Particle.news

European Commission Probes Mobile Management Breach as Ivanti Exploits Spread

Researchers report dozens of compromised Ivanti EPMM servers, driving urgent assume‑compromise guidance from national cyber agencies.

Overview

  • CERT-EU detected an intrusion on January 30 in the Commission’s central mobile device management environment, contained it within nine hours, and reported possible access to some staff names and phone numbers with no mobile devices compromised.
  • The activity aligns with ongoing exploitation of Ivanti Endpoint Manager Mobile zero‑days CVE‑2026‑1281 and CVE‑2026‑1340 that allow unauthenticated remote code execution.
  • The Dutch Data Protection Authority and the Council for the Judiciary confirmed related breaches that exposed employee contact details and notified affected personnel.
  • Shadowserver identified artifacts on 86 compromised EPMM instances and noted nearly 1,300 internet‑exposed systems, while Rapid7 observed widespread exploitation attempts in honeypot traffic.
  • NCSC‑NL advised organizations to assume compromise, change passwords, renew private keys, monitor for lateral movement, and run Ivanti’s detection script as Commission and CERT‑EU forensics continue.