Two major Dutch government bodies have confirmed that their systems were compromised in cyber attacks exploiting critical vulnerabilities in Ivanti’s mobile device management software. The Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) disclosed the incidents in a formal notice to the country’s parliament on Friday.
The attacks leveraged recently disclosed security flaws in Ivanti Endpoint Manager Mobile (EPMM), previously known as MobileIron Core. The breaches resulted in the unauthorized access and exfiltration of internal employee contact data, including telephone numbers and email addresses.
Official Confirmation and Initial Discovery
According to the joint notification, the National Cyber Security Center (NCSC) first alerted the organizations to a potential breach on January 29. Subsequent forensic investigations confirmed that the attackers had successfully infiltrated the systems. The primary goal of the intrusion appears to have been espionage, with the stolen data consisting of internal contact information.
The agencies emphasized that the compromised systems were isolated from their primary operational networks. They stated that no sensitive personal data from citizens or case-related judicial information was accessed or stolen during the incident.
Background on the Ivanti Vulnerabilities
The cyber attacks exploited two critical zero-day vulnerabilities in Ivanti EPMM, tracked as CVE-2023-35078 and CVE-2023-35081. These security flaws were publicly disclosed by Ivanti in July 2023. A zero-day vulnerability refers to a software security weakness that is unknown to the vendor and for which no patch exists at the time of discovery, making it highly valuable to threat actors.
CVE-2023-35078 is an authentication bypass flaw that allows a remote attacker to access restricted resources or functionality. CVE-2023-35081 is a path traversal vulnerability that enables arbitrary file writes on the system. When chained together, these vulnerabilities allow an attacker to execute malicious code with high privileges on unpatched systems.
Response and Mitigation Actions
Upon notification from the NCSC, both the AP and the Council for the Judiciary initiated immediate incident response protocols. The affected systems were taken offline and isolated to contain the breach. Digital forensics experts were engaged to determine the full scope of the intrusion and to identify the attackers’ methods.
The organizations have notified the Dutch Data Protection Authority, as required by the General Data Protection Regulation (GDPR), and have informed their employees whose contact information was exposed. They are also cooperating with ongoing law enforcement investigations into the attacks.
In their statement, the agencies confirmed they have applied all necessary security patches released by Ivanti to remediate the vulnerabilities. They are conducting a comprehensive security review of all connected systems to ensure no other persistent threats remain.
Broader Implications and Industry Context
This incident highlights the significant risk posed by unpatched enterprise software, particularly in government and critical infrastructure sectors. Ivanti’s EPMM is widely used by large organizations globally to manage and secure mobile devices, making it a high-value target for advanced persistent threat (APT) groups.
The disclosure follows a pattern of sophisticated cyber espionage campaigns targeting government entities across Europe. Security researchers have previously linked exploitation of these specific Ivanti flaws to state-sponsored hacking groups seeking intelligence-gathering opportunities.
The Dutch NCSC has reiterated its previous warnings to all public and private sector organizations using Ivanti products to apply security updates immediately and to monitor their networks for signs of compromise. The center provides regular threat advisories on its website for affected entities.
Looking forward, both agencies stated that their investigation remains active. They expect to receive further technical details from the NCSC and forensic partners in the coming weeks. The Council for the Judiciary has committed to publishing a summary of the final investigation report, pending security clearance, to promote transparency and shared learning within the public sector. The focus is now on reinforcing defensive measures and ensuring all software assets are patched against known vulnerabilities to prevent future incidents.
Source: Joint notification to Dutch Parliament