Data Breach Impact
The Dutch Data Protection Authority (AP) and the Netherlands' Council for the Judiciary have disclosed that their systems were compromised in cyber attacks exploiting recently disclosed security flaws in Ivanti Endpoint Manager Mobile (EPMM).
According to a notice sent to the country's parliament, the National Cyber Security Center (NCSC) was informed by the supplier about vulnerabilities in EPMM on January 29. The software is used to manage mobile devices, apps, and content, including their security.
Scope of the Breach
Work-related data of AP employees has been accessed by unauthorized persons, including:
- Names
- Business email addresses
- Telephone numbers
The European Commission also revealed that its central infrastructure managing mobile devices "identified traces" of a cyber attack that may have resulted in access to names and mobile numbers of some staff members. The incident was contained within nine hours, with no compromise of mobile devices detected.
Finland Also Affected
Finland's state information and communications technology provider, Valtori, disclosed a breach that exposed work-related details of up to 50,000 government employees. The incident, identified on January 30, 2026, involved the exploitation of a zero-day vulnerability in the mobile device management service.
The agency installed the corrective patch on January 29, 2026, the same day Ivanti released fixes for CVE-2026-1281 and CVE-2026-1340 (CVSS scores: 9.8), which could be exploited by an attacker to achieve unauthenticated remote code execution.
Investigation Findings
Investigations revealed that the management system did not permanently delete removed data but only marked it as deleted. As a result, device and user data belonging to all organizations that have used the service during its lifecycle may have been compromised.
Expert Analysis
watchTowr CEO Benjamin Harris stated that the attacks are not acts of random opportunism, but rather the work of a "highly skilled, well-resourced actor executing a precision campaign."
"Attackers are targeting your most trusted, deeply embedded enterprise systems. Anything assumed to be 'internal' or 'safe' should now be viewed with suspicion," Harris said.
He emphasized that resilience is as important as prevention, especially when attackers move fast and operate with surgical precision. What differentiates minor headaches from full-blown crises is speed: how quickly teams identify anomalies, validate weaknesses, and contain the damage.
Source: The Hacker News: Dutch Authorities Confirm Ivanti Zero-Day Exploit Exposed Employee Contact Data