In recent weeks, several European public bodies have confirmed that they suffered computer intrusions linked to security failures in a mobile device management tool. These include the Netherlands Data Protection Authority (Autoriteit Persoonsgegevens, AP) and the Counsellor for the Dutch Administration of Justice, who notified Parliament that their systems were compromised after taking advantage of vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM).
Ivanti EPMM is a platform designed to manage mobile terminals, applications and corporate content, and is usually used to ensure policies, deploy applications and manage device inventories. When a tool with this level of control is exposed, not only does the individual equipment, but also the operational information associated with the service administration. It is precisely that risk that the recent incidents have demonstrated: in several cases the attackers achieved data on the operation of the service and on the employees themselves, including names, professional posts and telephone numbers.
The European Commission also reported similar findings in its central mobile management infrastructure, where "traces" of an access attempt were detected that could have made it possible to collect names and mobile numbers from its staff. According to the institution, the episode was contained in less than nine hours and there are no compromised mobile devices, although the research continues. The Commission's official note is available at communicated.
For its part, Finland made public a data gap in which the State information technology provider, Valtori he explained that up to 50,000 public employees could have seen his work information exposed. Valtori attributed the incident to the exploitation of a zero- day vulnerability in the device management service and claimed to have applied the patch on the same day that Ivanti published the corrections.
Ivanti published solutions for two identified failures such as CVE-2026-1281 and CVE-2026-1340, both with very high CVSS scores (9.8), which allow remote code execution without authentication. The company also recognized that these vulnerabilities were already being exploited in nature as zerodays. For those who want to contrast technical information, the public vulnerability records provide the corresponding data sheets in the national vulnerability database: CVE-2026-1281 and CVE-2026-1340, and Ivanti herself keeps a section with security notices on her official website ( Ivanti Security Advisories).
A worrying detail that the investigations have revealed is that the management system apparently did not permanently delete some information when it was deleted: it marked data as deleted but actually retained them. This amplifies the scope of the incident, because data from organizations that used the service over time could have been made accessible. In addition, in corporate environments the same device may have been used by several people, which further complicates the accounting of the exposure.
These situations are not just a technical problem: their consequences include risks of supplanting, targeted phishing and threats to the privacy of judges, officials and public employees. When names, working posts and phone numbers are filtered, attackers have very valuable material to create convincing social engineering campaigns. In addition, the impact of management systems implies the possibility of deeper subsequent access if it is not acted on quickly and transparently.
The usual response agenda is to apply patches immediately, to audit access, to force the re-establishment of credentials when necessary and to review multi-factor authentication controls. It is also key to investigate whether other data types have been exfiltered, to assess the persistence of the attacker and to notify the competent authorities and those concerned, in accordance with the legal obligations of each country. In the Dutch case, information on communication with Parliament and initial measures is contained in the official document mentioned above.
From a broader perspective, these incidents once again put on the table the importance of managing risks in the digital supply chain. Many organizations delegate critical functions to external suppliers and management tools that, if they contain exploitable vulnerabilities, transform a single weak point into a vector with cross-cutting impact. Monitoring of patches, network segmentation, continuous monitoring and clear security agreements with suppliers are practices that should be strengthened after such events.
For those who want to deepen: the Netherlands National Cybersecurity Centre (NCSC) is usually the first actor to coordinate responses to such alerts at national level, and publishes useful guides and warnings for administrations and companies. Its English-language website contains practical guidance resources on incident management. In parallel, the official notes of the bodies concerned - such as those of the European Commission, the Dutch Government and Valtori - provide transparency on the scope, timing and measures taken.
In short, we are facing a strong reminder that tools that manage devices and data in corporate and government environments should receive the same security attention as systems that store critical information. The speed and clarity of communication with employees and citizens are today the first line of defense against leaks that, although in many cases do not compromise final devices, can undermine public confidence and facilitate subsequent attacks.
18-year-old Ukrainian youth leads a network of infostealers that violated 28,000 accounts and left $250,000 in losses
The Ukrainian authorities, in coordination with US agents. They have focused on an operation of infostealer which, according to the Ukrainian Cyber Police, was allegedly adminis...
The digital signature is in check: Microsoft dismands a service that turned malware into apparently legitimate software
Microsoft announced the disarticulation of a "malware-signing-as-a-service" operation that exploited its device signature system to convert malicious code into seemingly legitim...
A single GitHub workflow token opened the door to the software supply chain
A single GitHub workflow token failed in the rotation and opened the door. This is the central conclusion of the incident in Grafana Labs following the recent wave of malicious ...
WebWorm 2025: the malware that is hidden in Discord and Microsoft Graphh to evade detection
The latest observations by cyber security researchers point to a change in worrying tactics of an actor linked to China known as WebWorm: in 2025 it has incorporated back doors ...
Identity is no longer enough: continuous verification of the device for real-time security
Identity remains the backbone of many security architectures, but today that column is cracking under new pressures: advanced phishing, real-time proxyan authentication kits and...
The dark matter of identity is changing the rules of corporate security
The Identity Gap: Snapshot 2026 report published by Orchid Security puts numbers to a dangerous trend: the "dark matter" of identity - accounts and credentials that are neither ...
PinTheft the public explosion that could give you root on Arch Linux
A new public explosion has brought to the surface again the fragility of the Linux privilege model: the V12 Security team named the failure as PinTheft and published a concept t...