Ivanti EPMM Zero-Day Exploits: Dutch Authorities Confirm Employee Contact Data Breach in European Government Cyberattacks
- Rescana

Executive Summary
In late January 2026, Dutch authorities, including the Dutch Data Protection Authority and the Council for the Judiciary, confirmed that a sophisticated cyberattack leveraging a zero-day exploit in Ivanti Endpoint Manager Mobile (EPMM) resulted in unauthorized access to employee contact data. This incident is part of a broader campaign targeting European governmental and critical infrastructure entities, with the European Commission and Finnish government systems also affected. The attackers exploited two critical, previously unknown vulnerabilities—CVE-2026-1281 and CVE-2026-1340—in Ivanti EPMM, enabling remote, unauthenticated code execution on unpatched servers. The rapid weaponization and exploitation of these vulnerabilities underscore the persistent threat posed by advanced actors targeting public-facing management platforms. Immediate patching, comprehensive log review, and architectural hardening are essential to mitigate ongoing risks.
Threat Actor Profile
Attribution for this campaign remains unconfirmed, with no specific Advanced Persistent Threat (APT) group publicly named. However, the operational tempo, targeting of government and critical infrastructure, and exploitation of zero-day vulnerabilities are consistent with state-sponsored or highly organized cybercriminal groups. The attackers demonstrated advanced reconnaissance capabilities, rapidly identifying and exploiting vulnerable Ivanti EPMM instances across multiple jurisdictions. The opportunistic nature of the campaign, combined with the lack of financial extortion or ransomware deployment, suggests a focus on intelligence gathering and persistent access rather than immediate financial gain. Historical context indicates that similar vulnerabilities in Ivanti products have previously been exploited by actors linked to espionage operations, notably in the 2023 attacks against Norwegian government agencies.
Technical Analysis of Malware/TTPs
The attack chain began with the identification of internet-exposed Ivanti EPMM servers. The attackers utilized specially crafted HTTP requests to exploit CVE-2026-1281 and CVE-2026-1340, both of which are remote code injection vulnerabilities. These flaws allow unauthenticated attackers to execute arbitrary commands on the underlying operating system of the EPMM server. Technical analysis by watchTowr Labs and eSentire indicates that the vulnerabilities stem from improper input validation in the EPMM web interface, enabling command injection via Bash shell constructs.
Upon successful exploitation, the attackers gained privileged access to the EPMM server environment. Post-exploitation activities included enumeration of local databases and extraction of sensitive employee contact information, such as names, business email addresses, and telephone numbers. There is no public evidence of malware deployment or lateral movement beyond the EPMM environment in the European Commission case, suggesting a focused data exfiltration objective.
The attack techniques map to several MITRE ATT&CK tactics and techniques: T1190 (Exploit Public-Facing Application) for initial access, T1055 (Process Injection) for code execution, T1005 (Data from Local System) for data collection, and T1041 (Exfiltration Over C2 Channel) for data exfiltration, though the latter is inferred from the nature of the breach rather than explicit forensic evidence.
Exploitation in the Wild
The vulnerabilities were publicly disclosed by Ivanti on January 29, 2026, but exploitation had already been observed in the wild prior to disclosure. The Dutch Data Protection Authority and the Council for the Judiciary reported unauthorized access to employee data on the same day as the vendor advisory. The European Commission detected traces of malicious activity on January 30, 2026, and contained the incident within nine hours, according to official statements.
Global scanning and exploitation were confirmed by Shadowserver, which identified at least 86 compromised Ivanti EPMM instances worldwide. National cybersecurity agencies in Canada, Singapore, and the United Kingdom issued emergency advisories, warning of active exploitation and urging immediate patching. The UK's NHS Digital National Cyber Security Operations Centre (CSOC) also reported related activity in healthcare networks. No evidence of lateral movement or compromise of managed mobile devices was found in the European Commission case, indicating that the attackers' objectives were limited to data accessible via the EPMM management interface.
Victimology and Targeting
The primary victims of this campaign are governmental and critical infrastructure organizations operating Ivanti EPMM servers exposed to the internet. Confirmed affected entities include the Dutch Data Protection Authority, the Council for the Judiciary, the European Commission, and Finnish government systems. Additional reports indicate targeting of healthcare, judiciary, and other public sector organizations in the United Kingdom, Canada, and Singapore.
The attackers focused on harvesting employee contact data, including names, business email addresses, and telephone numbers. While the exposed data is not classified as highly sensitive, its aggregation could facilitate further social engineering, phishing, or credential harvesting campaigns. The selection of targets and the nature of the data accessed suggest a preparatory phase for broader intelligence operations rather than immediate disruptive or destructive activity.
Mitigation and Countermeasures
Organizations operating Ivanti EPMM must take immediate action to mitigate the risk posed by CVE-2026-1281 and CVE-2026-1340. The following countermeasures are recommended:
- Patch all Ivanti EPMM servers without delay, applying the latest security updates provided by Ivanti. Patches must be reapplied after any product upgrades, as interim updates may not include permanent fixes.
- Conduct a comprehensive review of EPMM server logs, searching for indicators of exploitation such as anomalous HTTP requests, unexpected process execution, or unauthorized data access events.
- Eliminate internet exposure of EPMM management interfaces wherever possible; restrict access to trusted networks and protect it with VPNs or robust access controls.
- Monitor advisories from Ivanti and national cybersecurity agencies for further updates, as the patching process has been fragmented and may require multiple iterations.
- In the event of suspected compromise, isolate affected systems, reset credentials, and initiate a full incident response process, including forensic analysis and notification of relevant authorities.
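As an added illustration of the log review step above (this is example code, not from the original article, Ivanti, or any of the cited researchers), the following Python heuristic parses access-log lines, percent-decodes each request target so double-encoded input is not missed, and flags requests whose parameters carry Bash command-substitution or separator constructs of the kind the analysis above describes. The log format, paths, addresses and the regex of suspicious constructs are constructed assumptions and are not real EPMM endpoints or indicators of compromise.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format. Hosts and paths are made up
# for illustration; they are not real Ivanti EPMM endpoints or known indicators.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jan/2026:10:12:01 +0000] "GET /example/login HTTP/1.1" 200 1432
10.0.0.5 - - [29/Jan/2026:10:12:09 +0000] "POST /example/api/devices HTTP/1.1" 200 512
203.0.113.7 - - [29/Jan/2026:10:13:44 +0000] "GET /example/report?name=$(uname) HTTP/1.1" 200 87
203.0.113.7 - - [29/Jan/2026:10:13:51 +0000] "GET /example/report?name=%2524%2528uname%2529 HTTP/1.1" 200 87
198.51.100.9 - - [29/Jan/2026:10:14:02 +0000] "GET /example/static/app.js HTTP/1.1" 304 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Heuristic (assumed, tune for your environment): Bash constructs that have no
# business in a management-UI URL: command substitution $( ) and backticks,
# parameter expansion ${ }, pipes, && chaining and output redirection.
# A bare ';' is deliberately excluded because ';jsessionid=' is legitimate.
SHELL_RE = re.compile(r'\$\(|`|\$\{|\|\||\||&&|>')


def fully_decode(s, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_log(text):
    """Return (ip, timestamp, decoded_target, status) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        target = fully_decode(m['target'])
        if SHELL_RE.search(target):
            hits.append((m['ip'], m['ts'], target, int(m['status'])))
    return hits


if __name__ == "__main__":
    for ip, ts, target, status in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} -> {status} {target}")
```

Requests flagged with a 2xx status deserve priority, since a successful response to a request carrying shell constructs is a stronger signal than a rejected one.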
Long-term, organizations should consider architectural changes to minimize the attack surface of management platforms, implement network segmentation, and adopt a zero-trust approach to privileged access.
References
BleepingComputer: European Commission discloses breach that exposed staff data
CyberScoop: Fallout from latest Ivanti zero-days
eSentire Security Advisory: Ivanti Zero-Day Vulnerabilities CVE-2026-1281, CVE-2026-1340 Disclosed
Ivanti Security Advisory: Ivanti Endpoint Manager Mobile EPMM CVE-2026-1281, CVE-2026-1340
NVD: CVE-2026-1281
NVD: CVE-2026-1340
watchTowr Labs: Ivanti EPMM Pre-Auth RCEs CVE-2026-1281, CVE-2026-1340
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their extended supply chain. Our advanced analytics and automation capabilities empower security teams to identify vulnerabilities, prioritize remediation, and ensure compliance with evolving regulatory requirements. For more information about how Rescana can help your organization strengthen its cyber resilience, please contact us at ops@rescana.com.