CRITICAL 3 min read 17 Apr 2026

Fortinet FG-IR-26-099 — Critical FortiOS RCE Triggers NHS England Alert

An unauthenticated FortiOS RCE rated CVSS 9.1 has triggered NHS England alert CC-4766, signalling sector-specific urgency. Healthcare and critical infrastructure organisations running Fortinet edge appliances should treat this as immediate exposure-validation work.

Key findings

01. Fortinet FG-IR-26-099 Unauthenticated RCE (CRITICAL)
[High] A critical vulnerability in FortiOS has surfaced with CVSS 9.1 severity. NHS England has issued alert CC-4766 for healthcare-sector exposure specifically. The flaw permits unauthenticated remote code execution on affected FortiOS devices, placing perimeter appliances directly at risk.

02. Apache ActiveMQ CVE-2026-34197 Added to CISA KEV (HIGH)
[High] CVE-2026-34197 affects ActiveMQ versions below 5.19.4 and 6.0.0–6.2.2. The attack path uses Jolokia JMX-HTTP bridging to achieve remote code injection. CISA has set a remediation deadline of 30 April for federal agencies.

03. Ivanti Connect Secure Zero-Days Under Active Exploitation (CRITICAL)
[High] Orange Cyberdefense reporting links CVE-2025-0282 and CVE-2025-0283 to active exploitation by UNC5337. CVE-2025-0282 is an unauthenticated RCE in Connect Secure; CVE-2025-0283 is a local privilege escalation. CVSS scores are 9.0 and 7.0 respectively.

04. RedSun Windows Defender Local Privilege Escalation (HIGH)
[Medium] A researcher-disclosed vulnerability in Windows Defender reportedly abuses the file-restoration path to achieve SYSTEM privileges from standard user context. Public proof-of-concept code is circulating.

05. Update: UK AI Threat Warning Sharpens to Banking-Sector Response (HIGH)
[High] Confidence: High. Previously covered 16 April 2026; today's delta: Bank of England briefings for UK banks are now scheduled within a fortnight, with ECB coordination and concrete capability claims around autonomous attack simulation and exploit generation now added.

06. Update: Russia-Linked Sabotage Pressure Against European CNI (HIGH)
[High] Confidence: High. Previously covered 16 April 2026; today's delta: Sweden and Poland incidents are now cited as specific evidence of cyber-kinetic intent targeting heating, power, and OT-linked infrastructure.

07. CVE-2009-0238 Revived in CISA KEV (HIGH)
[Medium] Confidence: Medium. A 17-year-old Office RCE has resurfaced on CISA's KEV list. The implication is clear: exploitable legacy Office exposure persists in real environments. Treat this as an asset-hygiene check for estates still running outdated Office versions.

08. Autovista Ransomware Disruption (HIGH)
[Medium] Confidence: Medium. UK-headquartered automotive data provider Autovista has confirmed ransomware disruption affecting valuation tools and email services across Europe and Australia. No CVE cited; attribution and data-loss scope remain open.

09. FreeBSD NFS CVE-2026-4747 (MEDIUM)
[Low] Confidence: Low. An AI-assisted research signal surfaced this older NFS vulnerability; technical detail remains limited. Hosting and infrastructure operators with FreeBSD footprint should monitor for patch guidance before this matures into broader action.

Fortinet FG-IR-26-099 Unauthenticated RCE

Confidence: High

A critical vulnerability in FortiOS has surfaced with CVSS 9.1 severity. NHS England has issued alert CC-4766 for healthcare-sector exposure specifically. The flaw permits unauthenticated remote code execution on affected FortiOS devices, placing perimeter appliances directly at risk.

Fortinet estates underpin remote-access VPNs, site-to-site connectivity, and cloud gateway functions in thousands of organisations. When the NHS singles out a vendor alert for escalation, the operational signal is clear: this is a validate-exposure-now event, not a patch-when-convenient advisory.

Apache ActiveMQ CVE-2026-34197 Added to CISA KEV

Confidence: High

CVE-2026-34197 affects ActiveMQ versions below 5.19.4 and 6.0.0–6.2.2. The attack path uses Jolokia JMX-HTTP bridging to achieve remote code injection. CISA has set a remediation deadline of 30 April for federal agencies.

ActiveMQ sits in enough middleware stacks that this is an asset-inventory and validation problem, not merely an advisory note. If your estate runs message brokers with Jolokia exposed, the countdown is now measurable in days.

Ivanti Connect Secure Zero-Days Under Active Exploitation

Confidence: High

Orange Cyberdefense reporting links CVE-2025-0282 and CVE-2025-0283 to active exploitation by UNC5337. CVE-2025-0282 is an unauthenticated RCE in Connect Secure; CVE-2025-0283 is a local privilege escalation. CVSS scores are 9.0 and 7.0 respectively.

VPN appliances remain premium entry points. The combination of unauthenticated remote access and confirmed in-the-wild exploitation places Ivanti Connect Secure at top of the validation queue for any organisation with remote-access dependencies.

RedSun Windows Defender Local Privilege Escalation

Confidence: Medium

A researcher-disclosed vulnerability in Windows Defender reportedly abuses the file-restoration path to achieve SYSTEM privileges from standard user context. Public proof-of-concept code is circulating.

With Defender ubiquitous across Windows estates, this becomes relevant for ransomware post-compromise escalation and credential-access scenarios. Monitor for vendor patch guidance and consider detection tuning for anomalous Defender restoration activity.

Update: UK AI Threat Warning Sharpens to Banking-Sector Response

Confidence: High

Previously covered 16 April 2026; today's delta: Bank of England briefings for UK banks are now scheduled within a fortnight, with ECB coordination and concrete capability claims around autonomous attack simulation and exploit generation now added.

Update: Russia-Linked Sabotage Pressure Against European CNI

Confidence: High

Previously covered 16 April 2026; today's delta: Sweden and Poland incidents are now cited as specific evidence of cyber-kinetic intent targeting heating, power, and OT-linked infrastructure.

CVE-2009-0238 Revived in CISA KEV

Confidence: Medium

A 17-year-old Office RCE has resurfaced on CISA's KEV list. The implication is clear: exploitable legacy Office exposure persists in real environments. Treat this as an asset-hygiene check for estates still running outdated Office versions.

Autovista Ransomware Disruption

Confidence: Medium

UK-headquartered automotive data provider Autovista has confirmed ransomware disruption affecting valuation tools and email services across Europe and Australia. No CVE cited; attribution and data-loss scope remain open. Useful sector signal for automotive-adjacent supply-chain risk.

FreeBSD NFS CVE-2026-4747

Confidence: Low

An AI-assisted research signal surfaced this older NFS vulnerability; technical detail remains limited. Hosting and infrastructure operators with FreeBSD footprint should monitor for patch guidance before this matures into broader action.

Why This Matters

Today's findings centre on perimeter and middleware pressure. Fortinet, ActiveMQ, Ivanti, and even Defender represent widely deployed infrastructure facing immediate risk. The NHS England alert on Fortinet signals sector-specific urgency that lifts this above routine patch management. ActiveMQ's 30 April deadline and Ivanti's confirmed exploitation create measurable time pressure. The RedSun disclosure adds post-compromise concern for Windows estates.

Updated AI-threat and CNI sabotage reporting moves from strategic background to board-level operational planning, particularly for financial services and utility clients.

Recommended Actions

  • Validate Fortinet FG-IR-26-099 exposure immediately; prioritise healthcare-adjacent estates
  • Inventory ActiveMQ deployments and confirm Jolokia/JMX-HTTP exposure status before 30 April
  • Check Ivanti Connect Secure patch status; assume active targeting based on UNC5337 linkage
  • Monitor Windows Defender for anomalous file-restoration activity; await vendor patch for RedSun
  • Review legacy Office installations for CVE-2009-0238 exposure
  • Brief financial-sector clients on Bank of England AI-threat briefings
  • Review OT-adjacent remote access segregation for utility and industrial accounts
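The ActiveMQ inventory action above, and the affected-version ranges given in the CVE-2026-34197 section, turned into a triage check. This is an added example, not tooling from the brief or from the Apache ActiveMQ project; the inventory fields (broker name, version string, whether Jolokia is reachable) and the sample brokers are constructed.

```python
"""Triage helper for CVE-2026-34197 (Apache ActiveMQ) asset-inventory work.

Added example, not the brief's or Apache's own tooling. Affected ranges are
those stated in the brief: versions below 5.19.4, and 6.0.0 through 6.2.2
inclusive. The inventory record format is an assumption.
"""
import re
from dataclasses import dataclass
from datetime import date

FIXED_5X = (5, 19, 4)                  # first fixed 5.x release per the brief
AFFECTED_6X = ((6, 0, 0), (6, 2, 2))   # inclusive range per the brief
CISA_KEV_DEADLINE = date(2026, 4, 30)  # federal remediation deadline per the brief
BRIEF_DATE = date(2026, 4, 17)


def parse_version(text):
    """Turn '5.18.3' or '6.1.0-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version):
    """True when the version falls inside a range the brief names as affected."""
    v = parse_version(version)
    if v[0] <= 5:
        return v < FIXED_5X                      # 'below 5.19.4'
    if v[0] == 6:
        return AFFECTED_6X[0] <= v <= AFFECTED_6X[1]   # 6.0.0-6.2.2 inclusive
    return False                                 # no later range is named


@dataclass
class Broker:
    name: str
    version: str
    jolokia_exposed: bool   # Jolokia JMX-HTTP endpoint reachable from untrusted networks


def triage(brokers, today):
    """Rank each broker: 'urgent' (affected and Jolokia exposed), 'patch' (affected), or 'ok'.

    Also returns the days remaining to the CISA KEV deadline as of `today`.
    """
    ranking = {}
    for b in brokers:
        if not is_affected(b.version):
            ranking[b.name] = "ok"
        else:
            ranking[b.name] = "urgent" if b.jolokia_exposed else "patch"
    return ranking, (CISA_KEV_DEADLINE - today).days


# Constructed sample inventory, not real hosts.
SAMPLE_BROKERS = [
    Broker("mq-orders-01", "6.1.0", jolokia_exposed=True),
    Broker("mq-batch-02", "5.17.0", jolokia_exposed=False),
    Broker("mq-edge-03", "5.19.5", jolokia_exposed=True),
]

if __name__ == "__main__":
    ranking, days_left = triage(SAMPLE_BROKERS, BRIEF_DATE)
    for name, status in ranking.items():
        print(f"{name}: {status}")
    print(f"{days_left} days to CISA KEV deadline")
```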

All findings grounded in A13E intelligence sweeps through 04:30 UTC 17 April 2026.
