EU, Dutch, Singapore government confirm breaches linked to Ivanti zero-days 

European and Dutch authorities have confirmed cyber intrusions linked to recently disclosed zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM).

The flaws, tracked as CVE-2026-1281 and CVE-2026-1340, allow attackers to remotely compromise mobile device management systems without authentication. Ivanti patched the vulnerabilities in late January, warning customers to assume exposed systems may already be compromised.

In a statement to parliament, the Dutch Data Protection Authority and the Judicial Council said they had been hacked, though it’s unclear when the incidents occurred. Dutch officials confirmed that work-related information, including names, business email addresses and phone numbers, was accessed, with investigations ongoing.

The European Commission separately disclosed a cyberattack on its central mobile device management infrastructure similar to the Dutch incident. While the Commission did not explicitly name Ivanti EPMM, it said the breach may have exposed staff names and mobile numbers. Officials said the incident was contained within nine hours and no mobile devices were compromised.

The US Cybersecurity and Infrastructure Security Agency added CVE-2026-1281 to its Known Exploited Vulnerabilities Catalog in January 2026, confirming active exploitation. Cyber agencies in Canada and Singapore have also warned that attackers are weaponising the bugs against unpatched systems.

Singapore’s cybersecurity authority said in a press release that it observed cyberattacks targeting the country’s critical infrastructure linked to UNC3886, believed to be a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions.

The agency said that all four of Singapore’s major telecommunications operators – M1, SIMBA Telecom, Singtel and StarHub – have been the target of attacks. In one case, the threat actor used a zero-day exploit to access the victim’s network and steal a small amount of network-related data, likely to further its operation.

In another instance, UNC3886 used advanced tools and techniques such as rootkits to maintain persistent access and stay hidden.

In the UK, NHS Digital said healthcare networks have detected related malicious activity, though no confirmed breach has been reported.
