Full Report
The Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) have disclosed that their systems were impacted by cyber attacks that exploited the recently disclosed security flaws in Ivanti Endpoint Manager Mobile (EPMM), according to a notice sent to the country's parliament on Friday. "On January 29, the National Cyber Security Center (
Analysis Summary
# Incident Report: Exploitation of Ivanti EPMM Vulnerabilities at Dutch Agencies
## Executive Summary
The Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) confirmed their systems were compromised through cyberattacks exploiting zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The incident led to unauthorized access to employee contact information, including names, business emails, and phone numbers. Response efforts involved immediate investigation based on vendor notification and patching, though the full scope of compromised data across the system's lifecycle remains a risk.
## Incident Details
- **Discovery Date:** January 29, 2026 (NCSC informed by EPMM supplier of vulnerabilities)
- **Incident Date:** Attack activity occurred leading up to or around January 30, 2026 (Finnish confirmation date suggests global awareness/exploitation).
- **Affected Organization:** Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr).
- **Sector:** Government/Judiciary and Data Protection Regulatory.
- **Geography:** The Netherlands.
## Timeline of Events
### Initial Access
- **Date/Time:** Not explicitly stated, but occurred before January 29, 2026.
- **Vector:** Exploitation of unpatched zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), specifically **CVE-2026-1281** and **CVE-2026-1340** (both RCE flaws).
- **Details:** Attackers leveraged flaws in the EPMM service used to manage mobile devices, apps, and content security.
### Lateral Movement
- *Details not provided in the source text.*
### Data Exfiltration/Impact
- **Date/Time:** Confirmed post-exploitation discovery.
- **Impact:** Unauthorized access to work-related data of AP employees, specifically names, business email addresses, and telephone numbers. Due to failure to permanently delete data (only marking it as deleted), data belonging to **all organizations** that used the service during its lifecycle may have been compromised.
### Detection & Response
- **Date/Time:** January 29, 2026.
- **Detection:** The National Cyber Security Center (NCSC) was informed by the Ivanti supplier about the vulnerabilities.
- **Response actions taken:** Not stated explicitly; the implied response is remediation across the affected Dutch agencies, following the vendor advisory and the newly released patches/fixes.
## Attack Methodology
- **Initial Access:** Exploitation of Ivanti EPMM zero-day vulnerabilities (**CVE-2026-1281** and **CVE-2026-1340**), likely resulting in **Unauthenticated Remote Code Execution (RCE)**.
- **Persistence:** *Not specified.*
- **Privilege Escalation:** *Not specified, but RCE implies high-level access.*
- **Defense Evasion:** *Not specified.*
- **Credential Access:** *Not specified, but access to email addresses suggests potential credential exposure.*
- **Discovery:** *Not specified.*
- **Lateral Movement:** *Not specified.*
- **Collection:** Accessing data stored in the MDM system, including user and device data.
- **Exfiltration:** Unauthorized access and likely exfiltration of contact details.
- **Impact:** Exposure of employee Personally Identifiable Information (PII)/work contact details.
## Impact Assessment
- **Financial:** *Not specified.*
- **Data Breach:** Exposure of names, business email addresses, and telephone numbers of AP employees. Potential wide-scale compromise across all historical users of the compromised EPMM service.
- **Operational:** *No immediate operational shutdown mentioned, but security posture significantly degraded.*
- **Reputational:** Public disclosure required via notice to parliament.
## Indicators of Compromise
- *No specific IOCs (IPs, hashes) are provided in the source material.*
- **Observed Vulnerabilities:** Ivanti EPMM exploitation targeting CVE-2026-1281 and CVE-2026-1340.
- **Behavioral Indicator:** System exhibiting characteristics of RCE or unauthorized data access via the Ivanti EPMM portal.
## Response Actions
- **Containment measures:** (Inferred) Applying corrective patches released by Ivanti on January 29, 2026.
- **Eradication steps:** (Inferred) Reviewing audit logs for access between the initial compromise and the patch date, and deciding how to treat data that was marked as "deleted" but never actually erased.
- **Recovery actions:** (Inferred) Notifying impacted parties (employees/stakeholders) and assessing the full data retention history of the compromised system.
## Lessons Learned
- **Key takeaways:** Critical reliance on third-party Mobile Device Management (MDM) solutions like Ivanti EPMM introduces significant supply-chain risk, especially concerning zero-day vulnerabilities.
- **What could have been done better:** Proactive vulnerability management and patching schedules need to rapidly respond to critical advisories (such as those concerning RCE flaws). A robust data disposal policy/practice is crucial, as lingering "deleted" data significantly widened the potential scope of compromise.
## Recommendations
- **Prevention measures for similar incidents:** Immediately inventory all instances of Ivanti EPMM or similar vulnerable MDM solutions. Prioritize patching against newly disclosed vulnerabilities (especially RCE) within hours of vendor release. Implement stronger data lifecycle management practices to ensure data marked for deletion is verifiably permanently erased.
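The lesson about "deleted" data that only carries a flag, and the recommendation that deletion be verifiably permanent, can be illustrated with a small model of a multi-tenant contact store. The following is an added example written for this summary; it is not code from the source report, from the affected agencies or from Ivanti. The store, the tenant names, the 30-day grace period and the field names are all constructed assumptions. It contrasts the application's view (which honours the deleted flag) with the raw storage view (which is what an attacker with code execution on the host would read), runs a purge that removes expired soft-deleted rows, and then verifies that a former tenant's data is gone.

```python
"""Soft-delete versus verified hard-delete in a multi-tenant contact store.

Added example, not from the source report or from Ivanti. All data below is
constructed. The point: a record flagged `deleted_at` still exposes its tenant
if the payload remains readable in raw storage, so the breach scope of the
store is every tenant with a surviving row, not just the active ones.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class ContactRecord:
    tenant: str
    name: str
    email: str
    phone: str
    deleted_at: Optional[datetime] = None  # soft-delete marker; payload untouched


class ContactStore:
    def __init__(self, rows: Optional[List[ContactRecord]] = None):
        self.rows: List[ContactRecord] = list(rows or [])

    def soft_delete_tenant(self, tenant: str, when: datetime) -> None:
        """The weak pattern: offboarding a tenant only sets a flag."""
        for r in self.rows:
            if r.tenant == tenant and r.deleted_at is None:
                r.deleted_at = when

    def active_rows(self) -> List[ContactRecord]:
        """What the application shows: the flag is honoured."""
        return [r for r in self.rows if r.deleted_at is None]

    def raw_rows(self) -> List[ContactRecord]:
        """What raw storage (disk, DB dump) yields: the flag is irrelevant."""
        return list(self.rows)


def exposure_scope(store: ContactStore) -> List[str]:
    """Tenants whose PII is still readable from raw storage, flagged or not."""
    return sorted({r.tenant for r in store.raw_rows()})


def lingering_records(store: ContactStore) -> List[ContactRecord]:
    """Flagged-deleted rows whose payload still exists; empty after a full purge."""
    return [r for r in store.raw_rows() if r.deleted_at is not None]


def purge_expired(store: ContactStore, now: datetime,
                  grace: timedelta = timedelta(days=30)) -> int:
    """Hard-delete flagged rows older than the grace period; return count removed.

    The grace period is an assumption of this example (an undo window); with
    grace=timedelta(0) every flagged row is removed immediately.
    """
    keep: List[ContactRecord] = []
    removed = 0
    for r in store.rows:
        if r.deleted_at is not None and now - r.deleted_at >= grace:
            removed += 1
        else:
            keep.append(r)
    store.rows = keep
    return removed


def verify_erased(store: ContactStore, tenant: str) -> bool:
    """Verification step: no row for the tenant survives in raw storage."""
    return all(r.tenant != tenant for r in store.raw_rows())


def build_sample_store() -> ContactStore:
    """Constructed sample data: one current tenant, one long-gone tenant, one leaving."""
    t0 = datetime(2025, 1, 1)
    return ContactStore([
        ContactRecord("org-current", "A. Example", "a@org-current.example", "+31-000-0001"),
        ContactRecord("org-current", "B. Example", "b@org-current.example", "+31-000-0002"),
        ContactRecord("org-former-1", "C. Example", "c@org-former-1.example", "+31-000-0003",
                      deleted_at=t0 - timedelta(days=400)),
        ContactRecord("org-leaving", "D. Example", "d@org-leaving.example", "+31-000-0004"),
    ])


def run_demo(now: datetime = datetime(2025, 1, 1)) -> dict:
    """Walk through flag-only deletion, the resulting exposure, and a verified purge."""
    store = build_sample_store()
    store.soft_delete_tenant("org-leaving", when=now)
    report = {
        "visible_to_app": sorted({r.tenant for r in store.active_rows()}),
        "readable_on_disk": exposure_scope(store),
        "lingering_before_purge": len(lingering_records(store)),
    }
    report["purged"] = purge_expired(store, now)
    report["readable_after_purge"] = exposure_scope(store)
    report["former1_erased"] = verify_erased(store, "org-former-1")
    return report


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The `readable_on_disk` list is the figure that matters for breach scoping: before the purge it names every organization that ever used the store, which is exactly the widened scope the report describes. The verification in `verify_erased` is deliberately separate from the purge so it can be run as an independent control (for example, by an audit job that reads the raw store rather than trusting the purge routine's own return value).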