Two Zero-Days, Zero Patches, Zero Excuses: Windows and Fortinet Are on Fire This Week
Tuesday 7 April 2026
Two working exploits. One published publicly by a frustrated researcher. The other confirmed in the wild by both the vendor and CISA. Neither fully patched. Both affecting systems that sit at the heart of UK small business infrastructure.
This is not a slow week.
BlueHammer: The Windows Zero-Day That Microsoft Didn’t Move Fast Enough to Stop
A security researcher operating under the alias Chaotic Eclipse has publicly released a working zero-day local privilege escalation exploit for Windows, called BlueHammer, along with full proof-of-concept source code on GitHub.
BlueHammer allows a low-privileged local user to escalate to NT AUTHORITY\SYSTEM, the highest privilege level on a Windows machine. That is not a minor issue. That is full control of the machine.
The disclosure was confirmed by vulnerability researcher Will Dormann. The exploit was demonstrated on a fully updated Windows 11 installation, Build 10.0.26200.8037. Machines running their latest patches are potentially affected.
The exploit output demonstrates credential-harvesting capabilities, displaying NTLM password hashes for local accounts including an administrative user, alongside confirmations of successful SYSTEM shell access.
Why did this reach public release? The researcher cited frustration with Microsoft’s Security Response Centre, attributing a decline in quality to Microsoft laying off experienced security personnel and replacing them with staff following rigid procedural flowcharts rather than exercising informed judgement.
A particularly notable detail: MSRC reportedly required the researcher to submit a video demonstration of the exploit as part of the reporting process, a requirement that many in the security community have found unusual and demanding. The researcher suggests this may have been a deliberate friction point that ultimately caused the case to stall without resolution.
This matters for one very practical reason. The working code is now public. Ransomware groups and advanced persistent threat actors frequently integrate publicly released proof-of-concept code into their toolkits within days of disclosure.
There is no CVE assigned yet. There is no Microsoft patch. There is no official advisory. There is only a live exploit on GitHub.
What BlueHammer Actually Does to a UK SMB
An attacker who obtains even minimal access to a Windows machine, via a phishing email, a compromised credential, a malicious attachment, anything that gives them a foothold as a low-privileged user, can now escalate directly to full SYSTEM access on that machine.
From SYSTEM, they can dump credentials, disable endpoint protection, install persistence mechanisms, and move laterally across a network. The initial access barrier is the only hurdle. Once cleared, this exploit flattens the privilege landscape completely.
For a small business where multiple staff share machines, where local admin rights are common, where endpoint detection and response is often lightweight or absent, this is a meaningful threat elevation.
The researcher acknowledged the exploit does not work with 100% reliability, but noted it functions well enough to be operationally useful. In the hands of a skilled threat actor, even a partially reliable privilege escalation exploit can be refined and weaponised.
This is not a theoretical risk. The code works. It is public. Threat actors are watching the same sources you are, and they move faster.
Fortinet FortiClient EMS: The Repeat Offender That Keeps Getting Worse
CISA added CVE-2026-35616, a critical improper access control vulnerability in Fortinet FortiClient Enterprise Management Server (EMS), to its Known Exploited Vulnerabilities catalogue on 6 April 2026. Federal agencies were mandated to remediate by 9 April. A three-day window. That is how urgently CISA is treating this.
CVE-2026-35616 carries a CVSS score of 9.1 and is described as a pre-authentication API access bypass leading to privilege escalation. The vulnerability allows an unauthenticated attacker to sidestep API authentication and authorisation protections and execute malicious code or commands via specially crafted HTTP requests.
The issue affects FortiClient EMS versions 7.4.5 through 7.4.6, while the 7.2 branch remains unaffected.
Let that land. An attacker with no credentials, no account, no prior access, can send a crafted HTTP request to an internet-facing FortiClient EMS server and execute arbitrary code. Pre-authentication means the normal access controls simply do not apply. The door opens before you even ask for a key.
Active exploitation was first recorded on 31 March 2026, according to Benjamin Harris, CEO at watchTowr, whose honeypot infrastructure captured exploitation attempts. That is over a week of active exploitation before most organisations were aware there was a problem.
Shadowserver has found over 2,000 publicly accessible FortiClient EMS instances online. UK-specific exposure figures were not separately published, but FortiClient EMS is widely deployed in UK enterprises and mid-market organisations.
The Second Strike: CVE-2026-21643 Is Also Being Exploited
A week before CVE-2026-35616 emerged, Defused reported active exploitation of CVE-2026-21643, a critical SQL injection vulnerability affecting FortiClient EMS. Fortinet’s advisory was subsequently updated to reflect that exploitation had been observed.
Researchers have yet to find any significant link between the vulnerabilities or attribute the attacks to known threat actors, but both defects were actively exploited in a short timeframe and both allow attackers to execute code remotely.
Two separate critical flaws. Both actively exploited. Both in the same product. Both within weeks of each other.
CISA has added 10 Fortinet defects to its Known Exploited Vulnerabilities catalogue since early 2025. That is not a product with an isolated patching problem. That is a pattern that defenders need to treat as a signal about persistent attacker interest.
Caitlin Condon, vice president of security research at VulnCheck, noted that Fortinet solutions are popular targets for threat actors generally, so exploitation is not necessarily surprising. That observation, while accurate, should be deeply uncomfortable for any organisation with FortiClient EMS internet-accessible. “Popular target” is a polite way of saying actively hunted.
The EMS Attack Surface Problem
The EMS telemetry endpoint typically needs to be internet-accessible to receive telemetry from enrolled endpoints. This significantly widens the attack surface for this vulnerability.
This is the fundamental structural problem. FortiClient EMS is designed to manage endpoint security across distributed workforces. To do that job, it needs to be reachable. And because it needs to be reachable, it is reachable to attackers as well.
Fortinet confirmed observing exploitation of CVE-2026-35616 in the wild and urged vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6. The upcoming FortiClient EMS 7.4.7 will also include a fix, but 7.4.7 is not yet available.
A hotfix is not a patch. It is a targeted remediation applied to an existing build. It is better than nothing. It is not the same as a properly patched release.
What These Two Vulnerabilities Mean Together
Running both stories side by side reveals something instructive about the current threat landscape.
On one side: BlueHammer, a post-exploitation privilege escalation tool that becomes devastating once an attacker has any foothold on a Windows machine. On the other: CVE-2026-35616, a pre-authentication remote code execution vulnerability that hands attackers an initial foothold on a network-facing server.
These are complementary capabilities. A threat actor using CVE-2026-35616 to gain initial access to an EMS server could use a tool like BlueHammer to escalate from that initial access to full system control on any Windows machine they pivot to.
Neither vulnerability requires the other. But together, in the same week, with no complete fixes available for either, they represent a materially elevated risk environment. Threat actors routinely chain publicly available exploits. The code for BlueHammer is on GitHub. The exploitation methods for CVE-2026-35616 are confirmed in the wild.
How to Turn This Into a Competitive Advantage
There is a version of this week’s news that becomes a business conversation rather than a crisis response.
Businesses that have a documented vulnerability management process, with a clear escalation path for critical vulnerabilities and a track record of acting quickly, are materially lower-risk counterparties. That matters to clients in regulated industries. It matters to insurers. It increasingly matters to procurement teams running vendor risk assessments.
If your organisation was able to respond to both of this week’s vulnerabilities within 48 hours (identify exposure, apply remediations, verify through EDR that no exploitation occurred, and document the response), that is a governance story. It demonstrates that your security programme is operational, not theoretical.
The businesses that will struggle this week are those that do not know whether FortiClient EMS is deployed, do not have EDR with privilege escalation alerting configured, and are waiting for next month’s patch cycle as if this week is normal.
The businesses that will use this week as an advantage are the ones that can demonstrate to clients, insurers, and their own boards that their response to active threats is measured and rapid.
How to Sell This to Your Board
The board conversation about vulnerability management is often frustrating because the stakes are abstract until something goes wrong. This week’s events provide concrete language.
CISA issued a three-day remediation deadline for a Fortinet vulnerability that is being actively exploited. Three days. Not three weeks. Not the next patch cycle. Three days, because the risk of inaction over a longer period is considered unacceptable by the US government’s primary cybersecurity authority. While that directive applies to US federal agencies, the underlying risk is identical for UK organisations.
The BlueHammer situation illustrates a different board-level risk: the gap between when a working exploit becomes public and when an organisation applies a remediation. Every day between a researcher publishing proof-of-concept code and your organisation having a defence is a day where a motivated attacker has a playbook and you do not.
Three arguments for investment in rapid vulnerability response capability:
First, the regulatory angle. UK Cyber Essentials Plus requires organisations to apply critical patches within 14 days. For actively exploited vulnerabilities with public exploit code, 14 days is the compliance floor, not the security target. Insurers are increasingly scrutinising patch velocity as a risk indicator.
Second, the supply chain angle. If your MSP manages your Fortinet estate or your Windows patching and cannot demonstrate they identified and actioned both of this week’s vulnerabilities promptly, you have a governance question about whether your security posture is actually being managed on your behalf.
Third, the reputational angle. A breach stemming from a known, publicly disclosed vulnerability with available remediations is the hardest kind to defend to customers, to the ICO, and to the press. “We knew about it and hadn’t acted” is not a position any board wants to be in.
What This Means for Your Business
These are not recommendations for Q3’s patch cycle. These are actions for the next 48 hours.
1. Audit your FortiClient EMS deployment. Determine immediately whether FortiClient EMS is deployed in your environment and which version is running. If you use an MSP, ask them directly and expect a documented answer, not reassurance. Versions 7.4.5 and 7.4.6 are affected. Version 7.2 is not.
2. Apply the Fortinet hotfix without delay. If FortiClient EMS 7.4.5 or 7.4.6 is deployed, apply Fortinet’s emergency hotfix immediately. Do not wait for version 7.4.7. Also apply the earlier patch for CVE-2026-21643 if not yet done.
3. Review EMS internet exposure. If FortiClient EMS is internet-accessible, assess whether IP allowlisting or VPN-gating the management interface can reduce the attack surface. If your EMS was exposed and unpatched since 31 March, treat it as potentially compromised and review logs for anomalous API requests to authentication endpoints.
4. Check EDR alerting for privilege escalation. Configure your endpoint detection and response tooling to flag anomalous SYSTEM-level process spawning, specifically processes originating from low-privileged user sessions. This is your primary detection layer for BlueHammer until a patch is available.
5. Restrict local Windows user rights. If standard user accounts in your environment carry local administrator rights, that is an immediate amplifier for BlueHammer and a standing security problem regardless. Limit local admin rights to accounts that genuinely require them, and document the exceptions.
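Step 4 in working form, as an added example that is not part of the article: a heuristic that flags a process created as NT AUTHORITY\SYSTEM whose parent ran under an ordinary user account, which is the lineage a local privilege escalation like BlueHammer produces. The record layout and the four sample events are constructed; the field names (Image, User, ParentImage, ParentUser) follow Sysmon Event ID 1, and the allowlist of service-host parents is an assumption to tune for your estate.

```python
"""Heuristic for step 4: a process that starts as NT AUTHORITY\\SYSTEM while its
parent ran under an ordinary user account. Added example, not from the article;
the record layout and SAMPLE_EVENTS are constructed, field names follow Sysmon
Event ID 1 (Image, User, ParentImage, ParentUser)."""

SYSTEM = "NT AUTHORITY\\SYSTEM"
# Accounts that legitimately sit at the top of the Windows process tree.
PRIVILEGED_ACCOUNTS = {SYSTEM, "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"}
# Parents that routinely launch SYSTEM children (assumption: tune per estate).
BENIGN_SYSTEM_PARENTS = {"services.exe", "svchost.exe", "wininit.exe", "smss.exe"}

# Constructed sample telemetry: one process creation per line, tab-separated
# key=value fields. Only the third record should trigger an alert.
SAMPLE_EVENTS = (
    "Image=C:\\Windows\\System32\\svchost.exe\tUser=NT AUTHORITY\\SYSTEM"
    "\tParentImage=C:\\Windows\\System32\\services.exe\tParentUser=NT AUTHORITY\\SYSTEM\n"
    "Image=C:\\Windows\\System32\\notepad.exe\tUser=CORP\\alice"
    "\tParentImage=C:\\Windows\\explorer.exe\tParentUser=CORP\\alice\n"
    "Image=C:\\Windows\\System32\\cmd.exe\tUser=NT AUTHORITY\\SYSTEM"
    "\tParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe\tParentUser=CORP\\alice\n"
    "Image=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe\tUser=NT AUTHORITY\\SYSTEM"
    "\tParentImage=C:\\Windows\\System32\\svchost.exe\tParentUser=NT AUTHORITY\\SYSTEM\n"
)

def parse_event(line: str) -> dict:
    """Turn one tab-separated key=value record into a dict."""
    return dict(field.split("=", 1) for field in line.rstrip("\n").split("\t"))

def is_suspicious_escalation(ev: dict) -> bool:
    """SYSTEM child, parent is not a service host, parent ran as a non-service account."""
    if ev.get("User") != SYSTEM:
        return False  # not a SYSTEM-level process at all
    parent_name = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent_name in BENIGN_SYSTEM_PARENTS:
        return False  # normal service-host lineage (services.exe -> svchost.exe -> ...)
    return ev.get("ParentUser") not in PRIVILEGED_ACCOUNTS

def find_escalations(log_text: str) -> list:
    """Return the process-creation events in log_text that match the heuristic."""
    events = (parse_event(line) for line in log_text.splitlines() if line.strip())
    return [ev for ev in events if is_suspicious_escalation(ev)]

if __name__ == "__main__":
    for ev in find_escalations(SAMPLE_EVENTS):
        print(f"ALERT: {ev['Image']} started as SYSTEM by {ev['ParentImage']} "
              f"running as {ev['ParentUser']}")
```

The same two filters (account of the new process, then account and image of its parent) translate directly into an EDR or SIEM query; the allowlist is where false positives are tuned, not the SYSTEM check.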