The Netherlands’ Dutch Data Protection Authority (AP) and the Council for the Judiciary confirmed both agencies (Rvdr) have disclosed that their systems were impacted by cyber attacks that exploited the recently disclosed security flaws in Ivanti Endpoint Manager Mobile (EPMM), according to a notice sent to the country’s parliament on Friday.
“On January 29, the National Cyber Security Center (NCSC) was informed by the supplier of vulnerabilities in EPMM,” the Dutch authorities said. “EPMM is used to manage mobile devices, apps, and content, including their security.”
“It is now known that work-related data of AP employees, such as names, business email addresses, and telephone numbers, have been accessed by unauthorized persons.”
The development comes as the European Commission also revealed that its central infrastructure managing mobile devices “identified traces” of a cyber attack that may have resulted in access to names and mobile numbers of some of its staff members. The Commission said the incident was contained within nine hours, and that no compromise of mobile devices was detected.
“The Commission takes seriously the security and resilience of its internal systems and data and will continue to monitor the situation,” it added. “It will take all necessary measures to ensure the security of its systems.”
Although the name of the vendor was specified and no details were shared on how the attackers managed to gain access, it’s suspected to be linked to malicious activity exploiting flaws in Ivanti EPMM.
Finland’s state information and communications technology provider, Valtori, also disclosed a breach that exposed work-related details of up to 50,000 government employees. The incident, identified on January 30, 2026, targeted a zero-day vulnerability in the mobile device management service.
The agency said it installed the corrective patch on January 29, 2026, the same day Ivanti released fixes for CVE-2026-1281 and CVE-2026-1340 (CVSS scores: 9.8), which could be exploited by an attacker to achieve unauthenticated remote code execution.
Ivanti has acknowledged that the vulnerabilities have been exploited as zero-days, and that a “very limited number of customers” were exploited, but it has not provided an updated victim count.
The attacker is said to have gained access to information used in operating the service, including names, work email addresses, phone numbers, and device details.
“Investigations have shown that the management system did not permanently delete removed data but only marked it as deleted,” it said “As a result, device and user data belonging to all organizations that have used the service during its lifecycle may have been compromised. In certain cases, a single mobile device may have multiple users.”
watchTowr CEO Benjamin Harris told The Hacker News in an emailed statement that the attacks are not acts of random opportunism, but rather the work of a “highly skilled, well-resourced actor executing a precision campaign.”
“Attackers are targeting your most trusted, deeply embedded enterprise systems. Anything assumed to be ‘internal’ or ‘safe’ should now be viewed with suspicion,” Harris said.
“Resilience is as important as prevention, especially when attackers move fast and operate with surgical precision. What differentiates minor headaches from full-blown crises is speed: how quickly teams identify anomalies, validate weaknesses, and contain the damage.”
The campaign targeting European government institutions coincides with the discovery of what appears to be a coordinated activity targeting EPMM instances to upload a dormant payload following the exploitation of CVE-2026-1281 and CVE-2026-1340, creating a pathway for future attacks. The main responsibility of the loader is to receive, load, and execute a second Java class delivered via HTTP.
“This campaign deployed a dormant in-memory Java class loader to /mifs/403.jsp – a somewhat lesser common web shell path,” the company said. “The implant can only be activated with a specific trigger parameter, and no follow-on exploitation has yet been observed. This is suggestive of initial access broker (IAB) tradecraft: gain a foothold, then sell or hand off access later.”
