Vulnerability exploit | Resolved

Norwegian government Ivanti zero-day breach

Attackers exploited an Ivanti Endpoint Manager Mobile zero-day (CVE-2023-35078, CVSS 10.0) to breach a shared ICT platform used by 12 Norwegian government ministries, with exploitation traced back to at least April 2023.

Victim: Norwegian government (12 ministries)
CVE: CVE-2023-35078, CVE-2023-35081

On 24 July 2023, Norwegian authorities disclosed that attackers had exploited a zero-day vulnerability in Ivanti Endpoint Manager Mobile (EPMM) — software used to manage mobile devices — to breach a shared ICT platform serving 12 Norwegian government ministries. It was one of the most significant intrusions into central government infrastructure in Norway's history and an early flashpoint in a wave of Ivanti exploitation that would batter governments worldwide.

What happened

The flaw, CVE-2023-35078, is an authentication-bypass vulnerability allowing remote, unauthenticated access to specific API paths in Ivanti EPMM (formerly MobileIron Core). It carries the maximum CVSS score of 10.0. An attacker reaching those paths could read personally identifiable information — names, phone numbers, device details — for managed users, and could create administrative accounts to deepen control of the system.

The compromised platform, operated by the Norwegian Government Security and Service Organisation (DSS), provided IT services to a dozen ministries. Authorities emphasized that the most sensitive bodies — the Prime Minister's Office, the Ministry of Defence, the Ministry of Justice, and the Ministry of Foreign Affairs — ran on separate infrastructure and were not affected.

Subsequent forensic analysis indicated the zero-day had been exploited against the Norwegian platform since at least April 2023, giving the attackers months of undetected access before the flaw was publicly known.

The second zero-day

On 2 August 2023, Ivanti confirmed that a second zero-day, CVE-2023-35081, had been chained with CVE-2023-35078 in the Norwegian attack. The combination let attackers bypass authentication and access-control restrictions, then write malicious files (such as web shells) to the appliance. Both flaws were added to CISA's Known Exploited Vulnerabilities catalog as opportunistic scanning and exploitation spread globally.

Impact

  • Communications networks at 12 ministries were affected, disrupting employees' access to mobile services and email.
  • Norway's national security authorities treated the breach as a serious compromise of government infrastructure and coordinated emergency patching across affected systems.
  • No public attribution to a specific nation-state was confirmed, though the targeting of central government and the months-long dwell time pointed to an advanced actor.

Why it matters

The Norwegian government breach was a defining example of the risk concentrated in security and device-management products: the very tools meant to protect and administer government fleets became the single point of catastrophic failure. It helped trigger global emergency directives on Ivanti products and reinforced a hard lesson — internet-facing management appliances must be patched on a zero-day footing, because a single authentication bypass can expose an entire government's mobile estate.

Timeline

  1. Earliest observed exploitation of the Ivanti EPMM zero-day against the Norwegian government platform, per later forensic analysis.

  2. Norwegian authorities disclose that a zero-day in Ivanti Endpoint Manager Mobile was used to breach a shared ICT platform serving 12 ministries.

  3. Ivanti and CISA release details and a patch for CVE-2023-35078, an authentication-bypass flaw rated CVSS 10.0.

  4. Ivanti confirms a second zero-day, CVE-2023-35081, was chained with CVE-2023-35078 in the Norwegian government attack.

  5. CISA adds both vulnerabilities to its Known Exploited Vulnerabilities catalog amid widespread scanning and exploitation.

