Cyber Incident Victim: European Commission

Date: Jan 2026

Location: Belgium

Summary

The European Commission detected a breach of its mobile device management system that persisted for approximately nine hours, during which attackers accessed staff names and telephone numbers but did not compromise any mobile devices. The intrusion was traced to actively exploited zero‑day flaws in Ivanti’s Endpoint Manager Mobile product, which were also leveraged in simultaneous attacks on Finnish and Dutch government agencies. Containment and remediation were completed within the same day, and the organization confirmed that no further device compromise occurred.

Description

On January 29, 2026, Ivanti disclosed two critical zero‑day vulnerabilities, CVE‑2026‑1281 and CVE‑2026‑1340, in its Endpoint Manager Mobile (EPMM) product and released a temporary patch. The following day, January 30, the European Commission’s central infrastructure team that manages mobile devices detected signs of a cyberattack against the mobile device management system. The incident was immediately contained and the affected systems were cleaned within nine hours; no compromise of mobile devices was detected, but staff names and mobile numbers were potentially accessed. On the same day, Finland’s public managed services provider Valtori suffered an analogous attack affecting around 50 000 individuals, with names, email addresses, phone numbers and other device details leaked. Both the Commission and Valtori publicly disclosed their incidents on February 5, though neither initially named EPMM as the cause; Valtori noted the breach occurred through a vulnerability in a “commercial mobile device management service” that had been disclosed on January 29, and Dark Reading later confirmed the Commission’s compromise involved EPMM.

On February 6, the Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) reported their own breaches and explicitly identified Ivanti EPMM as the culprit. Following these disclosures, Shadowserver observed a heightened wave of attempted EPMM exploitation concentrated around February 9. GreyNoise analysis indicated that approximately 83 % of this activity traced to a single IP address associated with a bulletproof hosting service, which remained active as of the publication date of February 12. The Commission’s CERT‑EU stated on February 9 that the attack had been discovered on January 30, involved mobile‑device‑management systems, was promptly contained and cleaned within nine hours, and that no mobile devices were compromised, while acknowledging that hackers might have accessed personal information such as staff names and phone numbers. CERT‑EU added that a thorough review of the incident was underway to improve the Commission’s cybersecurity capabilities, noting that the effort was part of a broader EU initiative to strengthen resilience across all institutions, bodies and agencies, including a new Cybersecurity Package introduced on January 20.

The Commission’s statement emphasized that its swift response ensured containment and system cleaning within the nine‑hour window, and that it would review the security of its systems and take additional precautions if needed. Valtori’s disclosure similarly noted that the breach stemmed from the disclosed EPMM vulnerability and that names, email addresses, phone numbers and other device details were exposed. No evidence of direct mobile‑device compromise was reported for either the Commission or Valtori. The incidents contributed to a series of attacks against European government agencies exploiting the same Ivanti EPMM zero‑day flaws, prompting ongoing monitoring and review activities by the affected organizations.
