Detect Fortinet FortiClient EMS SQL Injection Exploitation (CVE-2026-21643) in Google Chronicle
Detects exploitation attempts targeting a SQL injection vulnerability in Fortinet FortiClient EMS (CVE-2026-21643). This KEV-listed vulnerability allows unauthenticated or authenticated attackers to inject malicious SQL statements into FortiClient EMS, potentially enabling data exfiltration, authentication bypass, or remote code execution via database-level commands such as xp_cmdshell.
MITRE ATT&CK
YARA-L Detection Query
rule fortinet_forticlient_ems_sqli_cve_2026_21643 {
meta:
author = "df00tech Detection Engineering"
description = "Detects SQL injection attempts targeting Fortinet FortiClient EMS (CVE-2026-21643)"
severity = "CRITICAL"
priority = "HIGH"
cve = "CVE-2026-21643"
mitre_attack = "T1190"
reference = "https://fortiguard.fortinet.com/psirt/FG-IR-25-1142"
events:
(
$e.metadata.event_type = "NETWORK_HTTP" or
$e.metadata.event_type = "NETWORK_CONNECTION"
)
(
re.regex($e.network.http.request_url, `(?i)(union\s+select|xp_cmdshell|waitfor\s+delay|sleep\s*\(|'\s*or\s+1\s*=\s*1|drop\s+table|exec\s*\(|cast\s*\(|convert\s*\()`) or
re.regex($e.network.http.request_body, `(?i)(union\s+select|xp_cmdshell|waitfor\s+delay|sleep\s*\(|'\s*or\s+1\s*=\s*1|drop\s+table|exec\s*\()`) or
re.regex($e.target.application, `(?i)(forticlient|fortiems)`)
)
$e.target.port in (443, 8013, 8014)
$src_ip = $e.principal.ip
condition:
$e
}Chronicle YARA-L 2.0 rule detecting SQL injection attempts against FortiClient EMS by matching known injection patterns in HTTP request URLs and bodies on EMS-specific ports.
Data Sources
Required Tables
False Positives & Tuning
- Authorized red team or penetration testing activities against EMS systems
- Vulnerability scanners with SQL injection test modules targeting the EMS management interface
- Legitimate EMS API calls with query parameters that partially match injection signatures
- Security monitoring tools that replay attack signatures for detection validation
Other platforms for CVE-2026-21643
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1FortiClient EMS SQL Injection - Error-Based Detection
Expected signal: IIS log entry with 500 status code and SQL injection characters in cs-uri-query field; MSSQL Event ID 8152 or syntax error in ERRORLOG
- Test 2FortiClient EMS SQL Injection - UNION SELECT Data Extraction Simulation
Expected signal: IIS POST log with UNION SELECT in request body (cs-bytes > 0); MSSQL log showing column mismatch error if column count incorrect
- Test 3FortiClient EMS SQL Injection - xp_cmdshell RCE Simulation (Endpoint Telemetry)
Expected signal: Windows Security Event ID 4688 showing cmd.exe or whoami.exe spawned from sqlservr.exe; MSSQL audit log showing xp_cmdshell execution; CrowdStrike ProcessRollup2 event for cmd.exe with parent sqlservr.exe
- Test 4FortiClient EMS SQL Injection - Time-Based Blind Injection (WAITFOR DELAY)
Expected signal: IIS log showing POST request with 5+ second response time (sc-time-taken > 5000); network connection held open for duration of delay; no error response body
Unlock Pro Content
Get the full detection package for CVE-2026-21643 including response playbook, investigation guide, and atomic red team tests.