NHS England has issued a high-severity cyber alert warning that a critical zero-day vulnerability in Fortinet’s FortiClient Endpoint Management Server is being actively exploited and could allow attackers to take over vulnerable servers without logging in.

In alert CC-4766, published on Tuesday, the NHS England National CSOC said CVE-2026-35616 affects FortiClient EMS versions 7.4.5 and 7.4.6 and allows remote code execution through crafted API requests. The agency said it was “almost certain” there would be further exploitation in the immediate future.

The flaw is an access control failure in the platform’s API, meaning an attacker needs no credentials and no user interaction to send malicious requests and run arbitrary code or commands with high privileges on the EMS server. It is being treated as a zero-day because exploitation was seen before a permanent fix was broadly available.

Fortinet disclosed the issue in advisory FG-IR-26-099 on 4 April and said the vulnerability had been observed being exploited in the wild. The company released out-of-band hotfixes for EMS 7.4.5 and 7.4.6 and said customers should install them immediately, then move to version 7.4.7 once it is available. NHS England’s alert repeats that advice. According to the NHS notice, FortiClient EMS 7.2.x is not affected.
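The remediation advice above reduces to a version check per EMS host: 7.4.5 and 7.4.6 are affected (mitigated only once the out-of-band hotfix is applied), 7.4.7 is the fixed release, and 7.2.x is not affected. The following is an added triage script, not code from the article, Fortinet or NHS England; it assumes a simple inventory (hostname, reported version string, whether the host is internet-exposed, whether the hotfix has been applied), treats any later 7.4.x release as carrying the fix (a generalisation the article does not state), and reports anything else as unknown so it gets reviewed rather than silently skipped. Sample inventory values are constructed for illustration.

```python
"""Triage FortiClient EMS hosts against CVE-2026-35616 by version.

Rules as reported: 7.4.5 and 7.4.6 affected (hotfix mitigates), 7.4.7 fixed,
7.2.x not affected. Everything else is "unknown" and needs a human look.
"""
from dataclasses import dataclass
import re

AFFECTED = {(7, 4, 5), (7, 4, 6)}
FIXED_BRANCH = (7, 4)
FIXED_PATCH = 7                 # 7.4.7 and later 7.4.x assumed to carry the fix
UNAFFECTED_BRANCH = (7, 2)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)\s*$")

# Lower rank means work on it first.
_PRIORITY = {
    "vulnerable": 0,
    "unknown-version": 1,
    "unknown": 2,
    "mitigated-hotfix": 3,
    "fixed": 4,
    "not-affected": 5,
}


def parse_version(text):
    """Turn '7.4.5' or 'v7.4.5' into (major, minor, patch); None if unparsable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


@dataclass
class EmsHost:
    name: str
    version: str            # version string as reported by the inventory
    internet_exposed: bool  # reachable from the internet (constructed field)
    hotfix_applied: bool = False  # out-of-band hotfix installed (constructed field)


def classify(host):
    """Return a status label for one host according to the rules above."""
    v = parse_version(host.version)
    if v is None:
        return "unknown-version"
    if v in AFFECTED:
        return "mitigated-hotfix" if host.hotfix_applied else "vulnerable"
    if v[:2] == FIXED_BRANCH and v[2] >= FIXED_PATCH:
        return "fixed"
    if v[:2] == UNAFFECTED_BRANCH:
        return "not-affected"
    return "unknown"


def triage(hosts):
    """Return (name, status) pairs, most urgent first; exposed hosts before internal ones."""
    rows = [(h, classify(h)) for h in hosts]
    rows.sort(key=lambda r: (_PRIORITY[r[1]], not r[0].internet_exposed, r[0].name))
    return [(h.name, status) for h, status in rows]


# Constructed sample inventory; not real hosts.
SAMPLE_INVENTORY = [
    EmsHost("ems-london", "7.4.5", internet_exposed=True),
    EmsHost("ems-leeds", "7.4.6", internet_exposed=False, hotfix_applied=True),
    EmsHost("ems-lab", "7.4.6", internet_exposed=False),
    EmsHost("ems-legacy", "7.2.8", internet_exposed=True),
    EmsHost("ems-new", "7.4.7", internet_exposed=True),
    EmsHost("ems-odd", "7.4", internet_exposed=True),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY):
        print(f"{name:12s} {status}")
```

Hosts that come out as "vulnerable" and internet-exposed are the ones the alerts are aimed at; "unknown-version" rows usually mean the inventory is stale, which is itself a finding worth chasing before assuming a host is safe.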

Fortinet has assigned the bug a severity score of 9.1 out of 10. Some commercial security firms, including Tenable, have rated it even higher at 9.8, reflecting the fact that the attack can be carried out remotely, without authentication and without any action from a user.

The significance of the flaw lies in the role of FortiClient EMS itself. The software acts as a central management server for Fortinet’s endpoint security tools, allowing administrators to deploy clients, push policies, manage certificates and control protections across large numbers of devices. Security analysts say a successful compromise of the EMS server could give intruders a route to disable defences, distribute malicious software or move further into a victim’s network through a trusted administration channel.

The US Cybersecurity and Infrastructure Security Agency added CVE-2026-35616 to its Known Exploited Vulnerabilities catalogue on 6 April and ordered federal agencies to remediate by 9 April. Inclusion on the KEV list is generally reserved for flaws for which there is evidence of real-world attacks. Singapore’s Cyber Security Agency and other national cyber authorities have also issued alerts urging immediate hotfixing.

Researchers say suspicious activity began before the public advisory was released. WatchTowr said it saw exploitation attempts against its honeypots on 31 March. Fortinet credited Simo Kohonen of Defused Cyber and researcher Nguyen Duc Anh with reporting the vulnerability after it had been observed in use. Shadowserver, cited by SecurityWeek, has said about 2,000 internet-accessible FortiClient EMS instances are visible online, suggesting a sizeable potential attack surface.

No threat group has been publicly identified. However, security researchers say the bug is likely to be attractive to both ransomware operators and espionage actors because compromise of an EMS server can provide a path to multiple managed endpoints from a single system.

The latest warning comes only weeks after another critical FortiClient EMS flaw, CVE-2026-21643, was found to be under active exploitation. That earlier vulnerability, a SQL injection issue, had already raised concerns about internet-exposed EMS deployments. The emergence of a second unauthenticated FortiClient EMS flaw in quick succession is likely to intensify scrutiny of the product’s security and patching practices.

For UK organisations, the NHS alert is likely to resonate beyond the health service. Fortinet products are widely used across public sector, government and critical infrastructure networks, and the incident is expected to sharpen attention on vendor risk, internet-exposed management systems and the speed at which organisations apply fixes for vulnerabilities known to be under active attack.

No breaches linked to CVE-2026-35616 have yet been publicly confirmed in the UK. But with active exploitation already under way and public alerts now issued by Fortinet, CISA, NHS England and other cyber agencies, security teams are being urged to treat the flaw as an immediate incident-response priority rather than a routine software update.