The KRVTZ-NET IDS alerts dated February 26, 2026, highlight network reconnaissance activity targeting Fortinet FortiGate VPN devices. Specifically, the alerts identify repeated GET requests to the /remote/logincheck endpoint, which is linked to CVE-2023-27997, a known vulnerability in FortiGate VPNs that could allow attackers to bypass authentication or perform unauthorized actions if exploited. The indicators include IPv6 addresses (2001:470:1:c84::19 and 2001:470:1:fb5:4709:6cd5:858c:48d) and an IPv4 address (185.177.72.60) exhibiting suspicious user-agent strings that mimic legitimate browsers but contain anomalous versioning, suggesting automated scanning or probing tools. This activity is categorized as reconnaissance in the cyber kill chain, indicating attackers are gathering information to identify vulnerable targets. No patches are currently linked in this report, and no known exploits in the wild have been confirmed, suggesting this is early-stage probing rather than active exploitation. The low severity rating reflects the preliminary nature of the threat; however, the presence of these scans indicates persistent interest in FortiGate VPN vulnerabilities by threat actors. FortiGate VPNs are widely deployed globally for secure remote access, making this reconnaissance significant for organizations relying on these devices. The CIRCL OSINT feed provides this data as part of ongoing monitoring of network activity and threat intelligence gathering.

If exploited, CVE-2023-27997 could allow attackers to bypass authentication mechanisms on FortiGate VPN devices, potentially granting unauthorized access to internal networks. This could lead to data exfiltration, lateral movement within the network, and compromise of sensitive information. Organizations relying on FortiGate VPNs for remote access could face breaches of confidentiality, integrity, and availability. The reconnaissance activity increases the risk of successful exploitation, especially if devices are unpatched or misconfigured. Critical sectors such as government, finance, healthcare, and enterprises with remote workforces are particularly vulnerable due to their reliance on VPN infrastructure. Persistent scanning activity may also indicate preparation for more sophisticated attacks. While no active exploitation is currently observed, failure to mitigate could escalate the threat to high-impact incidents involving unauthorized network access and potential disruption of services.

Organizations should immediately verify and apply any available patches addressing CVE-2023-27997 on FortiGate VPN devices. In the absence of patches, implement compensating controls such as multi-factor authentication (MFA) on VPN access to reduce unauthorized access risks. Enhance monitoring of VPN access logs and IDS/IPS alerts for repeated or anomalous requests to /remote/logincheck and suspicious user-agent strings indicative of automated scanning. Deploy rate limiting on VPN endpoints to mitigate brute-force or scanning attempts. Implement geo-blocking or IP reputation filtering to restrict access from suspicious IP ranges identified in threat intelligence feeds. Conduct regular vulnerability assessments and penetration testing focused on VPN infrastructure to identify and remediate weaknesses. Network segmentation should be enforced to limit lateral movement in case of compromise. Subscribe to threat intelligence feeds like CIRCL OSINT for timely updates on emerging indicators and tactics. Finally, update incident response plans to include scenarios involving FortiGate VPN exploitation and ensure readiness for rapid containment and remediation.