▣ Breach BELGIAN-STATE-SECU 2026-06-22

Belgian State Security (VSSE): Ivanti EPMM Exploitation Exposes Employee Data

Belgium's State Security Service (VSSE), the country's civilian intelligence agency, has confirmed it was hit by a cyber incident in which attackers exploited vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) to access employee personal data. According to reporting by RTBF, the intrusion ran from May 2025 into the spring of 2026, exposing names, phone numbers, and email addresses of agency staff. Classified information reportedly remained out of reach, but the breach of contact and metadata belonging to an intelligence service raises serious operational security concerns.

What Happened

Attackers exploited known security flaws in Ivanti EPMM, a platform the VSSE uses to manage and secure mobile devices, including service phones, and to control access rights. The compromise persisted over an extended window, from May 2025 through early 2026, and it is unknown how long attackers held access before the activity was detected.

An internal investigation determined that intruders reached employee data stored or managed through the platform. While sources close to the inquiry stress that the attackers did not penetrate the internal systems that process confidential and classified material, the exposure of personnel data within a national intelligence agency is significant on its own. The relevant Ivanti EPMM vulnerabilities have since been patched, and the VSSE has not issued a substantive public response.

What Was Taken

The confirmed exposure includes employee names, phone numbers, and email addresses. Data belonging to external contacts may also have been compromised. According to Ivanti, the exploited vulnerabilities additionally permitted the theft of device identifiers and GPS location data.

No classified or operationally sensitive case material is believed to have been accessed. However, the stolen dataset is far from harmless. Metadata such as phone numbers, email addresses, device identifiers, and location data can be correlated to map organizational structures, expose work relationships, and potentially identify individuals whose roles depend on anonymity.

Why It Matters

For an intelligence service, the value of stolen data is not measured solely by classification level. Contact metadata and location history are precisely the inputs a hostile service uses to build a picture of who works where, who talks to whom, and where personnel physically operate. Even without touching classified files, an adversary can derive substantial counterintelligence value.

This incident is also not isolated. The same Ivanti EPMM vulnerabilities have been tied to intrusions at the European Commission, the Dutch Judiciary, the Dutch Data Protection Authority, and the Dutch Correctional Services Agency. That pattern points to a broad campaign targeting organizations running Ivanti's mobile management platform. CISA had previously warned that attackers were actively exploiting these flaws to collect and exfiltrate data. Some security firms have linked the broader activity to UNC5221, a cyberespionage group believed to have ties to China, though no formal attribution has been made for the VSSE intrusion specifically.

The Attack Technique

The entry vector was exploitation of vulnerabilities in Ivanti EPMM, an internet-facing mobile device management system. Because EPMM sits at the boundary between an organization's network and its fleet of managed mobile devices, a successful exploit grants attackers a foothold rich in identity, device, and location data without requiring deeper network penetration.

The flaws had been under active exploitation for an extended period before patches and public warnings caught up. The long dwell time in the VSSE case, potentially many months, is consistent with espionage-motivated operators who prioritize stealth and persistent collection over disruptive action. Notably, this is not the first time Belgian intelligence has been targeted through a third-party security product: between 2021 and 2023, attackers exploited a Barracuda vulnerability that, per Belgian media, allowed interception of roughly 10 percent of the agency's email traffic via an external server. In that case too, classified data stayed protected while personal data was exposed. No link between the two incidents has been established.

What Organizations Should Do

  1. Patch Ivanti EPMM immediately and confirm coverage. Apply all vendor fixes for the exploited vulnerabilities and verify that no unpatched or shadow instances remain reachable.
  2. Hunt for prior compromise. Patching does not evict an attacker already inside. Review EPMM logs, authentication records, and outbound traffic for the May 2025 to spring 2026 window and beyond for signs of data exfiltration.
  3. Reduce internet exposure of management platforms. Place MDM and similar administrative consoles behind VPN or zero-trust access controls rather than exposing them directly to the internet.
  4. Treat metadata as sensitive. Inventory the personal and device data your MDM holds, including phone numbers, identifiers, and GPS data, and apply access controls and retention limits accordingly.
  5. Monitor CISA and vendor advisories for actively exploited flaws. Prioritize remediation of vulnerabilities listed in CISA's Known Exploited Vulnerabilities catalog.
  6. Prepare affected staff and contacts. Where personnel data is exposed, warn affected individuals of heightened phishing, smishing, and social-engineering risk targeting their personal and work accounts.
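
As an illustration of step 2, the sketch below (an added example, not code from Ivanti, the VSSE, or the cited reporting) scans web access logs for external clients whose activity spans a long stretch of the review window while pulling a meaningful volume of data, the low-and-slow pattern described above. It assumes logs in the common/combined access-log format, which the brief does not specify for EPMM; the window end date, the internal range, the thresholds, and all sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date, datetime
from ipaddress import ip_address, ip_network

# Review window from the brief; the end date is an assumed reading of "spring 2026".
WINDOW = (date(2025, 5, 1), date(2026, 5, 31))
# Assumption: address space treated as internal and left out of the report.
INTERNAL = [ip_network("10.0.0.0/8")]
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) (\d+|-)')

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE = """
203.0.113.7 - - [10/Jan/2025:02:00:00 +0000] "GET /hypothetical/devices HTTP/1.1" 200 40000
203.0.113.7 - - [14/May/2025:02:11:09 +0000] "GET /hypothetical/devices?page=1 HTTP/1.1" 200 48211
198.51.100.20 - - [02/Jun/2025:09:15:00 +0000] "GET /hypothetical/login HTTP/1.1" 200 1420
10.0.0.5 - - [02/Jun/2025:09:16:00 +0000] "GET /hypothetical/devices HTTP/1.1" 200 90000
203.0.113.7 - - [03/Sep/2025:02:40:51 +0000] "GET /hypothetical/devices?page=2 HTTP/1.1" 200 51877
203.0.113.7 - - [19/Feb/2026:01:58:30 +0000] "GET /hypothetical/devices?page=3 HTTP/1.1" 200 50012
"""

def hunt(lines, window=WINDOW, min_span_days=30, min_bytes=100_000):
    """Return external clients active across a long span of the window."""
    stats = defaultdict(lambda: {"days": set(), "bytes": 0})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unparsable lines are skipped, not guessed at
        src, ts, status, size = m.groups()
        try:
            addr = ip_address(src)
        except ValueError:
            continue  # hostname or malformed client field
        day = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").date()
        if not window[0] <= day <= window[1]:
            continue
        if any(addr in net for net in INTERNAL):
            continue
        stats[src]["days"].add(day)
        if status.startswith("2") and size != "-":
            stats[src]["bytes"] += int(size)  # only successful responses count
    findings = []
    for src, s in stats.items():
        span = (max(s["days"]) - min(s["days"])).days
        if span >= min_span_days and s["bytes"] >= min_bytes:
            findings.append({"src": src, "first": min(s["days"]), "last": max(s["days"]),
                             "span_days": span, "active_days": len(s["days"]), "bytes": s["bytes"]})
    return sorted(findings, key=lambda f: f["span_days"], reverse=True)

if __name__ == "__main__":
    for finding in hunt(SAMPLE.splitlines()):
        print(finding)
```

Findings are leads for review, not verdicts: legitimate long-lived external clients will also match and need to be excluded against a known-good list.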

Sources: Belgian State Security hit by Ivanti data breach - Techzine Global