
KRVTZ-NET IDS alerts for 2026-02-26

Severity: Low (score 0)
Published: Thu Feb 26 2026 (02/26/2026, 00:00:00 UTC)
Source: CIRCL OSINT Feed
Vendor/Project: tlp
Product: clear (these two fields together are the MISP tag tlp:clear, i.e. the report is TLP:CLEAR; no vendor or product is actually named in the feed entry)

Description

KRVTZ-NET IDS alerts for 2026-02-26

AI-Powered Analysis

Last updated: 02/26/2026, 10:00:34 UTC

Technical Analysis

The KRVTZ-NET IDS alerts dated 2026-02-26 record probing of Fortinet FortiGate SSL-VPN portals. Two sources, the IPv6 addresses 2001:470:1:c84::19 and 2001:470:1:fb5:4709:6cd5:858c:48d, triggered the Emerging Threats signature "ET EXPLOIT Fortigate VPN - Repeated GET Requests to /remote/logincheck (CVE-2023-27997)"; /remote/logincheck is the endpoint the SSL-VPN login form submits credentials to by POST, so bursts of GET requests to it from one source are not browser behaviour. A third source, the IPv4 address 185.177.72.60, triggered "ET HUNTING Suspicious User-Agent Observed", which flags a browser-like User-Agent whose version fields are placeholders (Windows NT XX.X, AppleWebKit/XXX.XX) and whose platform list lacks the semicolons a real Chromium User-Agent carries, the fingerprint of a scanning tool rather than a browser. CVE-2023-27997 (Fortinet advisory FG-IR-23-097) is a heap-based buffer overflow in the FortiOS and FortiProxy SSL-VPN component that is reachable before authentication and can lead to remote code execution on the appliance. It is neither new nor unpatched: Fortinet shipped fixes in June 2023, stated that the bug may have been exploited in a limited number of cases, and CISA added it to its Known Exploited Vulnerabilities catalog. This report itself links no patch and records no confirmed compromise from these sources, so the traffic reads as opportunistic scanning for exposed, unpatched portals; note, however, that the signature is an EXPLOIT-class rule, so repeated hits from one source may be exploitation attempts rather than pure reconnaissance and should be correlated with the SSL-VPN logs of the targeted device. The Low rating reflects that nothing beyond inbound probing was observed, but it also shows that scanning for this more than two-year-old vulnerability continues. The CIRCL OSINT feed publishes these indicators as part of its ongoing network monitoring and threat intelligence sharing.

Potential Impact

A successful exploit of CVE-2023-27997 gives an unauthenticated attacker code execution on the FortiGate appliance itself, not merely a VPN session. Because the device terminates remote-access VPNs and sits on the network perimeter, that foothold can be used to harvest VPN user credentials, read the device configuration, open tunnels into the internal network and move laterally from there. The alerts on this page show probing, not confirmed compromise, but persistent scanning means any internet-facing FortiGate still running a vulnerable FortiOS build is likely to be found. Organizations relying on FortiGate SSL-VPN for remote access therefore face loss of confidentiality (credentials, configuration, traffic), integrity (a compromised perimeter device) and availability (a crashed or taken-over VPN concentrator). The exposure is highest for critical infrastructure, government, finance and any enterprise whose remote workforce depends on the VPN. The Low rating describes the observed activity, not the vulnerability; without patching, the same traffic can escalate to a high-impact intrusion.

Mitigation Recommendations

Organizations should first confirm the FortiOS build on every FortiGate with SSL-VPN enabled (for example with "get system status" on the CLI) and make sure it is at or above the versions fixed in FG-IR-23-097: FortiOS 7.2.5, 7.0.12, 6.4.13, 6.2.15 or 6.0.17, or a later release. Fortinet's stated workaround where patching is not possible is to disable SSL-VPN. A device that was both internet-exposed and unpatched at any point since June 2023 should be treated as potentially compromised and have its SSL-VPN and system logs reviewed, rather than simply being patched. Defenders should monitor IDS/IPS alerts and VPN access logs for repeated GET requests to /remote/logincheck from a single source and for User-Agent strings with placeholder version fields, as in the indicators listed below. Rate limiting on the portal blunts the repeated-request pattern; geo-blocking and IP reputation are weaker controls here, since the IPv6 sources fall in 2001:470::/32, Hurricane Electric's allocation, whose free tunnel broker makes such addresses easy to obtain. Multi-factor authentication on VPN accounts does not stop a pre-authentication memory-corruption exploit, but it does limit what an attacker can do with harvested credentials and should be in place regardless. Regular vulnerability assessment and penetration testing of VPN infrastructure, network segmentation and strict access controls behind the VPN, subscription to threat intelligence feeds such as CIRCL OSINT, and an incident response plan that covers a compromised perimeter appliance round out the mitigations.
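The monitoring described above, as an added example written for this page rather than code from CIRCL, Emerging Threats or Fortinet: it reads Suricata eve.json-style HTTP events, flags the fifth GET to /remote/logincheck from one source inside a 60-second window (threshold and window are assumed values, not the thresholds of the ET rule), and separately flags User-Agent strings with placeholder version fields or a Windows platform list without semicolons. The sample events are constructed; their source addresses are the indicators from this report, while the destination, hostname and timestamps are made up.

```python
"""Added example: detect the two alert patterns from this report in Suricata
eve.json-style HTTP events. Thresholds are assumptions, not the ET rule's."""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGINCHECK_PATH = "/remote/logincheck"   # the SSL-VPN login form POSTs here; GETs are odd
REPEAT_THRESHOLD = 5                     # assumed: alert on the 5th GET ...
REPEAT_WINDOW = timedelta(seconds=60)    # assumed: ... within 60 seconds from one source

# A browser-like UA with non-numeric version fields ("Windows NT XX.X",
# "AppleWebKit/XXX.XX") or a Windows platform list missing the semicolons a real
# Chromium UA has ("Windows NT 10.0; Win64; x64").
SUSPICIOUS_UA = re.compile(
    r"Windows NT (?!\d)"
    r"|AppleWebKit/(?!\d)"
    r"|\(Windows NT [^;)]* Win64 x64\)"
)

GOOD_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36")
BAD_UA = "Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX"


def _event(ts, src, url, ua, method="GET"):
    """Build a minimal eve.json http record (constructed sample data)."""
    return {
        "timestamp": ts, "event_type": "http", "src_ip": src,
        "dest_ip": "192.0.2.10", "dest_port": 443,
        "http": {"hostname": "vpn.example.com", "url": url,
                 "http_method": method, "http_user_agent": ua, "status": 200},
    }


# Constructed events: the source addresses are the IOCs from this report; the
# destination, hostname and timestamps are made up.
SAMPLE_EVENTS = (
    [_event(f"2026-02-26T08:15:{s:02d}.000000+0000", "2001:470:1:c84::19",
            LOGINCHECK_PATH, "curl/8.5.0") for s in (0, 5, 10, 15, 20, 25)]
    + [_event("2026-02-26T08:16:00.000000+0000", "198.51.100.7",
              LOGINCHECK_PATH, GOOD_UA, method="POST")]      # a real login, not counted
    + [_event("2026-02-26T08:17:30.000000+0000", "185.177.72.60",
              "/remote/login", BAD_UA)]                       # scanner with placeholder UA
)
SAMPLE_EVE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


def parse_ts(ts):
    """Suricata timestamps look like 2026-02-26T08:15:00.000000+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def detect(events):
    """Return alert dicts for the repeated-GET and suspicious-UA patterns."""
    alerts = []
    recent = defaultdict(deque)   # src_ip -> timestamps of its recent logincheck GETs
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev.get("event_type") != "http":
            continue
        http, src = ev["http"], ev["src_ip"]
        ua = http.get("http_user_agent", "")
        if SUSPICIOUS_UA.search(ua):
            alerts.append({"rule": "suspicious-ua", "src_ip": src,
                           "timestamp": ev["timestamp"], "user_agent": ua})
        path = http.get("url", "").split("?", 1)[0]
        if http.get("http_method") == "GET" and path == LOGINCHECK_PATH:
            ts, window = parse_ts(ev["timestamp"]), recent[src]
            window.append(ts)
            while ts - window[0] > REPEAT_WINDOW:   # drop hits outside the window
                window.popleft()
            if len(window) == REPEAT_THRESHOLD:     # fire once as the threshold is crossed
                alerts.append({"rule": "repeated-logincheck-get", "src_ip": src,
                               "timestamp": ev["timestamp"], "count": len(window),
                               "window_seconds": int(REPEAT_WINDOW.total_seconds())})
    return alerts


def detect_from_lines(lines):
    """Same detection over raw eve.json lines, e.g. open('/var/log/suricata/eve.json')."""
    events = []
    for line in lines:
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return detect(events)


if __name__ == "__main__":
    for alert in detect_from_lines(SAMPLE_EVE_LINES):
        print(json.dumps(alert))
```

To run it against a real log, pass the file object to detect_from_lines; only event_type "http" records are considered, and a POST to /remote/logincheck, which is what the genuine login form sends, is never counted, so ordinary users do not trip the repeated-request rule. The User-Agent check is deliberately narrow (placeholder versions and missing semicolons) so that unusual but legitimate browsers are not flagged; widen it only with care.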


Technical Details

UUID: 63e77936-f8bb-4fb2-af2a-3e00b0dd92e6
Original timestamp: 1772090832 (2026-02-26 07:27:12 UTC)

Indicators of Compromise

IP addresses, with the IDS signature each one triggered:

2001:470:1:c84::19 - ET EXPLOIT Fortigate VPN - Repeated GET Requests to /remote/logincheck (CVE-2023-27997)
2001:470:1:fb5:4709:6cd5:858c:48d - ET EXPLOIT Fortigate VPN - Repeated GET Requests to /remote/logincheck (CVE-2023-27997)
185.177.72.60 - ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)

Threat ID: 69a01513b7ef31ef0be66b3e

Added to database: 2/26/2026, 9:40:35 AM

Last enriched: 2/26/2026, 10:00:34 AM

Last updated: 2/26/2026, 11:14:53 PM

