The Netherlands’ Dutch Data Protection Authority (AP) and the Council for the Judiciary confirmed both agencies (Rvdr) have disclosed that their systems were impacted by cyber attacks that exploited the recently disclosed security flaws in Ivanti Endpoint Manager Mobile (EPMM), according to a notice sent to the country’s parliament on Friday.
“On January 29, the National Cyber Security Center (NCSC) was informed by the supplier of vulnerabilities in EPMM,” the Dutch authorities said. “EPMM is used to manage mobile devices, apps, and content, including their security.”
“It is now known that work-related data of AP employees, such as names, business email addresses, and telephone numbers, have been accessed by unauthorized persons.”
The development comes as the European Commission also revealed that its central infrastructure managing mobile devices “identified traces” of a cyber attack that may have resulted in access to names and mobile numbers of some of its staff members. The Commission said the incident was contained within nine hours, and that no compromise of mobile devices was detected.
“The Commission takes seriously the security and resilience of its internal systems and data and will continue to monitor the situation,” it added. “It will take all necessary measures to ensure the security of its systems.”
Although the name of the vendor was specified and no details were shared on how the attackers managed to gain access, it’s suspected to be linked to malicious activity exploiting flaws in Ivanti EPMM.
Finland’s state information and communications technology provider, Valtori, also disclosed a breach that exposed work-related details of up to 50,000 government employees. The incident, identified on January 30, 2026, targeted a zero-day vulnerability in the mobile device management service.
The agency said it installed the corrective patch on January 29, 2026, the same day Ivanti released fixes for CVE-2026-1281 and CVE-2026-1340 (CVSS scores: 9.8), which could be exploited by an attacker to achieve unauthenticated remote code execution. Ivanti has revealed that the vulnerabilities have been exploited as zero-days.
The attacker is said to have gained access to information used in operating the service, including names, work email addresses, phone numbers, and device details.
“Investigations have shown that the management system did not permanently delete removed data but only marked it as deleted,” it said “As a result, device and user data belonging to all organizations that have used the service during its lifecycle may have been compromised. In certain cases, a single mobile device may have multiple users.”
