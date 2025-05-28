Two healthcare organizations in the UK are said to be among the victims of a malicious campaign involving the exploitation of a vulnerability linked to cybersecurity hardware provider Ivanti.

According to Netherlands-based cybersecurity company EclecticIQ, threat actors have attempted to exploit a vulnerability in Ivanti Endpoint Manager Mobile (EPMM).

The campaign targeted a wide range of organizations across several countries, including Scandinavia, the UK, the US, Germany, Ireland, South Korea and Japan.

In the UK, two National Health Service (NHS) England trusts are among the targets and may have seen patient data exposed in the wild, according to EclecticIQ.

These are the University College London Hospitals NHS Foundation Trust and the University Hospital Southampton NHS Foundation Trust.

In a recent report, Sky News stated that it had been shown evidence indicating that both trusts have had their IT systems accessed maliciously.

Cody Barrow, CEO of EclecticIQ, also told Sky News that such an attack raises the "potential for unauthorized access to highly sensitive patient records,” including staff phone numbers, IMEI numbers and technical data like authentication tokens.

However, sources close to the matter told Infosecurity that there is currently no evidence to suggest patient data has been accessed.

Speaking to Infosecurity, NHS England said it is monitoring the situation and collaborating with the UK’s National Cyber Security Centre (NCSC).

“Health services are not currently affected, and patients should continue to use NHS services as normal,” an NHS England spokesperson also told Infosecurity.

“NHS England provides 24/7 cyber monitoring and incident response across the NHS, and we have a high severity alert system that enables trusts to prioritize the most critical vulnerabilities and remediate them as soon as possible,” they added.

Chained Exploit of Ivanti Vulnerabilities

According to the Sky News report, the Ivanti vulnerability exploited in this campaign was first discovered on May 15 and has since been fixed.

This could be linked to two recent vulnerabilities in Ivanti EPMM that were reported to the manufacturer by the CERT-EU on May 13.

These two vulnerabilities, CVE-2025-4427 and CVE-2025-4428, with CVSS ratings of 5.3 and 7.2, respectively, were observed being exploited in the wild in a chained attack, as reported in a May 13 advisory by Ivanti.