Dutch Privacy Regulator Breached in Widespread Ivanti Zero-Day Attacks
The irony is stark: the Netherlands' privacy regulator tasked with protecting citizen data has itself become a victim of sophisticated zero-day attacks.

The Dutch Data Protection Authority (AP) — the very organization responsible for enforcing data privacy laws — has disclosed it fell victim to zero-day attacks exploiting critical vulnerabilities in Ivanti's mobile management software. The breach, which also affected the Council for the Judiciary and the European Commission, underscores how even cybersecurity watchdogs are vulnerable to sophisticated threats.
The attackers exploited two critical code injection vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) — tracked as CVE-2026-1281 and CVE-2026-1340 — both carrying a maximum severity CVSS score of 9.8. These flaws allowed unauthenticated attackers to execute remote code on unpatched systems.
Dutch Justice Secretary Arno Rutte confirmed in a letter to parliament that the attack compromised work-related data of employees at both the Dutch Data Protection Authority and the Council for the Judiciary, including names, business email addresses, and phone numbers. The European Commission also disclosed a similar breach of its mobile device management infrastructure, which was contained within nine hours, though staff names and mobile numbers may have been accessed.
Ivanti issued patches on January 29, the same day the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog. However, the attacks occurred while the vulnerabilities were still unknown to the vendor, making them true zero-day exploits.
The breach carries significant implications beyond the immediate data exposure. Researchers from the Shadowserver Foundation report that nearly 1,300 Ivanti EPMM instances remain exposed to the internet globally, and that multiple threat actors are now actively exploiting these vulnerabilities. The foundation warns that many systems may already have been compromised by more than one attacker.
The Netherlands' National Cyber Security Centre (NCSC-NL) has issued stark guidance: organizations using EPMM should assume their systems were compromised before patches were applied, even if they acted quickly. Security researchers note that threat actors may have removed traces of compromise after exploitation, making detection challenging.
The incident is particularly damaging for the Dutch Data Protection Authority, which now faces the uncomfortable position of investigating its own data breach — a responsibility that has fallen to its data protection officer while regular staff investigate the breach at the Council for the Judiciary.
Organizations using Ivanti EPMM must take immediate action. First, apply the latest security updates for CVE-2026-1281 and CVE-2026-1340 if not already done. Patching alone, however, is insufficient.
Security experts emphasize that organizations with internet-facing EPMM instances should assume compromise and initiate full incident response procedures. This includes using Ivanti's newly released detection script to hunt for indicators of compromise, analyzing system logs for suspicious activity, and securing forensic evidence.
The UK's National Health Service warned that edge devices like EPMM are internet-facing by design, making them attractive targets. Organizations should implement defense-in-depth strategies, including network segmentation, enhanced monitoring of critical systems, and regular security audits.
Finally, organizations must develop rapid patch deployment capabilities and incident response plans. The window between vulnerability disclosure and mass exploitation has collapsed to hours, not days. Being prepared to respond immediately to zero-day disclosures is no longer optional — it's essential for survival.