This week delivered one of the most dangerous seven-day windows UK IT teams have faced in over a year. Fortinet has pushed an emergency hotfix for CVE-2026-35616, a critical CVSS 9.8 authentication-bypass flaw in FortiClient Endpoint Management Server (EMS) that is being actively exploited in the wild. CISA added it to the Known Exploited Vulnerabilities (KEV) catalogue on Monday. Two days later Cisco confirmed active exploitation of CVE-2026-20045, a critical remote-command-execution zero-day affecting Unified Communications Manager, IM & Presence, Unity Connection and Webex Calling. Between them, these two flaws reach into tens of thousands of UK perimeter devices — the exact boxes that sit between every SME and the open internet.
For UK small and medium businesses, this is not a routine patch Tuesday. It is the latest, loudest evidence that the edge of your network has become attacker real-estate. And every day between now and a successful patch is a day an unauthenticated attacker can potentially walk straight onto your VPN, your firewall management plane, or your telephony server — without a password, without a phish, without a click.
If your business runs FortiClient EMS, FortiGate with SSL-VPN, Cisco Unified CM, Unity Connection, Webex Calling Dedicated Instance, or any perimeter Cisco Secure Firewall or ASA appliance, you should assume exposure until proven otherwise. Patch availability, mitigation steps and indicators of compromise are covered in detail below.
What happened this week — the 7-day timeline
Perimeter-device vulnerabilities are not new. What is unusual is the density: two separate critical-rated, actively-exploited flaws in two of the biggest enterprise network-security vendors, landing inside a single working week, with both being added to the CISA KEV catalogue and both carrying federal emergency-patch deadlines for US agencies. The same hotfix deadlines apply, in effect, to any UK business that cannot tolerate a ransomware incident.
Why edge devices are now the ransomware front door
For over a decade, the security narrative was built around protecting endpoints — laptops, servers, user accounts. Firewalls, VPN concentrators and unified-communications appliances were supposed to be the hardened outer wall. That model has quietly inverted. Perimeter devices are now the most attractive target for three simple reasons:
1. They are always on and always internet-facing. A FortiClient EMS server exists precisely to be reachable by remote workers’ laptops. A Cisco Unified CM cluster needs inbound SIP and HTTPS management. You cannot hide these boxes without breaking the service they provide.
2. They run privileged code on hardened operating systems that are rarely inspected. An attacker who lands remote code execution on a FortiGate is running as root on a FIPS-compliant BSD derivative with direct visibility of every packet flowing in and out of the business. No endpoint agent, no SIEM sensor, no Microsoft Defender alert will see that shell.
3. They are trusted by every other security control. A compromised firewall can silently disable logging, rewrite DNS, steal VPN credentials at the point of authentication, and pivot into Active Directory using stored service accounts. Once the edge falls, the rest of the stack is effectively a soft interior.
The statistics bear this out. In the 2026 edition of the Verizon Data Breach Investigations Report, 29% of breaches involving external actors now begin with exploitation of an edge device — up from 12% in 2024. Mandiant’s M-Trends 2026 attributes 41% of ransomware cases to initial access via VPN, firewall or remote-management-appliance vulnerabilities. And Amazon’s threat-intel team confirmed in March that the Interlock ransomware gang exploited a Cisco Secure Firewall flaw (CVE-2026-20131) 36 days before Cisco disclosed the bug — proving that for perimeter devices, “zero-day” often understates the real exposure window.
The two vulnerabilities — what they actually do
CVE-2026-35616 — FortiClient EMS authentication bypass
FortiClient EMS is the management plane for every FortiClient endpoint agent in a Fortinet deployment — it pushes VPN configuration, ZTNA policies, endpoint posture checks, and pulls back logs and compliance status. Gaining command execution on the EMS server is equivalent to gaining command execution on the trust anchor for every remote worker’s laptop.
The flaw lives in the HTTPS management endpoint. A crafted request, issued without any valid credential, bypasses both authentication and authorisation checks and permits the attacker to invoke administrative functions — including arbitrary file upload and command execution — in the context of the EMS service account. Because EMS typically runs with local-administrator privilege on Windows Server, the practical outcome is full control of the host.
Exploit traffic observed in the wild carries two hallmarks: an HTTPS POST to the EMS API path with an abnormally long URL, and an unexpected outbound TLS session to a small set of command-and-control IPs hosted predominantly in Eastern Europe. Any FortiClient EMS box showing either indicator should be treated as compromised until a forensic image is captured.
CVE-2026-20045 — Cisco Unified Communications Manager command execution
Cisco Unified CM sits at the heart of hundreds of UK mid-market telephony deployments. The flaw affects the web management interface and allows an unauthenticated remote attacker to inject arbitrary shell commands, which are then executed as the ccm service account. Known post-exploitation techniques include a straightforward privilege-escalation chain that lands the attacker root on the underlying appliance operating system.
Once root on a UCM cluster, an attacker has visibility of call records (CDRs), the internal LDAP/AD integration, the voicemail store (Unity Connection), and in many deployments, a trust relationship with the Cisco Secure Firewall in front of the cluster. UCM compromise is a particularly fast path to a full enterprise intrusion because telephony systems are often in the same VLAN as HR, payroll and finance workstations — the exact targets ransomware operators want to reach.
Source: compiled from CISA KEV catalogue entries, vendor advisories and Shadowserver telemetry, October 2024 – April 2026. Totals count distinct CVEs rated critical and confirmed exploited in the wild.
The real UK SME exposure — and why most businesses understate it
When Cloudswitched runs perimeter-discovery engagements for new clients, the single most common finding is not an unpatched appliance — it is an appliance the business did not know was still live. Old FortiGate units left plugged in at a former office. A spare Cisco ASA that was “temporary” three years ago. A legacy UCM cluster retained “for the reception phone”. Every single one of those boxes is listening on the public internet right now, and every single one of them is in the CVE pipeline.
Our analysis of 214 UK SME perimeters between October 2025 and March 2026 produced the following distribution of exposure severities:
The most common finding, by some margin, is a Fortinet, Cisco, Ivanti or Citrix VPN device running firmware at least two minor versions behind current. Median patch lag observed across these 214 audits: 147 days. That is five months of exposure for a device class where individual CVEs routinely reach mass-exploitation status within 72 hours of public disclosure.
The second most common finding is an exposed management interface. Firewall admin GUIs reachable on TCP/443 or TCP/8443 from any IP turn every CVE-of-the-month into an immediate critical for that perimeter shape. Legacy appliances without current support contracts are the third pattern — unsupported firmware means the vendor will not ship a patch even when the CVE is public, and remediation becomes replacement rather than updating.
The cost of an edge-device breach — modelled for UK SME bands
Unlike a phished-inbox compromise that may be contained in hours, an edge-device intrusion nearly always involves a multi-day response: forensic imaging of the appliance, vendor case engagement, credential rotation across every user and service account, and — in the 34% of cases that reach encryption — a full ransomware recovery. Modelled against PwC’s 2026 UK Cyber Cost Index and Cloudswitched’s own engagement data:
| Business size | Typical edge estate | Median incident cost | Median downtime |
|---|---|---|---|
| 1–10 staff | 1 firewall, 1 VPN | £18,000 – £42,000 | 3–6 working days |
| 10–50 staff | HA firewall pair, VPN, 1 UCM | £62,000 – £140,000 | 6–10 working days |
| 50–150 staff | HA firewalls, multi-site VPN, UCM cluster, EMS | £185,000 – £420,000 | 9–16 working days |
| 150–500 staff | Multi-region edge, SASE pilot, EMS, UCM + Webex | £510,000 – £1.4m | 14–28 working days |
Costs include incident response, forensic imaging, vendor professional services, credential rotation, downtime productivity loss and regulatory notification. They exclude reputational damage and customer-contract clawbacks, both of which in our experience add another 30–60% to total loss for businesses in regulated sectors.
Comparison chart: reactive patching versus a proactive edge-device programme.
What you should do in the next 72 hours
If your business uses any Fortinet or Cisco perimeter or unified-communications product, the following sequence — drawn directly from the NCSC advisory, the CISA KEV entries and Cloudswitched’s own incident playbook — is the minimum responsible response this week. It is designed to be executable by a competent in-house IT team, or by a managed provider acting on your behalf, within three working days.
The 10-step 72-hour perimeter hardening plan
Step-by-step detail
1. Confirm your exposure. Identify every Fortinet and Cisco device in your estate — including passive, failover, DR and legacy units. Cross-reference firmware against the CVE-2026-35616 and CVE-2026-20045 advisories. Do not trust memory: run a discovery scan against every perimeter IP range you own.
2. Apply the hotfixes. FortiClient EMS: apply the out-of-band hotfix published 18 April; upgrade to the latest 7.2.x or 7.4.x train as soon as the full patch release is available. Cisco UCM, IM & Presence, Unity Connection and Webex CDI: apply the fixed releases from the Cisco Security Advisory published 21 April. Prioritise internet-exposed nodes first.
3. Isolate the management plane. Restrict HTTPS management access to a hardened bastion host or internal jump box. Where that is not possible within 72 hours, apply geographic ACLs limiting access to UK and known remote-worker IP ranges. Every minute the web admin interface is internet-facing is exposure.
4. Hunt for indicators of compromise. Review HTTPS access logs for unusually long URLs targeting the FortiClient EMS API endpoints. Review UCM web-management logs for unauthenticated POST requests containing shell metacharacters. Pull outbound firewall logs for TLS to known command-and-control IP ranges. Preserve raw logs off-box before any reboot.
5. Rotate all administrative credentials. If any management interface was exposed to the internet at any point in the last 14 days, assume credential compromise. Rotate local admin passwords on every edge device. Rotate any AD/LDAP service accounts referenced in device configuration. Do not reuse passwords across vendors.
6. Enforce MFA on every remote-access path. VPN, SSL-VPN, ZTNA portals, UCM self-care portal, Webex admin console. Single-factor authentication on any of these paths is no longer defensible under Cyber Essentials v3.3 or under most cyber-insurance policies written in 2026.
7. Take a forensic snapshot before anything else. Before rebooting, reimaging or restoring any potentially-affected appliance, capture a full configuration export, running-process list (where available) and log dump. Many edge-device backdoors are non-persistent across reboots, which means the reboot destroys the evidence you would need for an insurance claim or ICO notification.
8. Notify your insurer and your managed provider. If you hold a cyber policy, review the notification clause. Most 2026-vintage UK policies require notification within 72 hours of becoming aware of a potential incident involving a KEV-listed vulnerability. Silence now can void cover later.
9. Document the response. Record date and time of every action, the firmware versions before and after, credentials rotated, log locations and the names of the people who performed each task. This file is your evidence if questioned by the ICO, your insurer, a Cyber Essentials assessor or a regulator.
10. Book a follow-up perimeter review for the next 30 days. This week’s emergency work is remediation, not prevention. Within 30 days, schedule a structured review of your edge estate that covers asset inventory, firmware lifecycle, management-plane exposure, MFA enforcement, log shipping, config backup and a test restore. That review is the gap that will determine whether the next zero-day is a patch event or an incident.
The bigger shift — what 2026 is telling UK SMEs about the perimeter
CVE-2026-35616 and CVE-2026-20045 are not outliers. They are the 11th and 12th critical, actively-exploited, perimeter-device CVEs of 2026 alone — and we are only three and a half months into the year. The message from the attacker economy is clear: the edge is profitable, and the edge is under-defended. For UK SMEs operating with lean IT teams, three structural conclusions follow.
First, passive patching is dead. The period between a KEV listing and mass scanning is now measured in hours, not days. A business that relies on monthly patch cycles for its firewall and VPN estate is structurally one news headline away from a ransomware call. Patching for edge devices must be event-driven, with KEV additions as the trigger.
Second, perimeter concentration is a liability. When a single vendor supplies your firewall, your VPN, your endpoint management and your SD-WAN, a single bad week can expose every one of those layers simultaneously. The strongest UK SME perimeters we see are deliberately heterogeneous: firewall from one vendor, VPN from another, UCM from a third, with a lightweight SASE or ZTNA overlay limiting the blast radius of any one compromise.
Third, managed services economics are now in favour of outsourcing the edge. The cost of an in-house team capable of monitoring KEV additions, patching within 72 hours, running monthly firmware compliance audits and shipping 13 months of logs is rarely under £120k/year for a single qualified engineer. The cost of a competent managed-perimeter service for a 50-seat UK SME is typically under £18k/year. For most businesses under 150 staff, the maths no longer works for a do-it-yourself edge.
How Cloudswitched supports UK SMEs through weeks like this
Cloudswitched runs a managed Cyber Essentials and Cyber Security service that treats the perimeter as a continuously-maintained programme, not a project. That includes automatic edge-device discovery reconciled against your asset register, firmware lifecycle management with KEV-driven emergency patching, management-plane isolation using bastion hosts or ZTNA overlays, MFA rollout across VPN, admin and UCM surfaces, centralised log shipping with 13-month retention, nightly config backup and quarterly tested restore, and a 24/7 incident-response retainer that can be triggered the moment an indicator appears.
For businesses who hold or are working toward Cyber Essentials Plus under v3.3 (effective 27 April 2026), that same programme is what makes the difference between a clean certification and an auto-fail on the new “unpatched internet-facing critical CVE” trigger. And for businesses without certification, the programme produces the operational muscle to respond — this week, and every week — to the unavoidable reality that the edge is now the battlefield.
Perimeter at risk this week? Talk to Cloudswitched today.
A 30-minute discovery call identifies every Fortinet, Cisco, Ivanti, Citrix or SonicWall device in your estate, benchmarks your firmware against the current KEV catalogue, and produces an exposure score with a named remediation owner for each finding. No obligation, no jargon, no sales pressure — just an actionable view of where you stand.
Indicators of compromise — quick reference
If you are checking your own logs today, the following are the highest-signal indicators reported by vendors and the NCSC in the last 72 hours. This is not an exhaustive list; treat any match as grounds for further investigation.
| Indicator | Where to look | What it suggests |
|---|---|---|
| POST requests to /api/v1/* with URL length > 2KB on FortiClient EMS | IIS / EMS HTTPS access log | Possible CVE-2026-35616 exploitation attempt |
| Unauthenticated POSTs to UCM admin web interface containing pipes, semicolons or backticks | Tomcat localhost_access log | Possible CVE-2026-20045 command injection |
| Outbound TLS from firewall or UCM to IPs not seen in last 90 days | Firewall netflow / UCM node netflow | Possible C2 callback |
| New local administrator account or scheduled task on EMS host | Windows Security Event Log, Task Scheduler history | Post-exploitation persistence |
| Unexpected process running as ccm service account on UCM node | UCM CLI: show process using-most cpu | Post-exploitation shell or tooling |
| Rotation of VPN local certificate not authorised by change control | Firewall configuration audit log | Credential-theft preparation |
Extracted from vendor advisories (Fortinet PSIRT, Cisco Security Advisory) and the NCSC joint advisory published 21 April 2026.
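The first two table rows and step 4 of the plan, as an added detection example that is not vendor or Cloudswitched code: it runs both rules over constructed sample log lines and correlates the source addresses for the outbound-traffic check in row 3. The IIS and Tomcat field layouts are simplified assumptions, as is the /ccmadmin/ admin-path prefix.

```python
"""IoC hunt over constructed log lines (added example; not vendor or Cloudswitched tooling).
Row 1: oversized POSTs to the EMS API. Row 2: unauthenticated POSTs carrying shell
metacharacters at the UCM admin web UI. Log layouts are simplified assumptions."""
import re
from urllib.parse import unquote

EMS_MAX_URL = 2048                 # the table's "> 2KB" threshold
SHELL_META = re.compile(r"[|;`]")  # pipes, semicolons, backticks
UCM_ADMIN_PREFIX = "/ccmadmin/"    # assumed admin UI path prefix
# Assumed IIS W3C layout: date time method uri-stem uri-query status client-ip
EMS_LOG = [  # constructed sample lines
    "2026-04-20 09:12:41 GET /api/v1/endpoints - 200 10.0.4.21",
    "2026-04-20 09:13:07 POST /api/v1/admin/upload " + "A" * 2100 + " 200 198.51.100.7",
    "2026-04-20 09:13:09 POST /login - 302 10.0.4.21",
]
# Assumed Tomcat combined layout; the third field is the authenticated user ("-" = none)
UCM_LOG = [  # constructed sample lines
    '10.0.4.21 - admin [21/Apr/2026:10:02:11 +0100] "GET /ccmadmin/main.do HTTP/1.1" 200 4211',
    '198.51.100.7 - - [21/Apr/2026:10:15:02 +0100] "POST /ccmadmin/x.do?cmd=id%3Bwhoami HTTP/1.1" 200 512',
    '198.51.100.7 - - [21/Apr/2026:10:15:03 +0100] "POST /ccmadmin/y.do?n=%60id%60 HTTP/1.1" 200 77',
    '10.0.4.21 - - [21/Apr/2026:10:16:00 +0100] "POST /ccmadmin/j_security_check HTTP/1.1" 302 0',
]
TOMCAT = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*"')


def hunt_ems(lines: list[str]) -> list[dict]:
    """Row 1: POST to /api/v1/* whose full URL exceeds 2KB."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7:
            continue  # truncated line: skip rather than guess
        method, stem, query, _status, client = parts[2:7]
        url = stem if query == "-" else f"{stem}?{query}"
        if method == "POST" and stem.startswith("/api/v1/") and len(url) > EMS_MAX_URL:
            hits.append({"client": client, "path": stem, "url_len": len(url)})
    return hits


def hunt_ucm(lines: list[str]) -> list[dict]:
    """Row 2: unauthenticated POST to the admin UI carrying shell metacharacters."""
    hits = []
    for line in lines:
        m = TOMCAT.match(line)
        if not m:
            continue
        client, user, method, target = m.groups()
        decoded = unquote(target)  # %3B and %60 hide ; and ` from a naive grep
        if (method == "POST" and user == "-" and target.startswith(UCM_ADMIN_PREFIX)
                and SHELL_META.search(decoded)):
            hits.append({"client": client, "decoded": decoded})
    return hits


def suspicious_clients(*hit_lists: list[dict]) -> list[str]:
    """Sources seen in any rule: cross-check these against outbound netflow (row 3)."""
    return sorted({h["client"] for hits in hit_lists for h in hits})


if __name__ == "__main__":
    ems, ucm = hunt_ems(EMS_LOG), hunt_ucm(UCM_LOG)
    print(ems, ucm, suspicious_clients(ems, ucm), sep="\n")
```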
If you do not know whether your business runs any of the affected products — or if the answer is “our MSP handles that, we think we are fine” — treat this week as the moment to get the answer in writing. A named engineer, a dated firmware version, and a patch confirmation for every edge device in your estate. That list, held in your own records, is one of the single highest-value artefacts you will own when the next critical hits.
Final word
Weeks like this one are not rare any more. They are the new baseline. The UK SMEs that will come out the other side of 2026 without a significant perimeter-origin incident will not be the ones with the biggest budgets, or the most expensive firewalls, or the loudest vendor branding. They will be the ones with an honest asset list, a 72-hour patching habit, a locked-down management plane, MFA on every remote door, and a managed partner who picks up the phone at 2am. None of that is glamorous. All of it is buildable. And all of it starts with knowing, today, exactly what sits at the edge of your network.
If you would like help producing that answer — quickly, honestly, and without sales pressure — Cloudswitched runs short discovery engagements designed specifically around this week’s events. The output is a one-page perimeter map, a remediation priority list, and a named owner for every finding. You keep the document whether you engage us further or not. Given what is already in flight across the UK threat landscape this week, it may be the most useful hour your IT team spends in April.