European Commission Mobile Infrastructure Breached Through Ivanti EPMM Vulnerabilities

The European Commission has confirmed that attackers compromised its central mobile device management systems on January 30, potentially accessing the names and phone numbers of staff members.

The intrusion targeted the infrastructure used to manage employee mobile phones and tablets. CERT-EU detected suspicious activity and contained the breach within nine hours, with the Commission stating that no compromise of individual mobile devices was detected.

Ivanti EPMM Flaws Exploited

Although the Commission did not name the software vendor, the timing aligns directly with Ivanti's January 29 disclosure of two critical vulnerabilities in Endpoint Manager Mobile (EPMM).

CVE-2026-1281 and CVE-2026-1340 are both code injection flaws that allow unauthenticated remote code execution against affected EPMM servers. CISA added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog the same day, with a remediation deadline of February 1.

The attack occurred just one day after Ivanti published its advisory — underscoring how rapidly threat actors are weaponizing newly disclosed vulnerabilities against high-value targets.

Patching Complications

Ivanti has issued interim security patches but has not yet released a comprehensive fix, with a full update expected in the coming months. Security researchers have noted several concerns with the current remediation approach.

The interim patches revert when updating to different EPMM versions, and different patches are required for different software versions. This fragmented approach leaves organizations at elevated risk, particularly those managing complex multi-version deployments.

Ivanti has also released an RPM-based detection tool to help organizations identify signs of compromise related to these specific flaws.

Wider Impact

The European Commission was not the only government body affected. Finland's Valtori agency reported a breach potentially impacting up to 50,000 users, while the Dutch Data Protection Authority also confirmed it was compromised through the same Ivanti vulnerabilities. Shadowserver identified dozens of additional servers worldwide likely affected by the same campaign.

The highly targeted nature of the attacks — focusing on government institutions and regulatory bodies — suggests the threat actors may be operating with political or espionage objectives.

Recommendation

Organizations running Ivanti EPMM should apply available patches immediately, run Ivanti's detection tool to check for signs of compromise, and restrict network access to EPMM management interfaces. Given the fragmented patch situation, defenders should monitor Ivanti's advisories closely for the comprehensive fix and be prepared to re-apply patches after any version updates.
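As an added example (not code from the article or from Ivanti), a small inventory check that flags EPMM servers whose interim patch is missing, is the wrong one for their version, or was applied before their last version change and so has reverted. The version strings, patch names, hostnames and dates are constructed placeholders, not real Ivanti identifiers.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed mapping of EPMM version line -> interim patch expected on it.
# Version strings and patch names are placeholders, not Ivanti identifiers.
INTERIM_PATCH_FOR_VERSION: Dict[str, str] = {
    "12.4": "interim-patch-A",
    "12.5": "interim-patch-B",
    "12.6": "interim-patch-C",
}

@dataclass
class EpmmServer:
    host: str
    version: str                    # EPMM version line currently installed
    applied_patch: Optional[str]    # interim patch recorded as applied, if any
    patched_at: Optional[datetime]  # when that patch was applied
    upgraded_at: datetime           # when the server last changed version

def patch_status(s: EpmmServer) -> str:
    """Classify a server against the two pitfalls described above:
    interim patches are version-specific and revert on a version change."""
    expected = INTERIM_PATCH_FOR_VERSION.get(s.version)
    if expected is None:
        return "unknown-version"        # no interim patch known for this line
    if s.applied_patch is None or s.patched_at is None:
        return "unpatched"
    if s.patched_at < s.upgraded_at:
        return "reverted-by-upgrade"    # patch predates the upgrade, so it is gone
    if s.applied_patch != expected:
        return "wrong-patch-for-version"
    return "patched"

def servers_needing_action(servers: List[EpmmServer]) -> Dict[str, str]:
    """Return host -> status for every server that is not correctly patched."""
    return {s.host: st for s in servers if (st := patch_status(s)) != "patched"}

# Constructed sample inventory (hostnames and dates are made up).
SAMPLE_INVENTORY = [
    EpmmServer("epmm-a", "12.5", "interim-patch-B", datetime(2026, 1, 30), datetime(2026, 1, 10)),
    EpmmServer("epmm-b", "12.6", "interim-patch-B", datetime(2026, 1, 30), datetime(2026, 2, 2)),
    EpmmServer("epmm-c", "12.6", "interim-patch-B", datetime(2026, 2, 3), datetime(2026, 2, 2)),
    EpmmServer("epmm-d", "12.4", None, None, datetime(2026, 1, 5)),
]

if __name__ == "__main__":
    for host, status in servers_needing_action(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed it the inventory your asset management system already holds; the upgrade timestamp is the key field, since a patch recorded before it is no longer in place.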
