The European Commission’s mobile device management platform was hacked but the incident was swiftly contained and no compromise of mobile devices was detected, EU’s executive branch announced on Friday.
The intrusion was detected on January 30, 2026, by CERT-EU, the cybersecurity team protecting all European Union institutions, bodies, and agencies.
“The Commission’s swift response ensured the incident was contained and the system cleaned within 9 hours,” the EC stated, and added that the ihe intrusion “may have resulted in access to staff names and mobile numbers of some of its staff members.”
The Commission did not name the affected mobile device management platform, but it’s widely speculated that it was Ivanti Endpoint Manager Mobile (EPMM), because the Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) have recently suffered a data breach stemming from that platform’s compromise.
Arno Rutte, the State Secretary for Justice and Security, informed the Dutch Parliament on Friday that those institutions’ systems were recently hit by attackers.
“The National Cyber Security Centre (NCSC) was informed by the vendor on January 29th of vulnerabilities in EPMM. EPMM is used to manage mobile devices, apps, and content, including their security,” Rutte stated in a letter to the Parliament.
“Based on the information currently available, I can report that at least the AP and the Rvdr have been affected. It has now been revealed that work-related data of AP employees, such as name, business email address, and telephone number, has been accessed by unauthorized persons. Immediately after the incident was discovered, measures were taken. In addition, employees of the AP and the Rvdr have been notified. The AP has reported the incident to its data protection officer. The Rvdr has submitted a preliminary data breach notification to the AP.”
NCSC-NL advises: “Assume compromise”
Earlier this month, the Dutch National Cyber Security Centre (NCSC-NL) warned the public about active, widespread exploitation of CVE-2026-1281, an Ivanti EPMM code injection vulnerability that was publicly disclosed in late January 2026. At the time, Ivanti said that the vulnerabilities has been exploited in zero-day attacks and provided a temporary patch.
Last week, the company released security updates that fix CVE-2026-1281 and another code injection flaw (CVE-2026-1340), and on Friday it provided a tool (detection script) that can help customers find evidence of exploitation in their Ivanti EPMM environment.
NCSC-NL said that even Ivanti EPMM users who were quick to install the patch should assume that the system was compromised before that and should analyze their systems. Though, they noted, threat actors may have removed traces of compromise after the exploitation.
“Therefore, the advice is: Change all passwords for accounts present on the system. Renew the private keys in use on the system. Monitor internal traffic originating from the system for possible lateral movement,” the NCSC said.
Previously exploited Ivanti EPMM zero-days
“The Commission takes seriously the security and resilience of its internal systems and data and will continue to monitor the situation. It will take all necessary measures to ensure the security of its systems,” the EC noted.
The investigation into the incident is ongoing.
In May 2025, CERT-EU reported two Ivanti EPMM zero-days that were exploited in the wild.
Subsequent analyses and reports tied the attack activity to a suspected China-nexus threat actor that targeted organizations in the healthcare, telecommunications, aviation, municipal government, finance, and defense sectors across Europe, North America, and the Asia-Pacific region.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
