The KRVTZ-NET IDS alerts from 2026-02-15 highlight network reconnaissance activities primarily targeting Fortigate VPN devices via repeated GET requests to the /remote/logincheck endpoint, associated with CVE-2023-27997. This CVE corresponds to a vulnerability in Fortinet FortiOS VPN that allows unauthenticated attackers to perform repeated login check requests, potentially leading to unauthorized access or denial of service. The alerts include multiple IP addresses identified as sources of these exploit attempts, including IPv6 and IPv4 addresses. Additionally, some IPs are linked to HTTP User-Agent scanning (notably from Censys scanners) and requests to hidden environment files, which are common reconnaissance techniques to gather information about target systems. The event is categorized as reconnaissance in the kill chain, indicating early-stage attacker behavior. No patches are indicated as unavailable, but the report does not confirm patch status for affected systems. There are no known exploits actively used in the wild or ransomware campaigns linked to these alerts at this time. The severity is marked low, reflecting the reconnaissance nature rather than active exploitation. However, the presence of multiple scanning and probing IPs suggests persistent interest in Fortigate VPN infrastructure, which is widely used in enterprise and governmental networks globally, including Europe. The lack of authentication requirement for the observed activity increases the risk profile, as attackers can probe remotely without credentials. The technical details include a unique UUID and timestamp for correlation. Overall, this intelligence points to ongoing scanning activity that could be a precursor to exploitation attempts if vulnerabilities remain unmitigated.

For European organizations, the primary impact of this threat lies in the potential compromise of Fortigate VPN devices if the CVE-2023-27997 vulnerability is exploited successfully. Fortigate VPNs are widely deployed across Europe in both private sector enterprises and public sector institutions, including critical infrastructure and government networks. Successful exploitation could lead to unauthorized access, data exfiltration, disruption of VPN services, and lateral movement within networks. Even though current activity is reconnaissance and scanning, persistent probing increases the risk of eventual exploitation. The exposure of hidden environment files through inbound requests could reveal sensitive configuration or credential information if such files are accessible, further increasing risk. The threat could disrupt secure remote access capabilities, impacting business continuity and confidentiality of communications. Given the low current severity but potential for escalation, organizations must treat this as an early warning. The impact is heightened in countries with large Fortinet market shares and critical infrastructure reliance on VPNs for secure remote access. Additionally, the presence of scanning IPs from diverse geolocations indicates a broad targeting scope, which may include European networks. The reconnaissance phase is often a precursor to more damaging attacks such as ransomware or data breaches, so early detection and mitigation are crucial to prevent escalation.

1. Verify and apply all available patches and firmware updates from Fortinet addressing CVE-2023-27997 and related vulnerabilities immediately. 2. Implement strict network segmentation and restrict VPN management interfaces to trusted IP addresses only, preferably via VPN or internal networks. 3. Deploy and tune IDS/IPS systems to detect and alert on repeated GET requests to /remote/logincheck and other suspicious VPN login activity. 4. Monitor logs for unusual access patterns, especially from the identified IP addresses and similar scanning sources, and block or throttle suspicious IPs at the firewall. 5. Conduct regular vulnerability assessments and penetration testing focused on VPN infrastructure to identify and remediate weaknesses proactively. 6. Harden VPN configurations by enforcing multi-factor authentication, strong password policies, and limiting concurrent sessions. 7. Review and secure access to environment and configuration files to prevent unauthorized exposure. 8. Educate security teams on recognizing reconnaissance indicators and escalating incidents promptly. 9. Consider deploying web application firewalls (WAF) or reverse proxies to filter and block malicious HTTP requests targeting VPN endpoints. 10. Collaborate with threat intelligence providers to stay updated on emerging threats and indicators related to Fortigate VPN exploitation attempts.