{"id":4512,"date":"2026-02-14T16:37:49","date_gmt":"2026-02-14T16:37:49","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/02\/14\/european-governments-breached-in-zero-day-attacks-targeting-ivanti\/"},"modified":"2026-02-14T16:37:49","modified_gmt":"2026-02-14T16:37:49","slug":"european-governments-breached-in-zero-day-attacks-targeting-ivanti","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2026\/02\/14\/european-governments-breached-in-zero-day-attacks-targeting-ivanti\/","title":{"rendered":"European Governments Breached in Zero-Day Attacks Targeting Ivanti"},"content":{"rendered":"<div id=\"layout-813d83b9-daae-42e8-bbac-c6109ba0e8b3\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Several European government institutions appear to have been targeted in a coordinated campaign designed to steal data on\u00a0mobile users, it has emerged.<\/p>\n<p>First reported late last week, the incidents occurred at the European Commission, the Finnish government, and at least two Dutch government agencies. Tens of thousands of users may have had their personal details exposed.<\/p>\n<p>Only the Dutch authorities named the likely target \u2013 Ivanti Endpoint Manager Mobile (EPMM) \u2013 which has previously been compromised by likely Chinese state actors in attacks on the Norwegian government.<\/p>\n<p>However, the timing would suggest a link between all three breaches.<\/p>\n<p><em>Read more on Ivanti EPMM: Two Ivanti Zero-Days Actively Exploited in the Wild<\/em><\/p>\n<p>The European Commission released a brief statement on Friday February 6 explaining that its \u201ccentral infrastructure managing mobile devices\u201d had discovered signs of a breach on January 30. This \u201cmay have resulted in access to staff names and mobile numbers of some of its staff members,\u201d it added.<\/p>\n<p>\u201cThe commission&#8217;s swift response ensured the incident was contained and the system cleaned within nine hours,\u201d the statement continued. \u201cNo compromise of mobile devices was detected.\u201d<\/p>\n<p>Also on February 6, the Dutch justice and security secretary explained in an official letter to parliament that the Council for the Judiciary (Rvdr) and the Dutch Data Protection Authority (AP) had been caught in a similar breach.<\/p>\n<p>It claimed that the country\u2019s National Cyber Security Centre was told by Ivanti on January 29 about vulnerabilities in EPMM.<\/p>\n<p>\u201cIt has now been revealed that work-related data of AP employees, such as name, business email address, and telephone number, has been accessed by unauthorized persons,\u201d the letter continued.<\/p>\n<p>\u201cImmediately after the incident was discovered, measures were taken. In addition, employees of the AP and the Rvdr have been notified.\u201d<\/p>\n<p>Finally, an update from Finnish government ICT centre Valtori on February 6 explained that it discovered a breach on January 30 affecting the \u201cmobile device management service\u201d it provides to agencies.<\/p>\n<p>\u201cThe attacker gained access to information used in operating the service, including names, work email addresses, phone numbers, and device details,\u201d it explained. \u201cA user\u2019s precise location cannot be determined based on this data. According to current information, no data stored directly on the mobile devices themselves has been compromised.\u201d<\/p>\n<p>Valtori claimed that as many as 50,000 government workers may have had their details exposed in this way \u2013 nearly two-thirds of the total number of central government employees in the country.<\/p>\n<h2><strong>Ivanti Zero Days Cause Havoc Again<\/strong><\/h2>\n<p>Ivanti released patches for two critical (CVSS 9.8) zero-day bugs in EPMM on January 29, noting: \u201cWe are aware of\u00a0a\u00a0very\u00a0limited\u00a0number of\u00a0customers\u00a0whose solution\u00a0has\u00a0been\u00a0exploited\u00a0at the time of disclosure.\u201d<\/p>\n<p>CVE-2026-1281 and CVE-2026-1340 are described as code injection flaws which could allow attackers to achieve unauthenticated remote code execution.<\/p>\n<p>Ross Filipek, CISO at Corsica Technologies, warned that the threat actors may use the information they compromised to launch follow-on spearphishing attacks, in order to gain deeper access into internal systems.<\/p>\n<p>\u201cSocial engineering campaigns targeting government officials have grown in popularity over the last several months,\u201d he added. \u201cUK parliamentarians were subject to Russian spear phishing attacks this past December which aimed to establish stealthy continuous monitoring of government activity.\u201d<\/p>\n<p>Keeper Security CISO, Shane Barney, said that attacks on device management systems can carry \u201cdisproportionate risk,\u201d even when the initial impact appears limited.<\/p>\n<p>\u201cThe fact that these flaws can be exploited without authentication changes how organizations should respond. Patching addresses the vulnerability, but it does not restore trust,\u201d he continued.<\/p>\n<p>\u201cOnce a privileged control plane is exposed, organizations need to reassess credentials, keys and administrative permissions that depend on it. The objective is not just to remove the flaw, but to reestablish confidence in how access is granted and exercised.\u201d<\/p>\n<p>Cequence Security CISO, Randolph Barr, warned that if a threat actor were able to access an EPMM server, they could push malicious configuration changes, alter authentication settings or manipulate device certificates.\u00a0<\/p>\n<p>\u201cThe other important point is that EPMM is typically deployed on-prem or in customer-managed private cloud environments,\u201d he added. \u201cThat actually gives security teams more control than many SaaS platforms. With the right architecture and access controls, organizations can materially reduce their exposure and limit blast radius.&#8221;<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Several European government institutions appear to have been targeted in a coordinated campaign designed to steal data on\u00a0mobile users, it has emerged. First reported late last week, the incidents occurred at the European Commission, the Finnish government, and at least two Dutch government agencies. Tens of thousands of users may have had their personal details<\/p>\n","protected":false},"author":2,"featured_media":4513,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4512","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4512-934b232a-fe5e-41f7-8ae0-4e4b45b5c32c.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4512-934b232a-fe5e-41f7-8ae0-4e4b45b5c32c-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4512-934b232a-fe5e-41f7-8ae0-4e4b45b5c32c.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4512-934b232a-fe5e-41f7-8ae0-4e4b45b5c32c.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4512-934b232a-fe5e-41f7-8ae0-4e4b45b5c32c.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4512-934b232a-fe5e-41f7-8ae0-4e4b45b5c32c.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4512-934b232a-fe5e-41f7-8ae0-4e4b45b5c32c.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4512-934b232a-fe5e-41f7-8ae0-4e4b45b5c32c.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4512-934b232a-fe5e-41f7-8ae0-4e4b45b5c32c.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4512-934b232a-fe5e-41f7-8ae0-4e4b45b5c32c.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4512-934b232a-fe5e-41f7-8ae0-4e4b45b5c32c-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4512","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=4512"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4512\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/4513"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=4512"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=4512"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=4512"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}