Cyber Incident Victim: Valtori
Date: Jan 2026
Location: Finland
Summary
Valtori, the public managed services provider for Finland's government, was breached via a vulnerability in a commercial mobile device management service, exposing names, email addresses, phone numbers and device details of roughly 50,000 individuals linked to the central government. The intrusion, which persisted for several hours, formed part of a wider wave of attacks on European government agencies that exploited critical zero‑day flaws in Ivanti EPMM to achieve remote code execution.
Description
On Jan. 29, Ivanti disclosed two critical vulnerabilities in its Endpoint Manager Mobile (EPMM) solution, designated CVE-2026-1281 and CVE-2026-1340, and released a temporary patch to address them. In the associated security advisory, Ivanti acknowledged that a very limited number of customers had experienced exploitation of these flaws at the time of disclosure. The Cybersecurity and Infrastructure Security Agency subsequently added CVE-2026-1281 to its Known Exploited Vulnerabilities list.

On Jan. 30, the European Commission’s central infrastructure managing mobile devices was subjected to a cyberattack that persisted for nine hours. During that incident, staff names and mobile numbers were compromised, although no direct compromise of mobile devices was detected. Also on Jan. 30, Valtori, the public managed services provider for Finland’s government, suffered an attack of the same nature. The Valtori breach exposed personal data of approximately 50,000 individuals linked to the central government, including names, email addresses, phone numbers, and other device details.

Both organizations publicly disclosed their incidents on Feb. 5. Neither disclosure explicitly named Ivanti EPMM as the cause, though Valtori referenced a breach via a vulnerability in a commercial mobile device management service that had been disclosed on Jan. 29. Dark Reading later confirmed that the European Commission’s compromise was indeed attributable to EPMM.

On Feb. 6, two Dutch government agencies—the Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr)—acknowledged that they had also been breached and identified Ivanti EPMM as the responsible vector.

In the days that followed, Shadowserver observed a renewed surge in attempted exploitation of EPMM around Feb. 9. Analysis by Greynoise indicated that none of the indicators of compromise published by Ivanti corresponded to this spike in activity. Greynoise further reported that approximately 83% of the observed attempts could be traced to a single IP address hosted by a bulletproof hosting provider. As of the publication date of Feb. 12, that IP address remained active in general traffic.

Earlier, on Jan. 20, the European Commission had unveiled a revised Cybersecurity Act that emphasized scrutiny of supply‑chain vendors and proposed measures to phase out reliance on dubious foreign sources.

Ivanti supplied high‑fidelity indicators of compromise, technical analysis details, and an Exploitation Detection script developed in collaboration with the NCSC NL to assist customers in identifying potential post‑exploitation activity. Ivanti also made available a temporary patch for the EPMM vulnerabilities that requires no system downtime and can be applied in seconds. The company stated that applying the patch is the most effective means to prevent exploitation, regardless of how indicators of compromise evolve after a proof‑of‑concept becomes public. Ivanti continues to monitor the threat landscape and provides ongoing support to affected customers as part of its response to the EPMM zero‑day incidents.
