperson for the European Commission did not comment on the incident at the time of reporting.

  • Security experts note Ivanti is releasing patches, but upgrading to newer software versions creates fragmentation in remediation, leaving some customers at ongoing risk until a broader update arrives.

  • The event unfolds amid broader European cybersecurity policy developments, including a proposed overhaul of EU cybersecurity laws announced in mid-January.

  • Ivanti had patched a known flaw (CVE-2025-10573) late last year; two new vulnerabilities (CVE-2026-1281 and CVE-2026-1340) disclosed on 29 January 2026 enable remote code execution on unpatched devices without authentication.

Summary based on 2 sources

