UPDATE
A handful of European government agencies have been compromised by hackers in recent weeks, thanks to a new round of critical vulnerabilities in an Ivanti product — and it’s another grim reminder of the heyday attackers have been having with edge devices.
Attacks against edge devices have been steadily ramping up for nearly three years, tripping up multiple vendors in the process: Fortinet has endured a number of attacks against its products; SonicWall’s edge devices contended with zero-days; and WatchGuard’s firewall was hit more recently with a zero-day. The highly distributed nature of edge networking has historically meant less monitoring, and like any good opportunist, attackers will exploit that sort of weakness when they see it.
On Jan. 29, Ivanti disclosed two critical vulnerabilities in its Endpoint Manager Mobile (EPMM) solution, and released a temporary patch to cover them. Tracked as CVE-2026-1281 and CVE-2026-1340, the issues were similar in nature, both allowing for remote code execution (RCE), and both assigned 9.8 out of 10 scores on the Common Vulnerability Scoring System (CVSS) scale. In a security advisory, the company admitted to “a very limited number of customers whose solution has been exploited at the time of disclosure,” and the Cybersecurity and Infrastructure Security Agency (CISA) then added CVE-2026-1281 to its running list of Known Exploited Vulnerabilities (KEV).
Perhaps the public warning lit a fire under the threat actors who’d discovered CVE-2026-1281 and CVE-2026-1340 before Ivanti did. The next day, cyberattacks tied to EPMM struck the European Union’s European Commission, as well as agencies of the Dutch and Finnish governments.
That same day, researchers at watchTowr publicly described a proof-of-concept (PoC) exploit. Ever since, more attackers have been getting in on the fun, though a large chunk of those attacks have come from one unidentified source in particular, according to data from Greynoise.
Ivanti Bugs Spark Fresh Wave of Cyberattacks
On Jan. 20, the European Commission unveiled a revised Cybersecurity Act. In part, it highlighted the risk of relying on supply chain vendors from dubious foreign countries, and proposed ways to identify and phase them out. Sensible as that might be, Europe might be better served applying equal scrutiny to trusted vendors at home, because they often allow foreign attackers the same degree of access to sensitive systems.
Consider, for instance, a perfectly legitimate company like Ivanti. Over and over again, foreign attackers find and exploit critical zero-day vulnerabilities in Ivanti products. Yet those products are still widely deployed across high-level organizations, as recent days have shown.
On Jan. 30, the European Commission fell victim to a cyberattack against its “central infrastructure managing mobile devices.” The attack lasted nine hours, and staff names and mobile numbers were compromised, though no direct mobile device compromises were detected.
That same day, Valtori — the public managed services provider for Finland’s government — fell victim to an attack of exactly the same nature. In this case, the attack affected around 50,000 individuals associated with the central government. Names, email addresses, phone numbers, and other device details were leaked.
Both Valtori and the European Commission disclosed their incidents on Feb. 5. Neither publicly named EPMM as the culprit. However, Valtori noted that it was breached through a vulnerability in a “commercial mobile device management service,” which just so happened to have been publicly disclosed on Jan. 29. And in reporting this story, Dark Reading confirmed that the European Commission was, indeed, compromised through EPMM.
On Feb. 6, two government agencies in the Netherlands — the Dutch Data Protection Authority (AP), and the Council for the Judiciary (Rvdr) — also copped to their own breaches, and were more forthcoming in naming Ivanti EPMM as the culprit.
Following what appeared to be a coordinated campaign against European governments, Shadowserver tracked another, more voluminous wave of attempted attacks against Ivanti EPMM, concentrated around Feb. 9. Researchers at Greynoise found that none of the indicators of compromise (IoCs) published by Ivanti itself actually aligned with this spike in exploitation, tracing 83% of it to a single IP address from a bulletproof hosting service instead. Greynoise informed Dark Reading that as of the time of publication, Feb. 12, that IP address was “still active in general.”
What to Do About Ivanti Cyber Risk
In theory, at least, powerful perimeter technologies can be secured against most attackers.
“One shift organizations should consider is moving beyond ‘patch and pray’ to designing perimeter infrastructure with the assumption of eventual compromise as a proactive security measure,” Douglas McKee, director of vulnerability intelligence at Rapid7, suggests. In his view, “That starts with minimizing exposure by eliminating unnecessary public interfaces, enforcing pre-authentication access controls, and aggressively restricting management-plane reachability rather than simply hardening what is already exposed. It also means treating perimeter and management systems as high-value assets by instrumenting them with deep telemetry, behavioral monitoring, and strict egress controls. That way, exploitation is detected quickly and cannot pivot freely into the internal network.”
McKee urges organizations to view their perimeter management as Tier-0 critical infrastructure — as vulnerable and as sensitive as any other systems they have. “When hardened and monitored properly, centralized control remains operationally necessary; however, it must be architected with the assumption that it will be targeted,” he says.
In practice, organizations appear to be either unable or unwilling to do all that, as evidenced by how often even capable, well-resourced, and highly sensitive organizations fall victim to Ivanti attackers. Which raises the question: If your parachute reliably failed once every few months or so, you probably wouldn’t go skydiving with it, so why do high-level organizations continue to rely on Ivanti?
Part of the reason, says Benjamin Harris, CEO of watchTowr, is that “Ripping out tech like Ivanti isn’t as easy as it sounds. They are deeply embedded across their 40,000 enterprise client base, providing remote access, mobile device management, patching, endpoint management, and other solutions. That kind of footprint in enterprise environments is a hard, slow process to unwind.”
“While this is, of course, a sorry state of affairs that we find ourselves in, the reality is: Which of their competitors has a better track record? The bar remains disappointingly low,” he says, adding, sardonically, “but thank goodness they all signed a pledge.”
An Ivanti spokesperson provided the following statement to Dark Reading:
“Ivanti’s recommendation remains the same: customers who have not yet patched should do so immediately, and then review their appliance for any signs of exploitation that may have occurred prior to patching. Applying the patch is the most effective way to prevent exploitation, regardless of how IOCs change over time, especially once a POC is available. The patch requires no downtime and takes only seconds to apply. Ivanti has provided customers with high fidelity indicators of compromise, technical analysis at disclosure, and an Exploitation Detection script developed with NCSC NL, and continues to support customers as we respond to this threat.”
This story was updated at 8:30 a.m. ET on Feb. 13 to reflect a statement from Ivanti, the names of two Dutch government agencies, and confirmation that Ivanti EPMM was the target in the attacks against the European Commission.
