The KRVTZ-NET IDS alerts collected on February 13, 2026, via the CIRCL OSINT Feed, reveal a series of network reconnaissance activities primarily targeting Fortigate VPN devices and web-facing services. Central to these alerts is the detection of repeated GET requests to the /remote/logincheck endpoint on Fortigate VPNs, corresponding to attempts to exploit CVE-2023-27997. This vulnerability allows unauthenticated remote code execution, posing a significant risk as attackers could gain full control over VPN gateways, compromising secure remote access to corporate networks. The alerts also include IP addresses associated with scanning activities that use spoofed user-agent strings mimicking Google Webcrawler (Mediapartners-Google), suspicious Mozilla variants, and known scanning services like Censys. Additional probes target sensitive files such as hidden environment files and phpinfo pages, which can leak configuration details useful for further exploitation or privilege escalation. While no confirmed exploits in the wild are reported in this feed, the presence of these indicators suggests active reconnaissance and potential exploitation attempts. The alerts are categorized as low severity, reflecting the reconnaissance phase rather than confirmed intrusions. No patches are indicated as unavailable, but organizations should verify and apply the latest Fortigate VPN firmware updates. The feed lacks detailed affected version information and does not link to known threat actors or ransomware campaigns. Overall, the activity suggests early-stage attack reconnaissance with potential for escalation if vulnerabilities remain unpatched.

If successfully exploited, CVE-2023-27997 on Fortigate VPN devices could lead to remote code execution, allowing attackers to compromise VPN gateways that provide secure remote access to corporate networks. This could result in unauthorized access to internal systems, data exfiltration, lateral movement within networks, and disruption of critical services. The reconnaissance activities detected indicate that attackers are actively probing for weaknesses, which could precede more targeted and damaging attacks. Organizations in sectors such as finance, government, healthcare, and critical infrastructure that rely on Fortigate VPN appliances face heightened risk. Additionally, scanning for environment files and phpinfo pages suggests attempts to gather sensitive configuration data, which could facilitate privilege escalation or further exploitation. Although the current severity is low due to the absence of confirmed exploitation, unpatched systems and insufficient monitoring could allow attackers to escalate their access, leading to significant confidentiality, integrity, and availability impacts.

1. Immediately verify and apply the latest security patches and firmware updates for Fortigate VPN appliances to remediate CVE-2023-27997. 2. Implement strict network segmentation and access controls around VPN gateways to minimize exposure to the internet and internal networks. 3. Deploy and fine-tune intrusion detection and prevention systems (IDS/IPS) to detect and block repeated suspicious requests to /remote/logincheck and other sensitive endpoints. 4. Monitor logs for anomalous user-agent strings and unusual HTTP requests indicative of reconnaissance or scanning activity, and establish alerting mechanisms. 5. Restrict access to sensitive files such as environment configuration files and phpinfo pages through web server configuration and access control policies. 6. Conduct regular vulnerability assessments and penetration testing focused on VPN infrastructure and web-facing services. 7. Educate security teams to recognize reconnaissance patterns and escalate alerts promptly to enable rapid response. 8. Enforce multi-factor authentication (MFA) on VPN access to reduce risk from compromised credentials. 9. Maintain updated threat intelligence feeds to stay informed about emerging exploits targeting Fortigate and related infrastructure. 10. Consider deploying web application firewalls (WAF) to filter and block malicious HTTP requests targeting web interfaces and VPN portals.