Date: May 2025
Location: United Kingdom

Summary

Two NHS trusts, University College London Hospitals NHS Foundation Trust and University Hospital Southampton NHS Foundation Trust, were compromised after attackers exploited a critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM), the mobile device management software used by both trusts. The flaw allowed remote code execution on the EPMM server, enabling the attackers to exfiltrate staff phone numbers, device IMEI numbers, authentication tokens and other technical data, and potentially to move laterally towards patient records and operational systems. The activity was traced to an IP address located in China and bears similarities to the tradecraft of known China‑based threat actors, although official attribution remains unconfirmed. The National Cyber Security Centre is working with NHS England to assess the impact, and Ivanti has released a patch for the vulnerability.


Description

On 15 May 2025 a critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM) was discovered and subsequently exploited by attackers who gained access to the networks of University College London Hospitals NHS Foundation Trust and University Hospital Southampton NHS Foundation Trust. The attackers used the flaw to achieve remote code execution on the trusts' EPMM servers, which gave them access to the data the mobile device management system holds about enrolled devices and their users: staff phone numbers, device IMEI numbers, authentication tokens and other technical data. Through this access the attackers exfiltrated data covertly, raising concerns that patient records, staff details and operational systems may have been compromised without detection. EclecticIQ analysts identified the breach, traced the malicious activity to an IP address located in China and noted that the attackers' behaviour resembled that of known China‑based threat actors, although attribution remains officially unconfirmed.


Experts warned that the potential scope of compromise extends beyond data theft to unauthorised access to highly sensitive patient records, disruption of appointment systems and possible interference with medical devices used in daily patient care. EclecticIQ's analysis of the attack suggests the attackers most likely found the trusts' exposed EPMM instances through automated internet scanning rather than by deliberately targeting the NHS; once found, however, the scale and sensitivity of the trusts' systems made them a high‑value target. The incident has prompted renewed debate over the NHS's cybersecurity preparedness amid growing threats, with commentators noting that similar past attacks have forced the cancellation of surgeries and delayed critical treatments. Cody Barrow, CEO of EclecticIQ, stated that such attacks strike at the heart of patient safety and care delivery and that the response must be treated with the same urgency as a medical emergency.

The National Cyber Security Centre is working alongside NHS England to assess the damage and prevent further exposure, while NHS England has confirmed that 24/7 cyber monitoring and an emergency alert system are in place to help trusts prioritise and remediate critical vulnerabilities. An NHS England spokesperson said the organisation is currently investigating the potential incident with cybersecurity partners, including the NCSC, and the trusts mentioned. Ivanti acknowledged the issue and confirmed that a fix for the vulnerability in Endpoint Manager Mobile has been released. An NCSC spokesperson added that they are working to fully understand the UK impact following reports that critical vulnerabilities in Ivanti Endpoint Manager Mobile are being actively exploited.
