Ivanti’s Endpoint Manager Mobile Flaws Under Active Exploitation

David Meyer
February 9, 2026

Ivanti Zero-Days Likely Deployed in EU and Dutch Hacks
The European Commission fell victim to a cyberattack that could have allowed the theft of some staff member names and mobile numbers.

The European Union’s executive body said Friday it detected on Jan. 30 an attack on its “central infrastructure managing mobile devices.” Investigators had detected no actual compromise of user devices. “The incident was contained and the system cleaned within nine hours,” the Commission said.

Details are scarce, although the announcement of the hack came one day after CERT-EU, the EU’s main cybersecurity service, housed within the commission, flagged a pair of critical code injection vulnerabilities in Ivanti’s Endpoint Manager Mobile product, tracked as CVE-2026-1281 and CVE-2026-1340.

According to Ivanti, which rolled out scripting updates to fix the flaws, one of the vulnerabilities led to the exploitation of “a very limited number of customers.” CERT-EU recommended “securing forensic evidence to detect any signs of exploitation.” Ivanti said a more permanent patch than scripts – which don’t survive a version upgrade – should be released before April.

Affected Ivanti customers appear to include the Dutch Data Protection Authority and Council for the Judiciary, which on Friday notified the country’s parliament that their employees’ names, business email addresses and phone numbers had been accessed by an unauthorized party.

The England National Health System late last month warned hospitals to be on guard against exploitation attempts, especially since the mobile endpoint manager is exposed to the internet by design. “Edge devices like EPMM are internet-facing by design and are highly attractive targets to attackers, and there are an increasing number of edge device vulnerabilities disclosed each year that are rapidly exploited by attackers,” it said (see: CISA Directs Federal Agencies to Update Edge Devices).

ISMG asked the commission whether its attack announcement and ENISA’s warning are connected, how many staffers’ details may have been accessed, and whether there is any attribution for the attack yet. No response had arrived as of publication.

Less than two weeks ago, ENISA’s executive director declared that Europe needed to invest far more in cybersecurity, at a time of ever-increasing attacks.

“We are not catching up,” Juhan Lepassaar told Politico. “We’re losing this game, and we’re losing massively.” The ENISA chief decried a 75% boost to the agency’s funding set to occur under proposed revisions to the EU Cybersecurity Act, arguing that “doubling the capacity is the absolute minimum.”

Cybersecurity expert Haya Schulmann also told ISMG days later that Europe needs to step up its active cyber defenses, in the wake of a potentially catastrophic, likely Russian, attack on the Polish energy grid.

The U.S. Cybersecurity and Infrastructure Agency added the Ivanti Endpoint Manager Mobile flaws to its catalog of Known Exploited Vulnerabilities. Ivanti products – including the mobile endpoint security manager – have experienced a raft of zero-day attacks over the past couple of years, including a 2023 incident in which hackers used Endpoint Manager Mobile flaws to breach a dozen Norwegian government ministries (see: Ivanti Says Second Zero-Day Used in Norway Government Breach).

Analysis by cybersecurity firm watchTowr found hackers could use the flaws to pass malicious strings via the Bash scripting language by exploiting what’s known as an “arithmetic expansion” vulnerability.

With reporting by Information Security Media Group’s David Perera in Northern Virginia.