Fortinet FortiClient EMS SQL Injection Exploitation (CVE-2026-21643)
Detects exploitation attempts targeting a SQL injection vulnerability in Fortinet FortiClient EMS (CVE-2026-21643). This KEV-listed vulnerability allows unauthenticated or authenticated attackers to inject malicious SQL statements into FortiClient EMS, potentially enabling data exfiltration, authentication bypass, or remote code execution via database-level commands such as xp_cmdshell.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Fortinet
- Product
- FortiClient EMS
Weakness (CWE)
Timeline
- Disclosed
- April 13, 2026
References & Proof of Concept
CVSS
What is CVE-2026-21643 Fortinet FortiClient EMS SQL Injection Exploitation (CVE-2026-21643)?
Fortinet FortiClient EMS SQL Injection Exploitation (CVE-2026-21643) (CVE-2026-21643) maps to the Initial Access and Credential Access and Privilege Escalation tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for Fortinet FortiClient EMS SQL Injection Exploitation (CVE-2026-21643), covering the data sources and telemetry it touches: CommonSecurityLog, W3CIISLog, Event, Syslog. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
let SQLInjectionPatterns = dynamic(["' OR ", "' AND ", "UNION SELECT", "1=1", "xp_cmdshell", "EXEC(", "CAST(", "CONVERT(", "WAITFOR DELAY", "SLEEP(", "--", "/*", "*/", "DROP TABLE", "INSERT INTO", "UPDATE SET", "DELETE FROM"]);
let FortiClientEMSPorts = dynamic([443, 8013, 8014]);
union
(
CommonSecurityLog
| where DeviceVendor =~ "Fortinet" and DeviceProduct =~ "FortiClient EMS"
| where Message has_any (SQLInjectionPatterns)
| extend ParsedMessage = Message
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, Message, DeviceVendor, DeviceProduct, Activity
| extend DetectionSource = "FortiClient EMS Log"
),
(
W3CIISLog
| where csHost has_any ("ems", "forticlient")
| where csUriStem has_any (SQLInjectionPatterns) or csUriQuery has_any (SQLInjectionPatterns)
| project TimeGenerated, cIP, csHost, csUriStem, csUriQuery, scStatus, csUserAgent
| extend DetectionSource = "IIS Web Log"
),
(
Event
| where Source == "MSSQLSERVER" or Source == "MSSQL$"
| where EventID in (18456, 8152, 208, 207, 102)
| where RenderedDescription has_any (SQLInjectionPatterns)
| project TimeGenerated, Computer, Source, EventID, RenderedDescription
| extend DetectionSource = "MSSQL Error Log"
)
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by SourceIP = coalesce(SourceIP, cIP, Computer), DetectionSource
| where Count >= 1
| extend Severity = "High", CVE = "CVE-2026-21643"Detects SQL injection patterns in FortiClient EMS logs, IIS web logs, and MSSQL error events. Covers common payloads including UNION-based, boolean-based, time-based blind, and xp_cmdshell execution attempts.
Data Sources
Required Tables
False Positives
- Penetration testing or authorized vulnerability scanning against FortiClient EMS
- Legitimate database maintenance scripts containing SQL-like patterns in log output
- Security product scanning that generates SQL-like patterns in HTTP parameters
- URL-encoded legitimate parameters that partially match injection signatures
Sigma rule & cross-platform mapping
The detection logic for Fortinet FortiClient EMS SQL Injection Exploitation (CVE-2026-21643) (CVE-2026-21643) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2026-21643
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1FortiClient EMS SQL Injection - Error-Based Detection
Expected signal: IIS log entry with 500 status code and SQL injection characters in cs-uri-query field; MSSQL Event ID 8152 or syntax error in ERRORLOG
- Test 2FortiClient EMS SQL Injection - UNION SELECT Data Extraction Simulation
Expected signal: IIS POST log with UNION SELECT in request body (cs-bytes > 0); MSSQL log showing column mismatch error if column count incorrect
- Test 3FortiClient EMS SQL Injection - xp_cmdshell RCE Simulation (Endpoint Telemetry)
Expected signal: Windows Security Event ID 4688 showing cmd.exe or whoami.exe spawned from sqlservr.exe; MSSQL audit log showing xp_cmdshell execution; CrowdStrike ProcessRollup2 event for cmd.exe with parent sqlservr.exe
- Test 4FortiClient EMS SQL Injection - Time-Based Blind Injection (WAITFOR DELAY)
Expected signal: IIS log showing POST request with 5+ second response time (sc-time-taken > 5000); network connection held open for duration of delay; no error response body
Unlock Pro Content
Get the full detection package for CVE-2026-21643 including response playbook, investigation guide, and atomic red team tests.