NHS England has issued a high-severity cyber alert warning that a critical zero-day vulnerability in Fortinet's FortiClient Endpoint Management Server (EMS) is being actively exploited and could allow attackers to take over vulnerable servers — without ever logging in.
In alert CC-4766, published on 7 April 2026, the NHS England National Cyber Security Operations Centre (CSOC) confirmed that CVE-2026-35616 affects FortiClient EMS versions 7.4.5 and 7.4.6, and allows remote code execution through crafted API requests. The CSOC assessed it was "almost certain" there would be further exploitation in the immediate future.
The flaw has been added to the US Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) Catalog, and federal agencies have been ordered to remediate by 9 April. Singapore's Cyber Security Agency and other national cyber authorities have also issued alerts urging immediate action.
This is not a theoretical risk — and the consequences of exploitation go far beyond a single compromised machine.
The vulnerability is an access control failure in the FortiClient EMS API. An attacker needs no credentials, no user interaction, and no privileged position on the network. They simply send malicious requests to the exposed server and can run arbitrary code or commands with high privileges on the EMS server.
FortiClient EMS acts as a central management server for Fortinet's endpoint security tools, allowing administrators to deploy clients, push security policies, manage certificates, and control protections across large numbers of devices — potentially an entire organisation's endpoint estate.
Security analysts say a successful compromise of the EMS server could give attackers the ability to:
In short: compromising the EMS server hands an attacker the keys to the kingdom. Rather than having to attack endpoints one by one, a single successful exploit could give them centralised control over an organisation's entire endpoint security infrastructure.
Researchers at watchTowr reported seeing exploitation attempts against their honeypots as far back as 31 March, before the public advisory was released. Shadowserver has identified approximately 2,000 FortiClient EMS instances exposed to the internet, indicating a significant potential attack surface.
While no specific threat group has been publicly identified, security researchers have noted the bug is likely to be attractive to both ransomware operators and espionage actors, given the level of access a compromised EMS server provides.
Fortinet has assigned CVE-2026-35616 a CVSSv3 score of 9.1 out of 10. Some commercial security firms, including Tenable, have rated it even higher at 9.8, reflecting the fact that the attack can be carried out remotely, without authentication, and without any user action.
This vulnerability is being treated as a zero-day because active exploitation was observed before a permanent fix was broadly available. It is the second unauthenticated critical flaw in FortiClient EMS to emerge in quick succession, following CVE-2026-21643, a SQL injection vulnerability that was also found under active exploitation. The pattern is expected to intensify scrutiny of the product's security and the speed at which organisations apply patches.
The following FortiClient EMS versions are confirmed as vulnerable:
FortiClient EMS 7.2.x is not affected.
If you are a technology supplier, managed service provider (MSP), or third-party vendor that manages, supports, or provides FortiClient EMS environments on behalf of NHS organisations or other clients, you have an urgent and immediate responsibility to act.
Audit your client environments now. Identify every client environment where FortiClient EMS 7.4.5 or 7.4.6 is deployed. Do not wait for clients to raise this with you — proactive outreach is expected and, in many cases, required under your service agreements.
Notify affected clients without delay. Contact all clients running vulnerable versions and inform them of the risk clearly. Provide a remediation timeline and explain what actions you are taking on their behalf. Transparency is critical, particularly for NHS and public sector clients who may have their own reporting obligations.
Apply patches as a P1 incident — not a routine update. Given active exploitation and CISA's KEV listing, standard patching SLAs are not sufficient. Hotfixes for versions 7.4.5 and 7.4.6 should be applied within 24–48 hours wherever operationally possible.
Document everything. Maintain a clear audit trail of when you became aware of the vulnerability, which client environments were assessed, and when patches were applied. This documentation may be required by clients, regulators, or in the event of a subsequent incident investigation.
Plan for the 7.4.7 upgrade now. Begin coordinating with clients ahead of the version 7.4.7 release so the upgrade can be executed promptly without delays caused by change management processes.
Know your supply chain obligations. If you supply into NHS organisations, failure to notify clients of a known critical vulnerability or to apply patches in a timely manner could constitute a breach of your contractual and regulatory duties. Any suspected compromise within a client environment must be reported immediately to the NHS CSOC.
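The audit, notification, P1 patching and documentation steps above reduce to one repeatable triage over a supplier's inventory. The script below is an added example, not code from NHS England, Fortinet or any MSP; it encodes only the facts the alert states (7.4.5 and 7.4.6 vulnerable, hotfixes available for both, 7.4.7 as the permanent fix, 7.2.x not affected, a 24-48 hour P1 window) and treats every other build as "verify against the advisory" rather than assuming it is safe. The inventory record layout, client names and the 48-hour deadline are constructed assumptions.

```python
"""
Added example: triage a supplier's FortiClient EMS inventory for CVE-2026-35616.
Not part of the NHS England alert; inventory layout and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Facts from the alert (CC-4766).
VULNERABLE = {(7, 4, 5), (7, 4, 6)}
NOT_AFFECTED_BRANCH = (7, 2)        # "FortiClient EMS 7.2.x is not affected"
PERMANENT_FIX = (7, 4, 7)           # permanent fix due in 7.4.7
P1_DEADLINE = timedelta(hours=48)   # upper end of the 24-48 hour window (assumption)


@dataclass
class EmsInstance:
    client: str
    host: str
    version: str
    internet_exposed: bool
    hotfix_applied: bool = False


def parse_version(text: str) -> tuple:
    """Turn '7.4.5' into (7, 4, 5); rejects junk so a bad record is not silently skipped."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unrecognised FortiClient EMS version: {text!r}")
    return parts


def classify(inst: EmsInstance) -> str:
    """Map one instance to a status using only what the alert confirms."""
    v = parse_version(inst.version)
    if v[:2] == NOT_AFFECTED_BRANCH:
        return "not-affected"
    if v[:2] == (7, 4):
        if v in VULNERABLE:
            return "hotfixed" if inst.hotfix_applied else "vulnerable"
        if v >= PERMANENT_FIX:
            return "fixed"
    # 7.4.0-7.4.4 and other branches are not named in the alert: confirm
    # against Fortinet PSIRT advisory FG-IR-26-099 instead of assuming safety.
    return "verify-against-advisory"


def triage(instances, now: datetime):
    """Return (actions, audit_log).

    Actions are sorted so internet-exposed unpatched instances come first;
    every assessment is written to the audit log with a timestamp so the
    'document everything' step is satisfied as a by-product of the triage."""
    actions, audit = [], []
    deadline = now + P1_DEADLINE
    for inst in instances:
        status = classify(inst)
        audit.append(f"{now.isoformat()} assessed {inst.client}/{inst.host} "
                     f"version={inst.version} exposed={inst.internet_exposed} status={status}")
        if status == "vulnerable":
            priority = 0 if inst.internet_exposed else 1
            actions.append((priority, inst.client, inst.host,
                            f"apply Fortinet hotfix by {deadline.isoformat()} (P1)"))
        elif status == "verify-against-advisory":
            actions.append((2, inst.client, inst.host, "confirm status in FG-IR-26-099"))
        elif status == "hotfixed":
            actions.append((3, inst.client, inst.host, "schedule upgrade to 7.4.7"))
    actions.sort(key=lambda a: (a[0], a[1], a[2]))
    return actions, audit


# Constructed sample inventory (client names and hosts are invented).
SAMPLE_INVENTORY = [
    EmsInstance("Clinic A", "ems-01", "7.4.6", internet_exposed=True),
    EmsInstance("Trust B", "ems-01", "7.4.5", internet_exposed=False, hotfix_applied=True),
    EmsInstance("MSP Lab", "ems-lab", "7.2.9", internet_exposed=True),
    EmsInstance("Trust C", "ems-02", "7.4.5", internet_exposed=False),
    EmsInstance("Trust D", "ems-01", "7.4.3", internet_exposed=False),
]

if __name__ == "__main__":
    actions, audit = triage(SAMPLE_INVENTORY, datetime.now(timezone.utc))
    for _, client, host, action in actions:
        print(f"{client}/{host}: {action}")
    print("\n".join(audit))
```

The ordering is deliberate: an internet-exposed 7.4.5/7.4.6 server is the case the Shadowserver figures describe and goes to the top of the list, an internal one follows, and anything the alert does not explicitly cover is queued for confirmation rather than marked clean.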
Fortinet has released out-of-band hotfixes for both affected versions. These must be installed as soon as possible:
A permanent fix will be included in the upcoming version 7.4.7. All organisations should upgrade as soon as it becomes available. The hotfix is sufficient to prevent exploitation in the interim.
Review the full Fortinet PSIRT Advisory FG-IR-26-099 for the latest guidance, indicators of compromise, and additional technical detail.
NHS organisations and healthcare providers that suspect compromise should contact the NHS CSOC immediately:
For UK organisations, this alert carries significance well beyond the NHS. Fortinet products are widely deployed across the public sector, government, and critical infrastructure networks. The incident is expected to sharpen attention on vendor risk, internet-exposed management systems, and the speed at which organisations act on vulnerabilities known to be under active attack.
No breaches linked to CVE-2026-35616 have yet been publicly confirmed in the UK, but with active exploitation already underway and alerts issued by Fortinet, CISA, NHS England, and other national cyber agencies, security teams should treat this as an immediate incident-response priority, not a routine software update.