alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Fortigate Forticlient EMS HTTP Site Header SQL injection attempt (CVE-2026-21643)"; flow:established,to_server; http.uri; content:"/api/v1/"; startswith; fast_pattern; pcre:"/^(?:init_consts|auth\x2fsignin)$/R"; http.header; content:"Site|3a 20|"; pcre:"/^[^<]*?(?:'|%27|-{2}|%2d%2d)?(?:(?:S(?:HOW.+(?:C(?:UR(?:DAT|TIM)E|HARACTER.+SET)|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER|SLEEP|CONCAT|CASE))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|(?:NULL(?:\x2c|%2[cC])){2,}|(?:\x2f|%2[fF])(?:\x2a|%2[aA]).+(?:\x2a|%2[aA]).+(?:\x2f|%2[fF])|CONCAT.+SELECT|EXTRACTVALUE|UNION.+ALL)/Ri"; reference:cve,2026-21643; reference:url,bishopfox.com/blog/cve-2026-21643-pre-authentication-sql-injection-in-forticlient-ems-7-4-4; classtype:attempted-admin; sid:2068447; rev:1; metadata:affected_product FortiClient_EMS, attack_target Server, tls_state plaintext, created_at 2026_03_26, cve CVE_2026_21643, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2026_03_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)