The Dutch National Institute for Public Health and the Environment (RIVM) temporarily took its website offline earlier this month after hackers exploited a vulnerability in an external web component to post unauthorized content, including a dog video and false information about diabetes.
The incident occurred on 14 October 2025, prompting the RIVM to close its site around 11:15 a.m. as a precaution. A spokesperson confirmed to NU.nl and NL Times that no sensitive systems or internal data were affected.
Preliminary analysis suggests that attackers leveraged a form submission plugin or external content handler to inject the material directly into the website’s public pages. The RIVM clarified that the attack did not involve ransomware or data theft, describing it instead as a “content injection” incident. The organization restored most of the website within hours but left interactive forms disabled pending a full security audit.
Security experts noted that such incidents illustrate the exposure risk of public-sector sites that rely on third-party modules or legacy plugins. Even non-critical websites can become channels for misinformation or reputational harm when input validation and access controls are insufficient.
The RIVM is conducting a technical review with its hosting provider and the National Cyber Security Centre (NCSC-NL) to assess whether similar vulnerabilities exist elsewhere across government-managed web services.