In a sobering reminder of how quickly unpatched vulnerabilities can be weaponized, Dutch authorities have confirmed that several government institutions were compromised through newly disclosed security flaws in Ivanti Endpoint Manager Mobile (EPMM) software. The breaches resulted in the exposure of internal employee contact information and have prompted broader concern across European public sector networks.

On January 29, 2026, the Netherlands’ National Cyber Security Centre (NCSC-NL) was notified about critical vulnerabilities in Ivanti’s EPMM platform, a mobile device management system widely used to control smartphones and tablets in organizational environments. Shortly thereafter, hackers rapidly began exploiting these weaknesses — later tracked as CVE-2026-1281 and CVE-2026-1340 — to infiltrate exposed systems around the world.

Dutch officials disclosed to the Dutch parliament that at least two prominent institutions — the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and the Council for the Judiciary (Raad voor de Rechtspraak) — were affected. In both cases, attackers gained access to work-related contact information, including names, business email addresses, and telephone numbers of employees. Authorities acted swiftly, alerted staff whose data was accessed, and began containment efforts.

Although attackers have not been publicly identified, the rapid pace of exploitation — occurring before many organizations could install patches — suggests a highly motivated threat actor or group was scanning for vulnerable EPMM installations and weaponizing the zero-days as soon as they became known. Efforts to understand the full scope are ongoing, with the NCSC and associated cybersecurity teams continuing to monitor systems and advise remediation steps.

In a related development, the European Commission acknowledged it too experienced unauthorized access to its central mobile device management infrastructure around January 30. While no mobile devices were compromised and the attack was contained within hours, preliminary indications suggest this incident may also be tied to the Ivanti EPMM flaws. The Commission has emphasized its commitment to tightening security and continues to review the breach with its cybersecurity teams.

The broader fallout from these vulnerabilities appears significant. Independent scanning efforts have identified dozens of compromised Ivanti EPMM instances worldwide, which is consistent with emerging patterns where newly disclosed critical bugs — especially those rated with a high severity score — are rapidly weaponized in automatic scanning and exploitation campaigns.

Security professionals warn that when device management platforms like EPMM are publicly accessible and unpatched, attackers can infiltrate deeply into organizations’ networks, potentially gaining the ability to push malicious configurations, deploy unauthorized applications, or harvest sensitive data. In response, emergency patching and full incident response procedures are being advised for all affected organizations.

Although these breaches did not appear to involve sensitive personal data beyond contact details, the incidents raise serious questions about the cybersecurity posture of government digital infrastructure — particularly when third-party systems are widely deployed and trusted for secure operations. Cybersecurity authorities continue investigating and expect further disclosures as forensic analysis progresses.