thehackernews.com 2/10/2026, 8:50:44 AM · via preferred

Dutch Authorities Confirm Ivanti Zero-Day Exploit Exposed Employee Contact Data

CyberSIXT Evidence Panel
CISA KEV: Listed in KEV
Patch: Patch Status Unknown

According to the Dutch Data Protection Authority (AP) and the Council for the Judiciary, their systems were impacted by cyber attacks that exploited recently disclosed security flaws in Ivanti Endpoint Manager Mobile (EPMM). On January 29, the supplier informed the National Cyber Security Center (NCSC) about these vulnerabilities, CVE-2026-1281 and CVE-2026-1340 (CVSS 9.8), which Ivanti has since fixed in the disclosed patches.

The attackers are alleged to have accessed work-related data of AP employees, including names, business email addresses, and telephone numbers, in the course of exploiting EPMM. The European Commission also said its central infrastructure identified traces of a cyber attack that may have allowed access to names and mobile numbers of some staff, with the incident contained within nine hours.

Finland’s Valtori disclosed a breach exposing up to 50,000 government employees’ details due to a zero-day vulnerability in a mobile device management service. Investigations found that the management system did not permanently delete removed data but only marked it as deleted, potentially leaving device and user data from organisations that used the service exposed.


Article by CyberSIXT