Which NHS trusts were affected by the cyber attack?

Two major NHS trusts fell victim to a cyber attack: University College London Hospitals NHS Foundation Trust (UCLH) and University Hospital Southampton NHS Foundation Trust. Both were compromised through the exploitation of security flaws in Ivanti Endpoint Manager Mobile (EPMM) software used to manage staff mobile devices and tablets.

What software vulnerability was exploited in the NHS trusts attack?

The attack exploited critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software, which is used to manage staff mobile devices and tablets. The attackers targeted the vulnerable /mifs/rs/api/v2/ endpoint using malicious HTTP GET requests containing Java-based commands.

What types of data were exposed in the NHS trusts attack?

The exposed data included staff mobile phone numbers, IMEI numbers (unique device identifiers for mobile network identification), and technical authentication tokens and device management data. UCLH confirmed that the compromised systems contained limited staff-related information.

Was patient data compromised in the NHS trusts cyber attack?

No, UCLH confirmed that no patient data or staff passwords were accessed in the attack. The compromise was limited to staff mobile device management information and did not extend to patient records or authentication credentials.

Who discovered and reported the NHS trusts cyber attack?

Security researchers at EclecticIQ identified the attack as part of their research into a broader global campaign. They were able to link the NHS attacks to the larger pattern of exploitation targeting Ivanti EPMM vulnerabilities across multiple sectors and geographic regions.

Incident

Two NHS trusts affected by cyber attack on Ivanti Mobile Management

Q: Is this NHS attack part of a larger campaign?

Yes, this attack was identified as part of a broader global campaign targeting organizations across healthcare, telecommunications, aviation, municipal government, finance, and defense sectors in Europe, North America, and the Asia-Pacific region.

Q: What are the NHS trusts doing in response to the cyber attack?

Both organizations are conducting thorough investigations to determine the full scope of the incident and identify all potentially impacted staff members. UCLH has stated they are directly contacting affected staff members whose mobile device information was compromised.

published: May 29, 2025

Take action: One more reason to URGENTLY patch your Ivanti Endpoint Manager Mobile on premises.

Learn More

Two major NHS trusts have fallen victim to a cyber attack that exploited critical vulnerabilities in mobile device management software. University College London Hospitals NHS Foundation Trust (UCLH) and University Hospital Southampton NHS Foundation Trust were compromised through the exploitation of security flaws in Ivanti Endpoint Manager Mobile (EPMM) software used to manage staff mobile devices and tablets.

Security researchers at EclecticIQ identified the attack as part of a broader global campaign targeting organizations across healthcare, telecommunications, aviation, municipal government, finance, and defense sectors in Europe, North America, and the Asia-Pacific region. The attackers operated using infrastructure based in China, with their tactics, techniques, and procedures (TTPs) consistent with known China-nexus espionage groups that have previously targeted edge network appliances and enterprise software vulnerabilities.

The attack methodology involved targeting the vulnerable /mifs/rs/api/v2/ endpoint where threat actors used malicious HTTP GET requests containing Java-based commands embedded in the ?format= parameter. This exploitation technique enabled attackers to bypass authentication mechanisms and execute arbitrary code on compromised systems, potentially providing pathways for lateral movement throughout affected networks.

UCLH confirmed that the compromised systems contained limited staff-related information but emphasized that no patient data or staff passwords were accessed. The exposed data included:

Staff mobile phone numbers
IMEI numbers (unique device identifiers for mobile network identification)
Technical authentication tokens and device management data

The number of affected individuals has not been disclosed by either NHS trust or NHS England. Both organizations have confirmed they are conducting thorough investigations to determine the full scope of the incident and identify all potentially impacted staff members. UCLH has stated they are directly contacting affected staff members whose mobile device information was compromised.

Two NHS trusts affected by cyber attack on Ivanti Mobile Management

Read More
Pennsylvania Attorney General's Office hit by cybersecurity incident, …
Lyon Management Group, Inc. (Lyon Living) reports data …
San Francisco Campus for Jewish Living (Hebrew Home …
ALN Medical Management (Health Prime International) reports data …
Mackay Memorial Hospital in Taiwan reports data breach …