Dutch Agencies Confirm Breach Via Ivanti Zero-Day Exploit, Exposing Employee Data
#Vulnerabilities

Security Reporter
2 min read

Dutch authorities confirm attackers exploited Ivanti EPMM zero-day vulnerabilities to access government employee contact information, revealing broader impacts across European agencies and highlighting critical patching urgency.

The Dutch Data Protection Authority (AP) and Council for the Judiciary (Rvdr) have confirmed their systems were compromised through actively exploited zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). Attackers accessed sensitive employee data including names, business email addresses, and phone numbers.

This breach announcement follows similar disclosures from the European Commission and Finland's state IT provider Valtori, where attackers exploited the same critical Ivanti flaws (CVE-2026-1281 and CVE-2026-1340) to access government employee information. The coordinated attacks impacted thousands across Europe, with Finland alone reporting exposure of work details for up to 50,000 employees.

The Technical Breakdown

Both vulnerabilities carry CVSS 9.8 severity scores and enable unauthenticated remote code execution (RCE) on vulnerable Ivanti EPMM systems. According to Ivanti's advisory, attackers gained access to "information used in operating the service," including device details alongside personal employee data.

A critical discovery during forensic investigations revealed that Ivanti's management system didn't permanently delete removed data—it merely marked records as deleted. This means historical device and user information from all organizations that ever used the service remained accessible to attackers.

Benjamin Harris, CEO of security firm watchTowr, emphasized the sophistication behind these attacks: "This isn't random opportunism but a highly skilled, well-resourced actor executing a precision campaign. Attackers are targeting your most trusted, deeply embedded enterprise systems. Anything assumed 'internal' or 'safe' should now be viewed with suspicion."

Immediate Action Steps

  1. Patch Urgently: Apply Ivanti's January 29 security updates immediately if using EPMM. Unpatched systems remain vulnerable to exploitation.
  2. Forensic Audit: Investigate systems for IOC patterns documented in Ivanti's threat guidance. Focus on unexpected system changes between January 10-29.
  3. Data Deletion Verification: Audit data lifecycle processes. Confirm sensitive records are irreversibly purged—not just marked as deleted.
  4. Assume Compromise: Monitor all accounts and systems accessible through EPMM. Reset credentials for potentially exposed employees.
  5. Segment Critical Systems: Isolate mobile device management infrastructure from core networks to contain future breaches.
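To make step 3 concrete, the following added example (not code from the article, from Ivanti, or from any of the agencies named) models the soft-delete pattern the forensic findings describe: a record "deleted" by flipping a flag stays readable to anyone with raw database access, while a hard purge with SQLite's `secure_delete` pragma actually removes it. The table layout, organisation names and contact values are constructed sample data.

```python
import sqlite3

# Constructed sample inventory in the shape of an MDM device table: device id, the
# assigned employee's business e-mail and phone, and the tenant that owns the device.
SAMPLE_DEVICES = [
    ("dev-001", "alice@example.org", "+31-6-0000-0001", "org-a"),
    ("dev-002", "bob@example.org", "+31-6-0000-0002", "org-a"),
    ("dev-003", "carol@example.org", "+31-6-0000-0003", "org-b"),
]


def build_db():
    """In-memory table with a 'deleted' flag, the pattern behind 'marked as deleted'."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    conn.execute(
        "CREATE TABLE devices (id TEXT PRIMARY KEY, email TEXT, phone TEXT, "
        "org TEXT, deleted INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO devices (id, email, phone, org) VALUES (?, ?, ?, ?)", SAMPLE_DEVICES
    )
    return conn


def soft_delete_org(conn, org):
    """Weak pattern: offboarding a tenant only hides its rows from the application view."""
    conn.execute("UPDATE devices SET deleted = 1 WHERE org = ?", (org,))


def hard_purge_org(conn, org):
    """Corrected pattern: remove the rows and have SQLite overwrite the freed content."""
    conn.execute("PRAGMA secure_delete = ON")  # zero out deleted content instead of leaving it in free pages
    conn.execute("DELETE FROM devices WHERE org = ?", (org,))


def visible_emails(conn):
    """What the application's normal 'active devices' view returns."""
    return sorted(r[0] for r in conn.execute("SELECT email FROM devices WHERE deleted = 0"))


def recoverable_emails(conn):
    """What a party with direct table access (e.g. after RCE on the server) can still read."""
    return sorted(r[0] for r in conn.execute("SELECT email FROM devices"))


def audit_residual_pii(conn):
    """Step 3 check: personal data hidden from the UI but still present in storage."""
    return sorted(r[0] for r in conn.execute("SELECT email FROM devices WHERE deleted = 1"))
```

Running `audit_residual_pii` after an offboarding should return an empty list; any rows it returns are exactly the records a historical-data exposure of the kind described above would leak.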

Harris stresses operational resilience: "What differentiates minor headaches from full-blown crises is speed: how quickly teams identify anomalies, validate weaknesses, and contain damage."

The Dutch AP stated it's working with national cybersecurity authorities on mitigation, while the European Commission confirmed containment within nine hours of detection. Organizations using Ivanti EPMM should prioritize these vulnerabilities—evidence shows attackers move rapidly once zero-days become public.
