The KRVTZ-NET IDS alerts from 2026-02-18 report reconnaissance activity targeting Fortigate VPN devices, specifically repeated GET requests to the /remote/logincheck endpoint. This behavior aligns with attempts to exploit CVE-2023-27997, a known vulnerability in Fortigate VPNs that allows unauthenticated attackers to bypass authentication and potentially execute arbitrary commands. Although no direct exploitation has been confirmed in this alert, the repeated requests indicate scanning or probing activity by threat actors. Additionally, network traffic associated with the SysJoker malware was detected, identified by its unique User-Agent string. SysJoker is a known malware family that can establish persistence and facilitate further compromise. The presence of these indicators suggests that attackers are conducting reconnaissance and possibly preparing for exploitation or malware deployment. No patches are indicated as unavailable, but the original CVE has vendor patches. The alert is categorized as low severity due to the reconnaissance phase and absence of confirmed active exploitation or ransomware use. The technical details include IP addresses involved in the activity, one IPv6 address linked to the Fortigate VPN exploit attempts and one IPv4 address connected to SysJoker malware traffic. This intelligence is sourced from the CIRCL OSINT feed and tagged for automated unsupervised processing, emphasizing its role as an observation rather than a confirmed incident. Organizations should interpret this as a warning to monitor for similar activity and ensure their Fortigate VPNs are patched and secured.

For European organizations, the primary impact of this threat lies in the potential compromise of Fortigate VPN devices, which are widely used to provide secure remote access. Successful exploitation of CVE-2023-27997 could allow attackers to bypass authentication, gain unauthorized access to internal networks, and execute arbitrary commands, leading to data breaches, lateral movement, and disruption of services. The reconnaissance activity indicates that attackers are actively scanning for vulnerable devices, increasing the risk of exploitation if defenses are not hardened. The detection of SysJoker malware-related traffic further raises concerns about possible malware infections following initial access. This could result in persistent backdoors, data exfiltration, or deployment of additional payloads. The overall impact includes confidentiality breaches, integrity violations, and potential availability disruptions. Given the low severity and reconnaissance nature, immediate damage is unlikely but the threat represents a precursor to more severe attacks. European enterprises with remote workforce reliance on Fortigate VPNs, especially in critical infrastructure, finance, and government sectors, face elevated risk. Failure to address these reconnaissance attempts could lead to successful intrusions with significant operational and reputational consequences.

1. Ensure all Fortigate VPN devices are updated with the latest security patches addressing CVE-2023-27997 to eliminate the vulnerability. 2. Implement strict monitoring and alerting on VPN login endpoints, specifically /remote/logincheck, to detect repeated or anomalous access attempts indicative of brute force or exploitation attempts. 3. Employ network segmentation to isolate VPN infrastructure from critical internal systems, limiting lateral movement in case of compromise. 4. Use multi-factor authentication (MFA) on VPN access to reduce the risk of unauthorized access even if authentication bypass is attempted. 5. Conduct regular threat hunting and log analysis for indicators related to SysJoker malware, including unusual User-Agent strings and suspicious outbound connections. 6. Harden VPN configurations by disabling unnecessary services and enforcing strong password policies. 7. Deploy intrusion detection/prevention systems (IDS/IPS) with updated signatures to detect and block exploit attempts and malware traffic. 8. Educate security teams on the latest threat intelligence from CIRCL and similar feeds to maintain situational awareness. 9. Consider implementing honeypots or deception technologies to detect and analyze attacker reconnaissance behavior. 10. Review and update incident response plans to include scenarios involving VPN exploitation and malware infection.