Dutch Authorities Confirm Ivanti Zero-Day Exploit Exposed Employee Contact Data
The Netherlands' Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) have disclosed that their systems were impacted by cyber attacks that exploited the recently disclosed security flaws in Ivanti Endpoint Manager Mobile (EPMM), according to a notice sent to the country's parliament on Friday. "On January 29, the National Cyber Security Center (
AI Analysis
Technical Summary
In early 2026, a critical security incident involving Ivanti Endpoint Manager Mobile (EPMM) was disclosed, in which zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) were actively exploited by threat actors. These vulnerabilities allow unauthenticated remote code execution, enabling attackers to gain unauthorized access to the management infrastructure of mobile devices, applications, and content. The Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) confirmed that their systems were compromised, resulting in unauthorized access to employee contact data including names, business email addresses, and telephone numbers. The European Commission also detected traces of a related cyber attack, which was contained within nine hours without device compromise. Finland’s state ICT provider, Valtori, reported a similar breach affecting up to 50,000 government employees. Investigations revealed that Ivanti’s EPMM system did not permanently delete removed data but only marked it as deleted, potentially exposing data from all organizations that used the service historically. The attacker is characterized as a highly skilled and well-resourced actor conducting precise, targeted campaigns against deeply embedded enterprise systems, exploiting the assumption that internal systems are secure. Ivanti released patches on January 29, 2026, the same day the vulnerabilities were publicly disclosed, but a limited number of customers had already been exploited. The incident underscores the importance of securing mobile device management platforms, rapid patch deployment, and comprehensive data lifecycle management to prevent data leakage and unauthorized access.
Potential Impact
The exploitation of Ivanti EPMM zero-day vulnerabilities poses significant risks to European organizations, particularly government agencies and entities managing sensitive employee data. The unauthorized access to employee contact information can facilitate further social engineering, spear-phishing, and identity theft attacks. Exposure of operational data related to mobile device management systems undermines trust in internal IT infrastructure and may disrupt secure communications. The persistence of deleted data increases the risk of long-term data leakage beyond the initial breach window. For European organizations, especially those in critical public sectors, such breaches can lead to regulatory scrutiny under GDPR, reputational damage, and operational challenges in securing mobile endpoints. The incident also highlights supply chain risks associated with third-party management software, emphasizing the need for stringent vendor risk management. Given the targeting of multiple EU institutions and national agencies, the threat could have cascading effects on cross-border cooperation and data sharing within Europe.
Mitigation Recommendations
European organizations using Ivanti EPMM should immediately verify the application of the January 29, 2026 security patches addressing CVE-2026-1281 and CVE-2026-1340. Beyond patching, organizations must conduct thorough audits of their mobile device management environments to identify unauthorized access or anomalous activity. It is critical to implement strict data retention and deletion policies ensuring that deleted data is permanently erased rather than merely marked as deleted. Organizations should enhance monitoring and alerting on their MDM platforms for unusual access patterns, especially unauthenticated remote code execution attempts. Network segmentation should be employed to isolate management systems from broader enterprise networks to limit lateral movement. Incident response plans must be updated to include rapid containment procedures for MDM-related breaches. Additionally, organizations should review and tighten access controls, enforce multi-factor authentication for management consoles, and conduct regular security assessments of third-party software. Sharing threat intelligence within European cybersecurity communities can aid in early detection of similar attacks.
Affected Countries
Netherlands, Finland, Belgium, Germany, France, Italy
Technical Details
- Article Source: https://thehackernews.com/2026/02/dutch-authorities-confirm-ivanti-zero.html (fetched 2026-02-10T11:16:38.529Z, word count 1109)
Threat ID: 698b13994b57a58fa1ff12f6
Added to database: 2/10/2026, 11:16:41 AM
Last enriched: 2/10/2026, 11:16:55 AM
Last updated: 2/11/2026, 7:10:24 PM