Norwegian Security and Service Organisation
Norwegian government organisation; earlier victim of Ivanti EPMM zero-days; precedent for May 2026 CVE-2026-6973.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Three years after Norway's Ivanti breach, why are governments still using the same vulnerable MDM software?
Timeline for Norwegian Security and Service Organisation
Named as prior victim of Ivanti EPMM zero-days in the same product line
Cybersecurity: Threats and Defences: Ivanti EPMM logs fourth KEV zero-day since 2023- Was the Norwegian government hacked through Ivanti EPMM?
- Yes. In 2023, the Norwegian Security and Service Organisation (NSSO), which manages services for government ministries, confirmed it was compromised through a zero-day in Ivanti EPMM (CVE-2023-35078), the first in a series of four Ivanti MDM zero-days to reach CISA's KEV by May 2026.Source: Norway NSM / NSSO
- What is the Norwegian Security and Service Organisation?
- The NSSO is a Norwegian government body managing shared IT services and physical security for the Storting (Parliament) and government ministries. It became a named victim of the first Ivanti EPMM zero-day exploitation in 2023.
- What is CVE-2026-6973 in Ivanti EPMM and why does it affect Norway?
- CVE-2026-6973 is the fourth Ivanti EPMM zero-day to reach CISA's KEV catalogue since 2023. Norway is notable because the NSSO was a confirmed victim of the first Ivanti EPMM zero-day (CVE-2023-35078) in 2023, making Norwegian government systems a repeated focus in this vulnerability series.Source: CISA / Norway NSM
- Why does Ivanti EPMM keep having zero-day vulnerabilities?
- Ivanti EPMM has logged four KEV zero-days since 2023, suggesting sustained attacker focus on Mobile Device Management software used by government and enterprise customers. MDM products are high-value targets because they manage credentials and access across entire device fleets.Source: CISA
Background
The Norwegian Security and Service Organisation (NSSO) is a Norwegian government body responsible for managing shared services and security for the Norwegian Parliament (Storting) and government ministries. In 2023, the NSSO was one of the first publicly confirmed victims of a zero-day vulnerability in Ivanti Endpoint Manager Mobile (EPMM), an attack that compromised internal government ministry networks. The incident became a landmark case in the record of Ivanti EPMM zero-day exploitation.
The 2023 NSSO compromise was attributed to a threat actor exploiting CVE-2023-35078, the first of what would become a series of Ivanti MDM zero-days. Norway's National Security Authority (NSM) and the NSSO responded publicly, making it one of the highest-profile government disclosures in the EPMM zero-day series. The incident informed subsequent Ivanti security guidance and contributed to the Norwegian government's calls for vendor accountability in Mobile Device Management security.
By May 2026, CVE-2026-6973 in Ivanti EPMM became the fourth such vulnerability to reach CISA's KEV catalogue since 2023. The NSSO's earlier experience establishes why government agencies' use of Ivanti EPMM is a persistent strategic vulnerability, particularly for organisations managing mobile access to classified or sensitive government systems.