The KRVTZ-NET IDS alerts dated 2026-02-18 reveal reconnaissance activity focused on Fortigate VPN devices, specifically through repeated GET requests to the /remote/logincheck endpoint. This behavior aligns with attempts to exploit CVE-2023-27997, a known vulnerability in Fortigate VPNs that permits unauthenticated attackers to bypass authentication mechanisms and potentially execute arbitrary commands on the device. While no active exploitation has been confirmed in this alert, the repeated requests indicate scanning or probing activity by malicious actors seeking vulnerable targets. Concurrently, traffic associated with the SysJoker malware family was observed, identified by its distinctive User-Agent string. SysJoker is known for establishing persistence and enabling further compromise within infected networks. The presence of these indicators suggests attackers are conducting reconnaissance and possibly preparing for exploitation or malware deployment. No new patches are indicated as unavailable; however, vendor patches for CVE-2023-27997 exist and should be applied. The alert is classified as low severity due to its reconnaissance phase and lack of confirmed exploitation or ransomware activity. The technical details include IP addresses involved in the activity: an IPv6 address linked to Fortigate VPN exploit attempts and an IPv4 address connected to SysJoker malware traffic. This intelligence is sourced from the CIRCL OSINT feed and tagged for automated unsupervised processing, emphasizing its role as an observation rather than a confirmed incident. Organizations should interpret this as an early warning to monitor for similar activity and ensure their Fortigate VPNs are patched and secured.

The primary impact of this threat lies in the potential compromise of Fortigate VPN devices, which are widely used to provide secure remote access, especially in European organizations. Successful exploitation of CVE-2023-27997 could allow attackers to bypass authentication controls, gain unauthorized access to internal networks, and execute arbitrary commands, potentially leading to data breaches, lateral movement within networks, and disruption of critical services. The reconnaissance activity indicates that attackers are actively scanning for vulnerable devices, increasing the risk of exploitation if defenses are not hardened. The detection of SysJoker malware-related traffic raises concerns about possible malware infections following initial access, which could result in persistent backdoors, data exfiltration, or deployment of additional malicious payloads. Overall, the threat could compromise confidentiality, integrity, and availability of affected systems. Although the current alert is low severity and reconnaissance-focused, failure to address these attempts could lead to successful intrusions with significant operational and reputational consequences, particularly for organizations in critical infrastructure, finance, and government sectors.

1. Immediately apply all available security patches from Fortinet addressing CVE-2023-27997 to eliminate the vulnerability. 2. Implement continuous monitoring and alerting on VPN login endpoints, especially /remote/logincheck, to detect repeated or anomalous access attempts indicative of brute force or exploitation attempts. 3. Enforce multi-factor authentication (MFA) for all VPN access to mitigate risks from authentication bypass attempts. 4. Segment VPN infrastructure from critical internal networks to limit lateral movement in case of compromise. 5. Conduct proactive threat hunting and detailed log analysis for indicators related to SysJoker malware, including unusual User-Agent strings and suspicious outbound connections. 6. Harden VPN configurations by disabling unnecessary services, enforcing strong password policies, and restricting access to trusted IP ranges where feasible. 7. Deploy and maintain updated intrusion detection/prevention systems (IDS/IPS) with signatures capable of detecting Fortigate exploit attempts and SysJoker malware traffic. 8. Educate security teams on emerging threat intelligence from CIRCL and similar feeds to maintain situational awareness. 9. Consider deploying deception technologies or honeypots to detect and analyze attacker reconnaissance behavior early. 10. Update incident response plans to include scenarios involving VPN exploitation and malware infection, ensuring readiness for rapid containment and remediation.