European Commission Investigates Ivanti EPMM Zero-Day Cyberattack Exposing Staff Data
- Rescana

Executive Summary
On January 30, 2026, the European Commission detected traces of a cyberattack targeting its central infrastructure responsible for managing staff mobile devices. The incident was contained and the affected system was cleaned within nine hours, with no evidence found of compromise to the mobile devices themselves. However, unauthorized access to staff names and mobile numbers of some Commission employees may have occurred. The attack is strongly linked to exploitation of two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile (EPMM), a widely used mobile device management platform. These vulnerabilities allow remote, unauthenticated attackers to execute arbitrary code on unpatched EPMM servers. Similar attacks have been reported against Dutch government institutions, and global advisories have been issued by national security agencies. The incident underscores the ongoing risk posed by rapidly exploited vulnerabilities in internet-facing management platforms, particularly in government and critical infrastructure sectors. All findings in this report are based on direct evidence from primary sources, with all claims immediately cited.
Technical Information
The attack on the European Commission was detected on January 30, 2026, when CERT-EU, the central cybersecurity service for EU institutions, identified traces of unauthorized activity on the infrastructure managing mobile devices. The affected system is responsible for provisioning, securing, and managing mobile devices used by Commission staff. The incident was contained within nine hours, and forensic analysis found no evidence that the mobile devices themselves were compromised. However, the attackers may have accessed personal information, specifically staff names and mobile numbers, stored within the management platform (BleepingComputer, The Record, Computing.co.uk).
The technical vector for the attack is strongly linked to exploitation of two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340. Both vulnerabilities are code-injection flaws that allow remote attackers to execute arbitrary code on unpatched EPMM servers without authentication. These vulnerabilities were publicly disclosed by Ivanti on January 29, 2026, and were already being exploited in the wild at the time of disclosure (BleepingComputer, The Record, Computing.co.uk).
Ivanti Endpoint Manager Mobile (EPMM) is a mobile device management (MDM) solution used by enterprises and government agencies to control, secure, and enforce policies on mobile devices. The vulnerabilities in question allow attackers to send specially crafted requests to the EPMM web interface, resulting in arbitrary code execution on the server. This provides attackers with the ability to access sensitive data stored in the management system, manipulate device configurations, or potentially pivot to other internal resources. However, in the case of the European Commission, there is no evidence that attackers moved laterally or compromised managed devices.
The attack method aligns with the following MITRE ATT&CK techniques:
Initial Access (T1190: Exploit Public-Facing Application): Attackers exploited the EPMM web interface, which is internet-facing by design, to gain initial access. This is supported by direct evidence from vendor advisories and incident reports.
Execution (T1059: Command and Scripting Interpreter, inferred): The code-injection flaws let attackers run arbitrary code on the EPMM server, as described in the CVE documentation and vendor advisories. The exact interpreter or payload used has not been disclosed, so the technique mapping is inferred; T1055 (Process Injection) is a defense-evasion technique and does not describe server-side exploitation.
Collection (T1005: Data from Local System): Attackers accessed staff names and mobile numbers stored in the EPMM system, as confirmed by incident disclosures.
Exfiltration (T1041: Exfiltration Over C2 Channel): While data was accessed by unauthorized parties, the specific exfiltration method was not detailed in public disclosures. This is inferred with medium confidence.
No specific malware or post-exploitation tools were identified in the public disclosures. The attack relied on direct exploitation of the EPMM vulnerabilities for code execution, and all sources state there is no evidence of malware or device compromise (BleepingComputer).
The incident is part of a broader wave of attacks targeting government and critical infrastructure organizations using Ivanti EPMM. Similar breaches were reported by the Dutch Data Protection Authority and the Council for the Judiciary, where attackers accessed names, business email addresses, and telephone numbers of employees. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added one of the vulnerabilities to its Known Exploited Vulnerabilities Catalog, and national cyber agencies in Canada, Singapore, and the UK have issued warnings confirming active exploitation of these flaws (The Record).
No public attribution has been made for the attacks. The pattern of opportunistic exploitation, the targeting of government and critical infrastructure, and the rapid weaponization of newly disclosed vulnerabilities suggest the involvement of either state-backed or cybercriminal actors, but there is no direct technical evidence linking the campaign to a specific group. Similar vulnerabilities in Ivanti EPMM were exploited in 2023, when 12 Norwegian government agencies were breached, highlighting the persistent risk associated with mobile management platforms (The Record).
Patching for the vulnerabilities has been described as fragmented and complex, with different versions of Ivanti EPMM requiring different patches. This approach has left some customers at continued risk, and Ivanti is reportedly working on a more comprehensive update (Computing.co.uk).
Affected Versions & Timeline
The vulnerabilities exploited in this campaign are CVE-2026-1281 and CVE-2026-1340, both affecting Ivanti Endpoint Manager Mobile (EPMM). These are code-injection vulnerabilities that allow remote, unauthenticated code execution on unpatched EPMM servers.
The timeline of the incident is as follows: On January 29, 2026, Ivanti publicly disclosed the two critical vulnerabilities and issued patches. On January 30, 2026, the European Commission detected traces of a cyberattack on its mobile device management infrastructure. The incident was contained and the system cleaned within nine hours. Public disclosure and media reporting occurred on February 9, 2026 (BleepingComputer, The Record, Computing.co.uk).
Other affected organizations include the Dutch Data Protection Authority and the Council for the Judiciary, which confirmed exploitation of the same vulnerabilities and unauthorized access to employee data. The vulnerabilities are being actively weaponized against government and critical infrastructure sectors globally, as evidenced by advisories from the US, UK, Canada, and Singapore (The Record).
Threat Activity
The threat activity observed in this incident is characterized by rapid exploitation of newly disclosed zero-day vulnerabilities in Ivanti EPMM. Attackers scanned for internet-facing EPMM servers and exploited CVE-2026-1281 and CVE-2026-1340 to gain unauthenticated remote code execution. The primary objective appears to have been access to sensitive data stored in the management platform, specifically staff names and mobile numbers in the case of the European Commission.
No evidence was found of lateral movement, credential access, or compromise of managed mobile devices. The attack was contained quickly, and incident response teams found no signs of malware or post-exploitation tools. The campaign fits a pattern of opportunistic exploitation of edge device vulnerabilities, with government and critical infrastructure organizations as primary targets.
The global advisories indicate that the vulnerabilities are being exploited at scale, possibly by more than one actor, though no public attribution has been made. The attack surface is inherent to EPMM's role: its servers are internet-facing so that they can manage mobile devices remotely. The speed of exploitation highlights the need for immediate patching and robust monitoring of management platforms (The Record, Computing.co.uk).
Mitigation & Workarounds
The following mitigation and workaround recommendations are prioritized by severity:
Critical: Immediately apply all available security patches for Ivanti Endpoint Manager Mobile (EPMM), specifically those addressing CVE-2026-1281 and CVE-2026-1340. Organizations should treat all EPMM servers as potentially compromised if they were exposed to the internet and unpatched at the time of disclosure (BleepingComputer, The Record).
Critical: Review EPMM server logs, and the logs of any reverse proxy or WAF in front of the server, for signs of exploitation, unauthorized access, or suspicious activity. Because the flaws were exploited before disclosure, start the review from the oldest retained logs rather than from the advisory date. If compromise is suspected, follow incident response procedures: isolate the affected system and reset the credentials it holds or can reach, including administrator accounts and any directory or integration service accounts.
High: Restrict internet exposure of EPMM servers wherever possible. Place the administrative portal and APIs behind a VPN or other access control; device-facing enrolment and check-in endpoints may need to remain reachable, so limit what is exposed rather than assuming the whole interface must be.
High: Monitor for advisories and updates from Ivanti and relevant national cybersecurity agencies. Apply new patches and mitigations as they become available, as the patching process for EPMM has been described as fragmented and may require multiple updates for different versions (Computing.co.uk).
Medium: Review and update incident response plans to ensure rapid detection and containment of similar attacks. Ensure that staff are trained to recognize and report suspicious activity related to management platforms.
Medium: Assess the data stored within mobile device management platforms and minimize the retention of sensitive information where possible.
Low: Stay informed about emerging threats targeting mobile device management solutions and participate in information-sharing initiatives with sector peers.
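As an added example (not code from Rescana, Ivanti or any of the cited sources), the following Python script applies the triage logic of the recommendations above to a constructed inventory of EPMM instances. It uses the dates from the report's timeline (advisory on 29 January 2026, public reporting on 9 February 2026); the hostnames, inventory fields and the 90-day log-retention figure are constructed assumptions. The point it makes that the list alone does not: because the flaws were exploited before disclosure, every internet-exposed instance counts as potentially compromised even if it was patched on day one, and the log review window starts at the oldest retained log, not at the advisory date.

```python
"""
Exposure-window triage for Ivanti EPMM instances after the January 2026 zero-days.

Added example for this report; not code from Rescana, Ivanti or any cited source.
The inventory, field names and retention figure are constructed assumptions; the
dates come from the timeline in the report.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Ivanti published the advisory and patches on this date. Exploitation was already
# under way, so the true start of the exposure window is unknown.
DISCLOSURE = date(2026, 1, 29)


@dataclass(frozen=True)
class EpmmInstance:
    name: str
    internet_exposed: bool          # web interface reachable from the internet
    patched_on: Optional[date]      # None means still unpatched
    log_retention_days: int = 90    # constructed: how far back logs can be reviewed


def review_window(inst: EpmmInstance, today: date) -> tuple:
    """Log window to examine. The review starts at the oldest retained log (the
    flaws were exploited before disclosure) and ends when the patch was applied,
    or today if it was not."""
    start = today - timedelta(days=inst.log_retention_days)
    end = inst.patched_on if inst.patched_on is not None else today
    return start, end


def days_unpatched_after_disclosure(inst: EpmmInstance, today: date) -> int:
    """Days the instance stayed unpatched after the advisory: a lower bound on
    exposure, since pre-disclosure exploitation is not counted."""
    end = inst.patched_on if inst.patched_on is not None else today
    return max(0, (end - DISCLOSURE).days)


def triage(inst: EpmmInstance, today: date) -> dict:
    """Classify one instance per the report: anything internet-exposed and unpatched
    at disclosure (which, with day-of-disclosure patches, means every exposed
    instance) is treated as potentially compromised."""
    unpatched = inst.patched_on is None
    start, end = review_window(inst, today)

    if inst.internet_exposed and unpatched:
        severity = "critical"
        action = "isolate, assume compromised, begin IR, then patch"
    elif inst.internet_exposed:
        severity = "high"
        action = ("assume potentially compromised: review logs for the window, "
                  "reset credentials, confirm the patch matches this version")
    elif unpatched:
        severity = "high"
        action = "patch now; internal-only exposure still requires a log review"
    else:
        severity = "medium"
        action = "confirm the patch matches this version; routine log review"

    return {
        "name": inst.name,
        "severity": severity,
        "exposed": inst.internet_exposed,
        "action": action,
        "days_unpatched": days_unpatched_after_disclosure(inst, today),
        "review_from": start,
        "review_to": end,
    }


_RANK = {"critical": 0, "high": 1, "medium": 2}


def triage_report(inventory, today: date) -> list:
    """Order by severity, then exposed before internal, then longest lag first."""
    rows = [triage(i, today) for i in inventory]
    rows.sort(key=lambda r: (_RANK[r["severity"]], not r["exposed"], -r["days_unpatched"]))
    return rows


# Constructed inventory; these are not real hosts.
TODAY = date(2026, 2, 9)   # date of public reporting in the report's timeline
INVENTORY = [
    EpmmInstance("epmm-dmz-01", True, None),
    EpmmInstance("epmm-dmz-02", True, date(2026, 2, 2)),
    EpmmInstance("epmm-int-01", False, None),
    EpmmInstance("epmm-int-02", False, date(2026, 1, 30)),
]

if __name__ == "__main__":
    for r in triage_report(INVENTORY, TODAY):
        print(f"{r['severity']:8} {r['name']:12} unpatched {r['days_unpatched']:2}d "
              f"review {r['review_from']}..{r['review_to']}  {r['action']}")
```

Run as-is to see the ordered action list for the constructed inventory; substitute your own inventory, today's date and actual log retention. The "days unpatched" figure is deliberately a lower bound, so a zero for an instance patched on the advisory date does not mean it was never exposed.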
References
https://www.bleepingcomputer.com/news/security/european-commission-discloses-breach-that-exposed-staff-data/
https://therecord.media/eu-dutch-government-announce-hacks-ivanti-zero-days
https://www.computing.co.uk/news/2026/security/european-commission-breached
About Rescana
Rescana provides a third-party risk management (TPRM) platform that enables organizations to continuously monitor and assess the security posture of their vendors and critical suppliers. Our platform supports the identification of vulnerabilities in supply chain technologies, facilitates rapid incident response coordination, and helps organizations maintain compliance with evolving regulatory requirements. For questions regarding this report or to discuss how Rescana can support your risk management efforts, please contact us at ops@rescana.com.