Ivanti said it was aware “a very limited number of customers” had been attacked while two vulnerabilities were still unpatched.
# Incident Report: Exploitation of Ivanti EPMM Zero-Days by Multiple Actors
## Executive Summary
Multiple high-profile government entities, including the Netherlands and the European Commission, confirmed compromises stemming from the active exploitation of two critical, unpatched zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile (EPMM). Attackers gained unauthorized access to mobile device management systems, resulting in the exposure of staff contact information. Response efforts have focused on immediate patching, log review, and system clean-up, although the full scope of exploitation remains under investigation across affected organizations.
## Incident Details
- **Discovery Date:** Late January 2026 (Implied, concurrent with Ivanti issuing patches and advisory)
- **Incident Date:** Occurred while vulnerabilities were unpatched (Prior to late January 2026)
- **Affected Organization:** Dutch Data Protection Authority, Judicial Council (Netherlands), European Commission (mobile infrastructure), "a very limited number of customers" globally.
- **Sector:** Government/Public Sector
- **Geography:** Europe (Netherlands, EU), global impact confirmed by alerts from CISA, Canada, and Singapore.
## Timeline of Events
### Initial Access
- **Date/Time:** Unspecified, prior to late January 2026 advisory.
- **Vector:** Exploitation of unpatched Ivanti EPMM zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340).
- **Details:** Attackers achieved remote code execution without needing credentials on internet-facing Ivanti EPMM systems.
### Lateral Movement
- **Date/Time:** Unspecified.
- **Details:** Once access was achieved via EPMM, unauthorized persons *viewed* work-related data (name, business email, phone number) on the Dutch systems. The European Commission noted swift containment within nine hours and found no compromise of *associated mobile devices*. Details on internal lateral movement after initial compromise are pending investigation by affected parties.
### Data Exfiltration/Impact
- **Date/Time:** Unspecified.
- **Details:** Unauthorized viewing/access to staff work-related data, including names, business email addresses, and telephone numbers, confirmed in the Netherlands. The European Commission confirmed potential access to staff names and mobile numbers.
### Detection & Response
- **Date/Time:** Late January 2026 onwards (following Ivanti advisory).
- **Details:** Detection occurred as agencies responded to the Ivanti vulnerability disclosure. The European Commission reported containing the incident and cleaning the system "within nine hours." National agencies (CISA, Canada, Singapore) issued alerts and added the flaw to CVE catalogs, signaling confirmed exploitation in the wild.
## Attack Methodology
- **Initial Access:** Remote Code Injection via Critical Ivanti EPMM Vulnerabilities (CVE-2026-1281, CVE-2026-1340). CVSS 9.8 severity.
- **Persistence:** Not detailed; some persistence mechanism on the edge device is implied, since access had to be maintained until cleanup.
- **Privilege Escalation:** Not detailed; the vulnerabilities likely granted high-level access immediately upon exploitation.
- **Defense Evasion:** Exploitation of unpatched zero-days inherently bypasses existing signature-based defenses.
- **Credential Access:** No successful credential theft is explicitly mentioned; the data was accessed through direct compromise of the system itself.
- **Discovery:** Likely localized to the compromised EPMM infrastructure and accessible user/device directories.
- **Lateral Movement:** Limited visibility; focused on accessing data stored/managed by the EPMM system.
- **Collection:** Gathering of contact information (names, emails, phone numbers).
- **Exfiltration:** Not explicitly detailed as large-scale exfiltration, but data viewing/access occurred.
- **Impact:** Unauthorized access to sensitive configuration and/or user metadata managed by the mobile device platform.
## Impact Assessment
- **Financial:** Not detailed.
- **Data Breach:** Exposure/viewing of employee contact details (names, work emails, phone numbers) for at least two high-level Dutch bodies and some EU staff. Full scope under investigation.
- **Operational:** Minor operational disruption due to containment and cleanup efforts (e.g., EU cleanup within nine hours).
- **Reputational:** Significant exposure due to confirmed breaches involving major European government bodies shortly after vendor notification.
## Indicators of Compromise
*Note: Specific IoCs are not provided in the text and cannot be defanged.*
- **Network indicators:** Unusual outbound connections from Ivanti EPMM servers, particularly in the window around the patch release.
- **File indicators:** N/A from the text.
- **Behavioral indicators:** Unauthenticated access attempts to EPMM endpoints; unexpected changes in mobile device configuration records.
## Response Actions
- **Containment:** Swift response by the European Commission ensured the incident was contained within nine hours. Ivanti urged all customers to patch immediately.
- **Eradication:** The European Commission confirmed the system was "cleaned." Remediation involves patching applied after vendor disclosure.
- **Recovery:** Affected organizations are reviewing logs for signs of exploitation and assessing the full extent of data viewing.
## Lessons Learned
- **Edge Device Risk:** Internet-facing edge devices like Ivanti EPMM are high-value, high-risk targets and will continue to be exploited rapidly as zero-days.
- **Rapid Exploitation Cycle:** Critical vulnerabilities are exploited quickly by attackers immediately following or concurrent with vendor discovery.
- **Product Vulnerability History:** This product family (Ivanti/mobile management platforms) has a history of similar security issues (citing 2023 Norway attacks), indicating recurring platform weaknesses.
## Recommendations
- **Prioritize Patching:** Immediately apply patches and mitigation steps for all Ivanti EPMM instances, treating any exposed system as potentially compromised.
- **Segment Edge Devices:** Increase monitoring and segmentation around all internet-facing mobile management infrastructure.
- **Proactive Hunting:** Conduct log reviews on managed systems for anomalous activity preceding the vendor advisory date to identify the true start of compromise.
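The behavioral and network indicators listed above and the log review recommended here can be turned into a concrete hunt. The script below is an added example written for this report, not code from the page or from Ivanti: it parses combined-format web access logs, groups successful unauthenticated API requests that predate the advisory by source IP, and flags outbound flows from the EPMM host to destinations outside an expected set. The sample log lines, flow records, API paths, the `/api/v1/health` allowlist entry and the exact advisory date are all constructed placeholders (the page gives only "late January 2026").

```python
"""Added example (not from the page): hunting EPMM access logs and outbound
flows for the indicators the report describes, bounded by the advisory date."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Hunting boundary. The page says only "late January 2026"; this exact day
# is a placeholder assumption.
ADVISORY_DATE = datetime(2026, 1, 29, tzinfo=timezone.utc)

# Apache/nginx "combined"-style access log. Group names are ours.
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines; the API paths are hypothetical, not EPMM's own.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [22/Jan/2026:02:14:05 +0000] "POST /api/v1/devices HTTP/1.1" 200 512
203.0.113.7 - - [22/Jan/2026:02:14:09 +0000] "GET /api/v1/users HTTP/1.1" 200 18832
203.0.113.7 - - [22/Jan/2026:02:14:12 +0000] "GET /api/v1/users?page=2 HTTP/1.1" 200 18790
198.51.100.4 - admin [22/Jan/2026:08:01:00 +0000] "GET /admin/dashboard HTTP/1.1" 200 4096
192.0.2.9 - - [23/Jan/2026:11:40:30 +0000] "GET /api/v1/health HTTP/1.1" 200 15
192.0.2.9 - - [23/Jan/2026:11:40:33 +0000] "GET /login HTTP/1.1" 200 1200
203.0.113.7 - - [30/Jan/2026:01:00:00 +0000] "GET /api/v1/users HTTP/1.1" 401 0
"""

# Constructed outbound flow records: (utc timestamp, src, dst, dst port).
EPMM_HOST = "10.0.5.20"
SAMPLE_FLOWS = [
    ("2026-01-22T02:15:00Z", "10.0.5.20", "192.0.2.50", 443),    # assumed push/update service
    ("2026-01-22T02:16:30Z", "10.0.5.20", "203.0.113.7", 4444),  # unexpected destination
    ("2026-01-22T09:00:00Z", "10.0.5.20", "10.0.0.53", 53),      # internal DNS
]
# Destinations the EPMM server is expected to reach (assumed allowlist).
EXPECTED_DESTINATIONS = {"192.0.2.50", "10.0.0.53"}


def parse_access_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string for grouping
    return rec


def hunt_unauth_api_access(log_text, advisory=ADVISORY_DATE,
                           allow_paths=("/api/v1/health",)):
    """Group successful, unauthenticated API requests that predate the advisory by source.

    A request counts when the auth user field is '-', the path is under /api/ and not
    allowlisted, the status is 2xx, and the timestamp is before `advisory`.
    """
    by_src = defaultdict(lambda: {"count": 0, "first_seen": None, "paths": set()})
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        if rec["user"] != "-" or not rec["path"].startswith("/api/"):
            continue
        if rec["path"] in allow_paths or not 200 <= rec["status"] < 300:
            continue
        if rec["ts"] >= advisory:
            continue
        f = by_src[rec["src"]]
        f["count"] += 1
        f["paths"].add(rec["path"])
        if f["first_seen"] is None or rec["ts"] < f["first_seen"]:
            f["first_seen"] = rec["ts"]
    return sorted(({"src": s, **v} for s, v in by_src.items()),
                  key=lambda f: f["first_seen"])


def hunt_unexpected_outbound(flows, host=EPMM_HOST, expected=EXPECTED_DESTINATIONS):
    """Return outbound flows from the EPMM host whose destination is not expected."""
    return [f for f in flows if f[1] == host and f[2] not in expected]


if __name__ == "__main__":
    for finding in hunt_unauth_api_access(SAMPLE_ACCESS_LOG):
        print(f"{finding['src']}: {finding['count']} unauthenticated API hits, "
              f"first seen {finding['first_seen'].isoformat()}, "
              f"paths {sorted(finding['paths'])}")
    for flow in hunt_unexpected_outbound(SAMPLE_FLOWS):
        print("unexpected outbound:", flow)
```

On the constructed sample, the script reports a single source with three pre-advisory unauthenticated API hits against two distinct paths, and one outbound flow to a destination outside the allowlist; the post-patch 401 and the allowlisted health check are ignored. The `first_seen` value per source is the point of the exercise: it is the earliest evidence the hunt can put on the timeline, which is what the recommendation to look before the advisory date is after.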