A letter to the Dutch parliament said attackers exploited Ivanti Endpoint Manager Mobile vulnerabilities on 29 January, causing a data breach that affected employees of the Dutch Data Protection Authority and the Council for the Judiciary.
KEY FACTS
- Incident Exploitation of Ivanti EPMM vulnerabilities on 29 January
- Affected Employees of the Dutch Data Protection Authority and the Council for the Judiciary
- Data Names, business email addresses and phone numbers may have been accessed
- Vulnerabilities CVE-2026-1281 and CVE-2026-1340
- Notification All affected individuals were informed directly
The attack occurred on 29 January. Employees at both agencies were affected. Personal data that may have been accessed includes names, business email addresses and phone numbers.
The exploited bugs are identified as CVE-2026-1281 and CVE-2026-1340. Monitoring of the Ivanti vulnerabilities is under way at the national cybersecurity agency and the office of the chief information officer is assessing whether there is a broader risk to central government systems.
Patches from Ivanti are available. Edge devices such as EPMM are internet-facing by design and can be rapidly exploited as zero-day vulnerabilities. Organizations exposing vulnerable instances to the internet are advised to treat them as compromised and initiate incident response and remediation.
WHY IT MATTERS
Rapid exploitation of edge device vulnerabilities can expose staff personal data and force wide incident response across government. The case underlines the operational risk of internet-facing management systems and the need for prompt patching and containment.