
Cybercriminals exploited two critical code-injection vulnerabilities in Ivanti’s Endpoint Manager Mobile to target several European government agencies, including the Dutch Data Protection Authority and the Council for the Judiciary.
The two Dutch government agencies said in the country’s parliament on Friday that cyber criminals exploited a major vulnerability in Ivanti’s mobile security and management software to access employees’ names, business email addresses and telephone numbers.
The two agencies said they acted quickly to mitigate the impact of the cyber attack, alerted their employees and notified the National Cyber Security Centre. "The CIO for the National Government is coordinating the assessment of whether there is a broader impact within the central government," they said.
The two critical security vulnerabilities in Ivanti’s Endpoint Manager Mobile, assigned CVE-2026-1281 and CVE-2026-1340, let attackers perform remote code execution without authentication. Both vulnerabilities have a CVSS score of 9.8, and the U.S. Cybersecurity and Infrastructure Security Agency has added the former to its Known Exploited Vulnerabilities (KEV) Catalog.
According to NHS Digital, Ivanti’s EPMM, being internet-facing by design, is a "highly attractive target" for cyber criminals, and similar edge devices are routinely and rapidly exploited by criminals in increasing numbers. NHS Digital strongly recommended that organisations apply patches to their edge devices to prevent exploitation of critical vulnerabilities.
Valtori, the Finnish government’s ICT centre, said on February 5 that unknown attackers exploited a critical vulnerability in a mobile device management service to access data associated with about 50,000 Finnish government employees.
"Investigations have shown that the management system did not permanently delete removed data but only marked it as deleted. As a result, device and user data belonging to all organizations that have used the service during its lifecycle may have been compromised," the agency said. The exposed information included users’ names, work email addresses, phone numbers, and device details.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543