Ivanti Vulnerability Exploit May Compromise Data Security of UK NHS

Two healthcare organizations in the UK have reportedly fallen victim to a malicious campaign exploiting a vulnerability related to cybersecurity hardware provider Ivanti.

According to a Netherlands-based cybersecurity firm, threat actors have targeted Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities. This campaign has affected numerous organizations across several countries, including the UK, US, Germany, Ireland, South Korea, and Japan.

In the UK, two National Health Service (NHS) trusts—University College London Hospitals NHS Foundation Trust and University Hospital Southampton NHS Foundation Trust—are among the targeted entities. According to reports, evidence suggests that patient data may have been compromised.

Cody Barrow, CEO of the cybersecurity firm, highlighted the potential for unauthorized access to sensitive patient information, including staff phone numbers and technical data such as authentication tokens. However, sources indicate that there is no confirmed evidence of actual patient data access at this time.

NHS England is actively monitoring the incident and coordinating with the UK’s National Cyber Security Centre (NCSC). An NHS England spokesperson said that health services remain unaffected and encouraged patients to continue using NHS facilities as usual. The organization stated that it employs 24/7 cyber monitoring and incident response for the NHS, along with a high severity alert system to identify and address critical vulnerabilities promptly.

The vulnerabilities exploited in this campaign were initially discovered on May 15 and have since been patched. The first signs of exploitation were noted following the reporting of two vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, which carry CVSS ratings of 5.3 and 7.2, respectively. The two vulnerabilities were exploited as a chain: attackers first bypass authentication and then use remote code execution for malicious purposes.

The cybersecurity firm noted that the actors utilizing the Ivanti backdoor are believed to have connections to an IP address based in China. Their tactics resemble those of previous actors linked to Chinese state-sponsored threats, suggesting that the attack may originate from such entities.

Emran Ali, Associate Director of Cyber Security at Bridewell, emphasized the critical responsibility of healthcare organizations in safeguarding sensitive patient data. Successful cyberattacks not only risk data theft but can also lead to serious clinical implications due to manipulated or inaccessible records. Ali pointed out that a recent call from the NHS for technology vendors to commit to a public security charter indicates a significant shift toward greater accountability within the complex digital supply chain.

Addressing these vulnerabilities demands a comprehensive and ongoing approach to vendor management, technical controls, and incident response, enabling healthcare services to effectively protect patient safety while meeting contemporary digital requirements.

A recent report indicated that a substantial percentage of data policy violations pertain to regulated healthcare data protected under various legislative frameworks, highlighting the ongoing risks faced in this sector.