Ivanti Vulnerability Exploit Could Expose UK NHS Data

Two healthcare organizations in the UK are said to be among the victims of a malicious campaign exploiting a vulnerability in a product from IT management software vendor Ivanti.

According to Netherlands-based cybersecurity company EclecticIQ, threat actors have attempted to exploit a vulnerability in Ivanti Endpoint Manager Mobile (EPMM).

Speaking to Infosecurity, a spokesperson for Ivanti responded to the Dutch company's claims: "As a matter of policy, Ivanti does not comment on specific customers, and it is concerning that EclecticIQ would publicly name any potentially affected organization and speculate to media regarding unverified impact, as this may increase risk for that entity and obstruct any ongoing open investigation."

Two NHS Trusts Allegedly Breached

The campaign targeted a wide range of organizations across several countries and regions, including Scandinavia, the UK, the US, Germany, Ireland, South Korea and Japan.

In the UK, two National Health Service (NHS) England trusts are among the targets and may have seen patient data exposed in the wild, according to EclecticIQ.

These are the University College London Hospitals NHS Foundation Trust and the University Hospital Southampton NHS Foundation Trust.

Cody Barrow, CEO of EclecticIQ, confirmed to Infosecurity that the evidence strongly indicates that systems linked to both trusts have been compromised as part of a targeted cyber-attack. "In both cases, there is evidence of real-time command execution originating from attacker-controlled infrastructure, including commands like arp -a and /etc/hosts enumeration. These activities are consistent with internal network reconnaissance, typically carried out by sophisticated threat actors following initial access," he added.

“While NHS England has denied that the Southampton Trust uses Ivanti, the presence of malicious activity on systems within NHS-owned networks suggests a genuine and active threat. This highlights possible gaps in visibility over NHS IT assets and raises concerns about how widespread the impact may be.”
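The reconnaissance commands Barrow describes (`arp -a` and reads of `/etc/hosts` issued from infrastructure outside the organization) are the kind of post-exploitation activity a defender can hunt for in an appliance's command or shell audit trail. The script below is an added example written for this article, not code from EclecticIQ, Ivanti or the NHS: it scans a constructed log in a hypothetical `ts src= user= cmd=""` format, flags the indicators named in the article plus two common companions (an assumption of the example), and reports which source addresses fall outside an assumed trusted management network.

```python
"""Hunt for post-exploitation reconnaissance in a command-audit log.

Added example for this article; the log format, trusted network and
indicator list are assumptions, not artefacts from the incident.
"""
import ipaddress
import re
from dataclasses import dataclass

# Networks from which interactive admin commands are expected (assumed).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Reconnaissance indicators. The first two are the commands named in the
# article; the last two are common companions added as an assumption.
RECON_PATTERNS = {
    "arp_cache_dump": re.compile(r"\barp\s+-a\b"),
    "hosts_file_read": re.compile(r"/etc/hosts\b"),
    "neighbour_table": re.compile(r"\bip\s+(-\S+\s+)?neigh\w*\b"),
    "identity_check": re.compile(r"(^|[;&|]\s*)(whoami|id)\b"),
}

# Hypothetical audit line:  <timestamp> src=<ip> user=<name> cmd="<text>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$'
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    user: str
    indicator: str
    cmd: str
    external_source: bool


def is_external(src: str) -> bool:
    """True when the source address is outside every trusted admin network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return True  # unparseable source: treat as untrusted rather than ignore
    return not any(addr in net for net in TRUSTED_ADMIN_NETS)


def scan(lines):
    """Return one Finding per (line, indicator) match; malformed lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        for name, pattern in RECON_PATTERNS.items():
            if pattern.search(m["cmd"]):
                findings.append(
                    Finding(m["ts"], m["src"], m["user"], name, m["cmd"],
                            is_external(m["src"]))
                )
    return findings


def suspicious_sources(findings):
    """Count recon hits per source address that is not on a trusted network."""
    counts = {}
    for f in findings:
        if f.external_source:
            counts[f.src] = counts.get(f.src, 0) + 1
    return counts


# Constructed sample log. 203.0.113.0/24 is a documentation range, so the
# "attacker" address is deliberately fictitious.
SAMPLE_LOG = """
2025-05-16T03:12:44Z src=10.20.4.7 user=svcmon cmd="uptime"
2025-05-16T03:13:02Z src=203.0.113.45 user=tomcat cmd="arp -a"
2025-05-16T03:13:05Z src=203.0.113.45 user=tomcat cmd="cat /etc/hosts"
2025-05-16T03:13:09Z src=203.0.113.45 user=tomcat cmd="id; uname -a"
2025-05-16T03:14:00Z src=10.20.4.9 user=admin cmd="cat /etc/hosts"
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for f in hits:
        flag = "EXTERNAL" if f.external_source else "trusted"
        print(f"{f.ts} {f.src:<14} {f.user:<7} {f.indicator:<16} [{flag}] {f.cmd}")
    print("recon hits from untrusted sources:", suspicious_sources(hits))
```

The admin read of `/etc/hosts` from 10.20.4.9 is still reported, but without the external flag: the combination of indicator and untrusted source, not either alone, is what should page an analyst. In a real deployment the trusted ranges would come from the asset inventory, which is exactly the visibility gap Barrow points to.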

Potential Critical Data Theft

Barrow also said that such an attack raises the "potential for unauthorized access to highly sensitive patient records,” including staff phone numbers, IMEI numbers and technical data like authentication tokens.

However, sources close to the matter told Infosecurity that there is currently no evidence to suggest patient data has been accessed.

Speaking to Infosecurity, NHS England said it is monitoring the situation and collaborating with the UK’s National Cyber Security Centre (NCSC).

“Health services are not currently affected, and patients should continue to use NHS services as normal,” an NHS England spokesperson also told Infosecurity.

“NHS England provides 24/7 cyber monitoring and incident response across the NHS, and we have a high severity alert system that enables trusts to prioritize the most critical vulnerabilities and remediate them as soon as possible,” they added.

Chained Exploit of Ivanti Vulnerabilities

According to a Sky News report, the Ivanti vulnerability exploited in this campaign was first discovered on May 15 and has since been fixed.

This could be linked to two recent vulnerabilities in Ivanti EPMM that were reported to the manufacturer by CERT-EU on May 13.

These two vulnerabilities, CVE-2025-4427 and CVE-2025-4428, with CVSS ratings of 5.3 and 7.2, respectively, were observed being exploited in the wild in a chained attack, as reported in a May 13 advisory by Ivanti.

Source: Infosecurity Magazine

Taken individually, the two flaws carry only medium and high CVSS scores. When chained together, an attacker first uses CVE-2025-4427, the authentication bypass, to reach functionality that should require credentials, and then exploits CVE-2025-4428 to achieve remote code execution on the EPMM server. The combined result is unauthenticated remote code execution, which is why the impact of the chain is rated critical even though neither CVSS score says so on its own.

Ivanti released a patch in its May 13 advisory. On May 15, security firm WatchTowr published a technical analysis and proof-of-concept exploit.

"Consistent with responsible security management, Ivanti is working directly with our customers to ensure they have appropriately deployed the fix, as well as actively collaborating with reputable security partners to enable independent investigations by our customers," the Ivanti spokesperson told Infosecurity.

The EclecticIQ analysts told Sky News they have identified the hackers exploiting the Ivanti vulnerabilities as having used an IP address based in China.

Additionally, their modus operandi is similar to that of previous China-based actors, suggesting that the attack likely originates from a Chinese state-sponsored threat actor.

A security advisory addressing the vulnerabilities was also published by NHS England on May 14.

A Public Security Charter for Healthcare Vendors

Emran Ali, Associate Director of Cyber Security at Bridewell, commented: “Healthcare organizations are custodians of highly sensitive patient data, and a successful attack can lead not just to data theft, but clinical risks from manipulated or inaccessible records. These incidents often exploit vulnerabilities in the software supply chain, making third-party security a critical weak point.”

“The NHS's recent call for technology vendors to sign a public security charter reflects a critical shift toward accountability in an increasingly complex digital supply chain,” he added.

“Addressing these challenges requires a holistic, continuous approach to vendor management, technical controls, and incident response – ensuring healthcare services can protect patient safety while meeting modern digital demands."

In a recent healthcare security report, Netskope Threat Labs found that 81% of all data policy violations involved regulated healthcare data protected under legislation such as the EU’s and UK’s General Data Protection Regulation (GDPR).

This article was updated on May 29 to add Ivanti's response and additional comments from Cody Barrow.
