Ivanti Data Breach


    Published: March 4, 2026

    Updated: March 4, 2026

    Ivanti Data Breach Hits Dutch Data Watchdog and Judiciary

    What Happened in the Breach

    A newly disclosed pair of critical vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM) platform enabled attackers to gain unauthorised access to mobile‑device management servers used by the Netherlands’ Autoriteit Persoonsgegevens (AP) and the Council for the Judiciary (Rvdr), exposing staff contact data. 

    In a letter to parliament, State Secretary for Justice and Security Arno Rutte and State Secretary for the Interior Van Marum said the National Cyber Security Centre (NCSC‑NL) was notified of the flaws on 29 January 2026, and soon afterwards intrusions were detected that allowed attackers to view work‑related data such as staff names, business e‑mail addresses and telephone numbers. 

    Officials emphasised that the attack targeted Ivanti’s on‑premises EPMM servers and did not compromise mobile devices or other core systems, yet the breach underscores the risks posed by unpatched edge‑device software. The same vulnerabilities were exploited around the same time against the European Commission and Finland’s government ICT centre Valtori, suggesting a wider campaign.

    Timeline: From First Access to Latest Update

    1. Mid Aug 2025: Later forensic work found evidence consistent with successful exploitation during summer 2025 that matched the January 2026 activity pattern.
    2. Jan 28, 2026: Initial signals of exploitation attempts were observed, with success not confirmed at that point.
    3. Jan 29, 2026: Ivanti disclosed two critical Ivanti EPMM vulnerabilities, CVE-2026-1281 and CVE-2026-1340, and released fixes, with confirmed in-the-wild exploitation reported.
    4. Jan 29, 2026: Dutch government systems at the Dutch Data Protection Authority and the Council for the Judiciary were confirmed as impacted in reporting tied to the Ivanti EPMM exploitation timeline.
    5. Jan 30, 2026: CERT-EU detected an intrusion affecting the European Commission’s mobile device management infrastructure, and public reporting described containment within about nine hours with potential exposure of staff names and mobile numbers.
    6. Jan 30, 2026: Finland’s government ICT provider Valtori detected a breach in its mobile device management service affecting about 20,000 mobile device configuration and user data records.
    7. Feb 6, 2026: Dutch state secretaries informed parliament that unauthorized parties viewed work-related employee contact data at the Dutch Data Protection Authority and the Council for the Judiciary, and follow-on investigation was noted.
    8. Feb 12, 2026: NCSC-NL documented an updated Exploitation Detection RPM Package release in coordination with Ivanti.
    9. Feb 23, 2026: Ivanti’s published analysis guidance showed a last-modified update timestamp on Feb 23, 2026.
    10. Feb 27, 2026: The Dutch government issued a follow-up letter on additional findings across government use of Ivanti EPMM, and NCSC-NL published a consolidated case overview dated Feb 27, 2026.
    11. As of Feb 27, 2026: Public information continued to describe ongoing investigation activity, with no final public attribution stated in official updates.

    What Data or Systems Were Affected

    The attackers targeted Ivanti EPMM servers used to manage mobile devices for staff in the Dutch Data Protection Authority and the Council for the Judiciary. According to the Dutch government letter, unauthorised parties accessed work‑related data such as employee names, business e‑mail addresses and telephone numbers. Officials stressed that the intrusions did not compromise mobile devices themselves, nor did the attackers gain access to the content or communications on those devices. 

    Similarly, Finland’s Valtori reported that attackers extracted device metadata and work contact details for up to 50,000 civil servants, while the European Commission noted that only staff names and mobile numbers may have been accessed. There is no evidence that sensitive personal data, payment information or classified information were obtained, but the incident still exposed the identities and contact points of numerous government employees across Europe.

    Who Was Responsible (Confirmed vs Alleged)

    No threat actor has been publicly attributed to the Dutch breaches. Ivanti said it is working with customers and security partners to investigate and described the number of exploited customers as very limited. The Dutch government has not identified a perpetrator and noted that investigations are ongoing. 

    Security researchers suggested that the campaign was the work of a highly skilled, well‑resourced actor executing a precision campaign, but did not provide evidence tying it to a specific nation‑state or criminal group. 

    Past exploitation of Ivanti EPMM zero‑days in 2025 was attributed by CERT‑EU to a suspected China‑nexus threat actor, and experts told Infosecurity Magazine that the new incidents may involve similar actors given the rapid exploitation and the targeting of government institutions. However, until law enforcement releases definitive findings, the identity and motive of the attackers remain unconfirmed.

    How the Attack Worked

    The breaches exploited two Ivanti EPMM vulnerabilities disclosed on 29 January 2026: CVE‑2026‑1281 and CVE‑2026‑1340. Both are code‑injection flaws rated 9.8 on the CVSS scale, allowing an unauthenticated attacker to execute arbitrary commands on vulnerable EPMM servers. Because EPMM servers are internet‑facing by design, they are attractive targets. Attackers reportedly uploaded a dormant Java class loader (a form of web shell) to /mifs/403.jsp, which remains inactive until triggered by a specific parameter. 

    This technique suggests initial‑access broker tradecraft, whereby a threat actor compromises a system then sells or hands off access later. Once the EPMM server was compromised, the attackers accessed its database and extracted stored contact information. 

    Investigations showed that the management system did not permanently delete removed data; instead it marked it as deleted, leaving legacy user and device records accessible. This design flaw meant that all organisations that had ever used the service could have some residual data exposed. 

    The attack did not involve malware or ransomware, and there is no evidence that lateral movement into other networks occurred. However, security firms observed that some attackers attempted to deploy additional web shells and payloads on vulnerable servers to maintain persistence.
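    As an added illustration, not taken from the original article or from any Ivanti or NCSC-NL tooling, the following Python script shows a defender-side heuristic run over constructed sample access-log lines: it flags requests to /mifs/403.jsp that carry a query string, use POST, or are answered with HTTP 200, on the assumption that a genuine 403.jsp error page is served without parameters and with status 403. The query parameter name in the sample is a placeholder, not the real trigger, and the IP addresses are documentation ranges.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/Tomcat combined log format; not real EPMM logs.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jan/2026:02:14:07 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Jan/2026:02:14:09 +0000] "GET /mifs/403.jsp HTTP/1.1" 403 812 "-" "Mozilla/5.0"
198.51.100.77 - - [30/Jan/2026:03:41:55 +0000] "GET /mifs/403.jsp?PLACEHOLDER=1 HTTP/1.1" 200 64 "-" "curl/8.4.0"
198.51.100.77 - - [30/Jan/2026:03:42:02 +0000] "POST /mifs/403.jsp HTTP/1.1" 200 128 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
SHELL_PATH = "/mifs/403.jsp"  # path named in public reporting on this campaign


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious(log_text):
    """Return (reasons, ip, timestamp, request) for requests matching the dormant-shell pattern."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != SHELL_PATH:
            continue
        reasons = []
        if rec["query"]:                 # error page should never need parameters
            reasons.append("query string on error page")
        if rec["method"] == "POST":      # nothing legitimate posts to a static error page
            reasons.append("POST to error page")
        if rec["status"] == 200:         # assumption: a genuine 403.jsp answers 403, not 200
            reasons.append("200 response from 403 page")
        if reasons:
            hits.append((", ".join(reasons), rec["ip"], rec["ts"], f'{rec["method"]} {rec["target"]}'))
    return hits


def top_sources(hits):
    """Rank source IPs by number of suspicious requests, for triage."""
    return Counter(ip for _, ip, _, _ in hits).most_common()


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

    The heuristic is a starting point for log review only; a confirmed finding still calls for the vendor detection script and the NCSC-NL assume-compromise steps described later on this page.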

    Impact and Risks for Customers

    While the Dutch breaches only exposed staff contact details, the incident raises several risks. Attackers armed with names, work e‑mail addresses and phone numbers can craft spear‑phishing, vishing or impersonation scams, which may lead to credential theft or further intrusions. 

    Infosecurity Magazine quoted experts warning that contact data can enable targeted social‑engineering campaigns against officials. The NCSC‑NL advised organisations to assume compromise, change passwords and renew private keys, because an attacker controlling an EPMM server could potentially push malicious configuration changes or manipulate device certificates. 

    Finland’s Valtori noted that the system’s failure to permanently delete data may have exposed all users who had ever been registered, implying long‑tail privacy risks. Although there is no evidence of identity theft or fraud resulting from these exposures as of 23 February 2026, the potential for abuse persists.

    Company Response and Customer Remediation

    Ivanti released temporary mitigations on 29 January 2026 and full security patches a week later. It also distributed a detection script to help customers check for indicators of compromise and collaborated with NCSC‑NL to develop a hunting tool. The company urged all customers to apply updates immediately and said it was working closely with affected organisations.

    In the Netherlands, the AP and Rvdr promptly notified affected employees and reported the incident to the AP’s data‑protection officer. The letter to parliament stated that the agencies took unspecified immediate measures once the breach was discovered and that employees were informed. The Rvdr filed a preliminary data‑breach notification with the AP, which will oversee regulatory follow‑up.

    The Dutch National Cyber Security Centre (NCSC‑NL) advised all organisations using EPMM to assume their systems were compromised before patching and to reset passwords, renew keys and monitor internal traffic for lateral movement. Finland’s Valtori likewise advised users to renew credentials and emphasised that the breach did not reveal precise location data. The European Commission said its incident was contained within nine hours and that no mobile devices were compromised. It pledged to continue monitoring and take all necessary measures to secure its systems.

    Government, Law Enforcement and Regulator Actions

    The response has been led by national cyber agencies rather than law enforcement. The Dutch parliament was formally briefed by the State Secretaries for Justice and Security and the Interior, and the country’s NCSC is working with Ivanti and affected agencies to investigate and mitigate the attack. The AP, which normally investigates data breaches, is both a victim and regulator in this case; it has tasked its own data‑protection officer to handle the investigation.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE‑2026‑1281 to its Known Exploited Vulnerabilities catalogue shortly after disclosure, signalling confirmed exploitation. Cyber agencies in Canada, Singapore and the United Kingdom issued similar alerts about active exploitation and urged organisations to apply patches. Finland’s CERT‑FI and Valtori, together with CERT‑EU, are investigating their respective breaches and have not yet announced enforcement actions. No arrests or threat actor identifications have been made as of this writing.

    The incident did not involve financial data, and there have been no reports of monetary loss or service disruption at the Dutch agencies. However, the breach could expose the AP and Rvdr to General Data Protection Regulation (GDPR) obligations for notifying data subjects and regulators, potentially leading to fines or enforcement actions if negligence is found. 

    Infosecurity Magazine noted that tens of thousands of users across Europe may have had personal details exposed, and privacy advocates have criticised the failure to permanently delete data on EPMM servers. For Ivanti, the wave of exploitation further damages its reputation after previous zero‑day incidents; CyberScoop observed that at least 19 Ivanti defects have been exploited in the past two years. 

    The vulnerabilities have added to calls for stricter security testing of mobile‑device management products and may prompt enterprise customers to reassess their reliance on Ivanti. On the stock market, there has been no measurable impact reported as of February 2026, but ongoing investigations and potential litigation could change that.

    What Remains Unclear About the Incident

    Several critical details are still unknown. Investigators have not identified the initial access vector beyond the Ivanti vulnerabilities, nor have they determined how long the attackers dwelled within the EPMM servers before being detected. 

    The exact number of staff affected at the AP and Rvdr has not been published; officials only indicated that all impacted individuals were notified. It is also unclear whether the attackers copied or exfiltrated the contact data for malicious use or simply enumerated it. No timeline has been given for the completion of forensic analysis, and neither law enforcement nor Ivanti has disclosed when they first learned of exploitation. 

    Without these details, observers cannot assess whether the breach could have been prevented with earlier patching or detection. Finally, attribution remains speculative; while earlier Ivanti exploitation has been linked to a China‑nexus threat actor, no definitive evidence has surfaced for the January 2026 campaign.

    Why This Incident Matters

    The Dutch breaches are significant because they highlight the systemic risks posed by unpatched edge‑device management software in government networks. Ivanti’s EPMM platform is widely used to enforce mobile security policies for thousands of devices. 

    The exploitation of critical zero‑day flaws in such software demonstrates how attackers can bypass authentication entirely and reach sensitive management systems. Although the data exposed were limited to contact information, the incident underscores how a compromise in a central management tool can affect multiple agencies and even regulators themselves. 

    The cross‑border nature of the attacks, with simultaneous incidents in the Netherlands, Finland and the European Commission, also illustrates how quickly zero‑day exploits can be weaponised by unknown actors. For policymakers, the breach raises questions about vendor security assurance and the need for diversified mobile‑device management solutions. 

    For organizations, it reinforces the importance of rapid patching, comprehensive logging and incident response preparedness. Ultimately, the Ivanti campaign serves as a warning that even seemingly low‑impact data exposures can pave the way for more damaging intrusions if left unaddressed.

    Bright Defense: Mitigating Edge‑Device Vulnerabilities

    The Ivanti zero‑day breaches show that attackers target mobile‑device management platforms to gain a foothold in government networks. Bright Defense helps organisations defend against these threats through penetration testing, web application testing and continuous compliance monitoring.

    Our experts simulate adversaries by testing edge devices and management consoles for injection flaws and unauthenticated access, identify misconfigurations, and provide actionable remediation guidance. Continuous compliance assessments ensure that critical patches, encryption keys and authentication settings remain up to date, closing gaps before threat actors can exploit them. 

    Partnering with Bright Defense, agencies can reduce the risk of zero‑day exploitation and build resilience across their mobile and cloud infrastructure.

    Sources

    1. The Hacker News — “Dutch Authorities Confirm Ivanti Zero-Day Exploit Exposed Employee Contact Data” (Feb 10, 2026).
      https://thehackernews.com/2026/02/dutch-authorities-confirm-ivanti-zero.html
    2. The Register — “Dutch data watchdog snitches on itself after getting caught in Ivanti zero-day attacks” (Feb 9, 2026).
      https://www.theregister.com/2026/02/09/dutch_data_protection_ivanti/
    3. The Record — “EU, Dutch government announce hacks following Ivanti zero-days” (Feb 9, 2026).
      https://therecord.media/eu-dutch-government-announce-hacks-ivanti-zero-days
    4. Security Affairs — “Dutch agencies hit by Ivanti EPMM exploit exposing employee contact data” (Feb 10, 2026).
      https://securityaffairs.com/187806/security/dutch-agencies-hit-by-ivanti-epmm-exploit-exposing-employee-contact-data.html
    5. Infosecurity Magazine — “European Governments Breached in Zero-Day Attacks Targeting Ivanti” (Feb 10, 2026).
      https://www.infosecurity-magazine.com/news/european-governments-zeroday/
    6. BleepingComputer — “European Commission discloses breach that exposed staff data” (Feb 9, 2026).
      https://www.bleepingcomputer.com/news/security/european-commission-discloses-breach-that-exposed-staff-data/
    7. Help Net Security — “European Commission hit by cyberattackers targeting mobile management platform” (Feb 9, 2026).
      https://www.helpnetsecurity.com/2026/02/09/european-commission-ivanti-epmm-vulnerabilities/
    8. CyberScoop — “Fallout from latest Ivanti zero-days spreads to nearly 100 victims” (Feb 9, 2026).
      https://cyberscoop.com/ivanti-zero-day-vulnerabilities-netherlands-european-commission-shadowserver/
    9. Infosecurity Magazine — Comments by security executives on the risks of exploiting mobile management systems and the need for credential renewal (Feb 10, 2026).
      https://www.infosecurity-magazine.com/news/european-governments-zeroday/

    Tamzid brings 5+ years of specialized writing experience across SaaS, cybersecurity, compliance, and blockchain. He’s skilled at simplifying complex concepts without losing depth. He follows the latest cybersecurity compliance updates and brings readers practical insights they can trust and keeps them ahead of the curve.
