KRVTZ-NET IDS alerts for 2026-01-31
Description
The KRVTZ-NET IDS alerts from January 31, 2026, represent a collection of network reconnaissance activities primarily targeting Fortigate VPN devices and web infrastructure. The alerts include multiple IP addresses linked to suspicious scanning behaviors, such as repeated GET requests to Fortigate VPN's /remote/logincheck endpoint that attempt to exploit CVE-2023-27997. Additional probes target hidden environment files and git repositories, common reconnaissance techniques used to gather sensitive configuration or source code information. Currently, no active exploitation or known exploits in the wild have been reported, and the activity is categorized as low severity reconnaissance. However, successful exploitation of the Fortigate VPN vulnerability could lead to unauthorized access, data leakage, or denial of service, impacting confidentiality, integrity, and availability. European organizations, especially in sectors like finance, government, healthcare, and critical infrastructure, are at elevated risk due to their reliance on Fortigate VPN for secure remote access. Mitigation requires patching, access restrictions, enhanced monitoring, and network segmentation. Countries most likely affected include Germany, France, the United Kingdom, the Netherlands, Italy, and Spain. The suggested severity is medium given the potential impact if exploitation occurs, despite the current lack of active attacks.
AI Analysis
Technical Summary
The KRVTZ-NET IDS alerts dated January 31, 2026, detail a series of reconnaissance activities detected via intrusion detection systems and aggregated by the CIRCL OSINT Feed. The alerts highlight multiple IP addresses engaging in suspicious scanning and probing behaviors. Notably, the IP 2001:470:2cc:1::27f is associated with repeated GET requests to the /remote/logincheck endpoint on Fortigate VPN devices, attempting to exploit CVE-2023-27997. This vulnerability allows unauthorized access or denial of service through crafted HTTP requests targeting Fortigate VPN's remote login interface. Other IPs are linked to HTTP User-Agent scanning (e.g., Censys scanners) and probes targeting hidden environment files and git repositories, which attackers commonly use to gather intelligence on system configurations and source code. The alert is classified as low severity and corresponds to the reconnaissance phase of the cyber kill chain, indicating attackers are gathering information rather than executing active exploitation. There are no patches directly linked to this alert, and no known exploits in the wild have been reported for these specific activities. The lack of affected versions and confirmed exploitation suggests this is an observation of ongoing scanning rather than an active breach. The presence of multiple IPs performing diverse reconnaissance techniques suggests a broad, possibly automated scanning campaign aimed at identifying vulnerable Fortigate VPN endpoints and other web services. This intelligence is valuable for defenders to enhance detection and response capabilities.
Potential Impact
For European organizations, the primary impact lies in the reconnaissance activities targeting Fortigate VPN devices and web infrastructure. If CVE-2023-27997 is successfully exploited, attackers could gain unauthorized access, cause data leakage, or disrupt remote access services via denial of service, impacting business continuity. Organizations in critical sectors such as finance, government, healthcare, and critical infrastructure are particularly vulnerable due to their reliance on Fortigate VPN for secure remote access. Although no active exploitation is currently reported, the scanning activity indicates an increased risk of future attacks. Reconnaissance can also facilitate targeted phishing or credential stuffing campaigns if attackers gather sufficient information. Additionally, probes for hidden environment files and git repositories suggest attackers seek sensitive configuration or source code data, which could enable further attacks or intellectual property theft. The overall impact on confidentiality, integrity, and availability could escalate if reconnaissance leads to successful exploitation.
Mitigation Recommendations
European organizations should implement targeted mitigation strategies beyond generic advice. First, ensure all Fortigate VPN devices are updated with the latest security patches addressing CVE-2023-27997 and related vulnerabilities. If patches are unavailable, apply configuration changes to restrict access to the /remote/logincheck endpoint, such as IP whitelisting, rate limiting, or enforcing multi-factor authentication. Deploy advanced intrusion detection and prevention systems tuned to detect repeated GET requests and anomalous user-agent strings indicative of scanning activity. Monitor VPN logs closely for unusual login attempts or repeated failed authentications. Harden web servers by disabling access to hidden environment files and securing git repositories, preferably restricting them to internal networks only. Employ network segmentation to isolate VPN infrastructure from critical assets, reducing lateral movement risk. Conduct regular threat hunting exercises using the provided IP indicators to identify potential compromises early. Finally, raise awareness among security teams about the reconnaissance nature of these alerts to improve incident response readiness and reduce dwell time in case of escalation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Uuid: 68fb3161-a747-400c-89a9-32e3c16c353a
- Original Timestamp: 1769832046 (Unix epoch seconds)
Indicators of Compromise
IP addresses
| Value | Description |
|---|---|
| 2620:96:e000::11d | Censys - HTTP User-Agent Scanner |
| 2001:470:2cc:1::27f | ET EXPLOIT Fortigate VPN - Repeated GET Requests to /remote/logincheck (CVE-2023-27997) |
| 209.87.169.101 | ET INFO Request to Hidden Environment File - Inbound |
| 185.198.240.233 | TGI HUNT gitrepo HTTP Probe |
| 158.101.126.35 | ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX) |
| 206.168.34.217 | Censys - HTTP User-Agent Scanner |
Threat ID: 697d9622ac0632022204bcb2
Added to database: 1/31/2026, 5:41:54 AM
Last enriched: 2/7/2026, 8:38:21 AM
Last updated: 3/24/2026, 1:00:20 AM