European Commission’s mobile management "infrastructure" hacked - EPMM the culprit?

The European Commission  (EC) said the “central infrastructure” it uses to manage mobile devices was compromised in a cybersecurity incident.

The EC said on February 6 that it “identified traces of a cyber-attack” on the infrastructure/software on January 30, which “may have resulted in access to staff names and mobile numbers of some of its staff...”

Without naming the affected “infrastructure” an EC spokesperson added that “the incident will be thoroughly reviewed and will inform the Commission's ongoing efforts to enhance its cybersecurity capabilities…”

Was it hit through an Ivanti EPMM 0day?

The Commission discovered the incident one day after Ivanti pushed an advisory for two critical vulnerabilities in its Ivanti Endpoint Manager Mobile (EPMM products); one, CVE-2026-1281, exploited as an 0day. 

(The Stack could not immediately confirm if the EC was an EPMM user and affected by exploitation of this vulnerability. We have contacted the Commission for a simple confirm/deny and will update this article.)

The Netherland's NCSC_NL was instrumental however in responding to exploitation and supporting Ivanti with IOCs. The vendor updated its advisory on Friday with a detection script and log analysis guidance.

The Dutch NCSC said on February 6:

"It has now become clear that this abuse has taken place much more broadly than previously known. Users of Ivanti EPMM should assume that the system had already been compromised prior to installing the patch. Patching does not fix this prior compromise. We recommend following an ‘assume breach’ scenario."

It called on all EPMM users to:

• Change all passwords for accounts present on the system.
• Renew the private keys in use on the system.
• Monitor internal traffic originating from the system to check for possible lateral movement.

The EC said no compromise of mobile devices themselves was detected.

It wrote: “The Commission takes seriously the security and resilience of its internal systems and data and will continue to monitor the situation. It will take all necessary measures to ensure the security of its systems.”

CERT-EU responded to 2025 EPMM abuse

Europe's incident response organisation, CERT-EU, in 2025 detected exploitation of another pair of EPMM vulnerabilities (CVE-2025-4427 and CVE-2025-4428). CERT-EU supports European institutions and its early involvement during last year's EPMM exploitation suggests that the bugs may have been used to exploit organisations it works closely with.

CERT-EU confirmed that it had “worked on the vulnerability detected in the Ivanti EPMM ” an EU Commission spokesperson said on May 5, 2025.

"We are losing massively"

The incident comes after the executive director of the EU's Agency for Cybersecurity (ENISA) said Europe is failing on cybersecurity. (ENISA focuses on policy and capacity building; CERT-EU on direct response.)

“We are losing this game,” Juhan Lepassaar told Politico. “We are not catching up, we're losing this game, and we're losing massively.”

Join peers following The Stack on LinkedIn

On February 4, ENISA’s Associate Chief Cybersecurity and Operational Officer, Florian Pennings said that the agency’s “EU-level risk assessment shows a substantial cyber threat level. We’re seeing threat actors actively exploiting discovered vulnerabilities targeting EU entities.”

He called for a greater focus on “strengthening the shared situational awareness, setting up the EU’s vulnerability management infrastructure and services and enhancing the security of technologies and products…”

Europe's puny cybersecurity budgets

Last month the Commission proposed a new cybersecurity package that would include a 75% increase in ENISA's funding. The agency’s entire 2024 budget was a paltry €26.2 million ($30.9 million.) CERT-EU’s 2024 budget meanwhile was even less; just €12 million in 2024.

On 26 August, 2025, the EC tasked ENISA with running the new EU Cybersecurity Reserve, with €36 million in funding for three years to “to enhance response and reporting for cyber threats and incidents.”

To contextualise that budget, it cost High Street retailer Marks and Spencer triple that sum (£83 million/€95 million) in “technical incident response and recovery” costs to respond to one ransomware attack.