Ivanti Zero-Days Breached Four Governments Before Anyone Got a Patch
The Dutch data authority. The European Commission. Finland. The Council for the Judiciary. All breached through Ivanti EPMM zero-days. CVSS 9.8. If you manage mobile devices with Ivanti, check your version now.
# Four governments breached. Same product. Same zero-days.
In January 2026, Ivanti disclosed two critical zero-day vulnerabilities in Endpoint Manager Mobile (EPMM): CVE-2026-1281 and CVE-2026-1340. Both scored CVSS 9.8. Both allow unauthenticated remote code execution. Both were being exploited before Ivanti even knew about them.
The casualty list:
- The Dutch Data Protection Authority (the agency that enforces GDPR in the Netherlands)
- The Dutch Council for the Judiciary
- The European Commission
- Finland's state ICT provider Valtori (up to 50,000 government employees' data exposed)
The irony of a data protection authority getting breached through unpatched software is not something I'm going to let pass without comment. The agency responsible for enforcing data security regulations couldn't secure its own mobile device management platform.
But before anyone points fingers, ask yourself: if nation-state attackers targeted the mobile device management software your business runs, would you even know?
# What EPMM does and why it's a juicy target.
EPMM manages mobile devices across an organization. Phones, tablets, laptops. It pushes policies, manages apps, enforces security configurations, and controls access. If you've ever had your company phone configured by IT, there's a good chance something like EPMM was involved.
Compromising EPMM means:
- Access to every managed device's data, including email, contacts, and documents
- Ability to push malicious configurations to every managed device
- Credential access for every user enrolled in the platform
- Network pivot into the internal infrastructure the EPMM server sits on
Prior EPMM zero-days have been exploited by China-linked and Iran-linked threat actors. This isn't script kiddies. This is state-sponsored targeting of enterprise mobile management infrastructure.
# "We don't use Ivanti."
Maybe you don't. But your IT provider might. Your cloud vendor might. One of the 47 SaaS tools your team uses might manage its own infrastructure with Ivanti. The Vercel breach started at an AI tool company nobody had heard of. The trust chain extends further than you think.
And even if you don't use Ivanti specifically, the lesson applies to whatever MDM or endpoint management platform you do use. Microsoft Intune, Jamf, VMware Workspace ONE, ManageEngine. All of them are high-value targets. All of them have had vulnerabilities. All of them need patching, monitoring, and access restrictions.
# What to do.
If you use Ivanti EPMM:
- Patch immediately. Multiple rounds of fixes have been released throughout 2026. Check your version against Ivanti's security advisories.
- Restrict management interface access. The EPMM admin portal should not be internet-facing without VPN or IP restrictions. This applies to every management platform, not just Ivanti.
- Audit enrolled devices for unexpected policy changes, new profiles, or unauthorized app installations. If the server was compromised, the attacker could have pushed malicious configurations to managed devices.
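One way to run the device audit from the last step, as an added example that is not Ivanti's tooling or code from this post: it diffs a pre-incident inventory snapshot against the current one and flags policy changes, new profiles, and new apps. The snapshot layout, device IDs, and profile and app names are constructed assumptions; map your own MDM export to the same shape.

```python
"""Diff two MDM inventory snapshots and flag changes worth reviewing.

The snapshot layout (device id -> policy_version, profiles, apps) is a
hypothetical export format, not an Ivanti EPMM schema.
"""

# Constructed sample data: one snapshot from before the suspected
# compromise window, one taken now.
BASELINE = {
    "dev-001": {"policy_version": 14, "profiles": ["wifi-corp", "vpn"], "apps": ["mail", "authenticator"]},
    "dev-002": {"policy_version": 14, "profiles": ["wifi-corp"], "apps": ["mail"]},
    "dev-003": {"policy_version": 14, "profiles": ["wifi-corp"], "apps": ["mail"]},
}
CURRENT = {
    "dev-001": {"policy_version": 14, "profiles": ["wifi-corp", "vpn"], "apps": ["mail", "authenticator"]},
    "dev-002": {"policy_version": 15, "profiles": ["wifi-corp", "root-ca-x"], "apps": ["mail", "remote-tool"]},
    "dev-004": {"policy_version": 14, "profiles": ["wifi-corp"], "apps": ["mail"]},
}


def audit(baseline, current, approved_policy_versions=frozenset()):
    """Return sorted (device_id, finding_type, detail) tuples."""
    findings = []
    # Devices that appeared or vanished between snapshots need an owner.
    for dev in current.keys() - baseline.keys():
        findings.append((dev, "new_device", "enrolled after baseline"))
    for dev in baseline.keys() - current.keys():
        findings.append((dev, "missing_device", "in baseline, absent now"))
    for dev in baseline.keys() & current.keys():
        old, new = baseline[dev], current[dev]
        # A policy change is only expected if change management approved it.
        if (new["policy_version"] != old["policy_version"]
                and new["policy_version"] not in approved_policy_versions):
            findings.append((dev, "policy_change",
                             f'{old["policy_version"]} -> {new["policy_version"]}'))
        for name in sorted(set(new["profiles"]) - set(old["profiles"])):
            findings.append((dev, "new_profile", name))
        for name in sorted(set(new["apps"]) - set(old["apps"])):
            findings.append((dev, "new_app", name))
    return sorted(findings)


if __name__ == "__main__":
    for device, kind, detail in audit(BASELINE, CURRENT):
        print(f"{device}\t{kind}\t{detail}")
```

Take the baseline from a backup or export that predates the exposure window, since a snapshot produced by a server that was already compromised cannot be treated as a trusted reference.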
For everyone:
- Know what manages your devices. What MDM platform does your organization use? Who manages it? When was it last patched? If you can't answer these questions, find out.
- Treat management platforms as critical infrastructure. They have admin access to every device in your org. Secure them like you'd secure your domain controller.
# Further reading
- Rapid7: Ivanti EPMM Zero-Day Analysis - technical details
- BleepingComputer: Ivanti Zero-Day Attacks - ongoing exploitation
- CISA KEV Catalog - check for current Ivanti entries
- Ivanti Security Advisories - official vulnerability disclosures