KRVTZ-NET IDS alerts for 2026-02-27
AI Analysis
Technical Summary
This threat report details IDS alerts indicating reconnaissance activity focused on two vulnerabilities: CVE-2025-55182 affecting React Server Components via unsafe Flight Protocol property access in React2Shell, and CVE-2023-27997 targeting Fortigate VPN devices through repeated GET requests to /remote/logincheck. The React vulnerability could allow arbitrary command execution or unauthorized data access, with no patch available. The Fortigate VPN vulnerability can enable authentication bypass or denial of service and has known exploits; patches are available and should be applied. The alerts include IP addresses linked to these exploit attempts, reflecting automated scanning consistent with the reconnaissance phase of an attack. Although no active exploitation campaigns are currently known, the reconnaissance activity increases the risk of future attacks. Organizations with public-facing React applications and Fortigate VPN infrastructure are at elevated risk, particularly those supporting remote access. The vendor advisory does not indicate patch availability for the React vulnerability but confirms patches for Fortigate VPN. Mitigation includes patching Fortigate VPN devices, monitoring and blocking suspicious traffic, and auditing React applications for unsafe code patterns.
Potential Impact
Successful exploitation of CVE-2025-55182 could result in arbitrary code execution or unauthorized access to sensitive data within React Server Components, compromising confidentiality and integrity. Exploitation of CVE-2023-27997 could allow attackers to bypass VPN authentication, leading to unauthorized network access, potential lateral movement, data exfiltration, or denial of service impacting availability. The reconnaissance activity indicates attackers are actively identifying vulnerable targets, increasing the likelihood of future exploitation attempts. Organizations relying on Fortigate VPN appliances and React Server Components face elevated risks, particularly those with remote workforces or public-facing applications. The absence of a patch for the React vulnerability exacerbates the threat, while the Fortigate VPN vulnerability has known exploits, increasing urgency for mitigation. Overall, the threat could facilitate privilege escalation, network infiltration, and service disruption, impacting confidentiality, integrity, and availability.
Mitigation Recommendations
For CVE-2023-27997 affecting Fortigate VPN devices, organizations should immediately apply the latest security patches provided by the vendor. Network administrators should monitor VPN login endpoints for abnormal repeated GET requests and implement rate limiting or web application firewall (WAF) rules to block suspicious traffic. For CVE-2025-55182 in React Server Components, no official patch is currently available; developers should audit application code to identify and remediate unsafe Flight Protocol property access, enforce strict input validation, and apply robust access controls. Deploy updated IDS/IPS signatures targeting these exploit attempts and conduct regular threat hunting and log analysis to detect reconnaissance activity early. Employ network segmentation to isolate critical systems and minimize exposure of VPN and React services. Use multi-factor authentication (MFA) on VPN access and monitor for anomalous authentication patterns. Maintain and test incident response plans including procedures for reconnaissance detection and exploitation attempts. Collaborate with threat intelligence providers to stay updated on emerging exploits and indicators.
Affected Countries
United States, Germany, France, United Kingdom, Canada, Japan, South Korea, Australia, Netherlands, Singapore
Indicators of Compromise
- ip: 172.94.9.249
- ip: 65.49.20.68
- ip: 2001:470:1:c84::23
Technical Details
- Uuid: 9a8e444f-c5a6-4e6f-b99b-03ee771a1c03
- Original Timestamp: 1772166164
Indicators of Compromise
IP addresses

| Value | Description |
|---|---|
| 172.94.9.249 | ET WEB_SPECIFIC_APPS React Server Components React2Shell Unsafe Flight Protocol Property Access (CVE-2025-55182) |
| 65.49.20.68 | ET EXPLOIT Fortigate VPN - Repeated GET Requests to /remote/logincheck (CVE-2023-27997) |
| 2001:470:1:c84::23 | ET EXPLOIT Fortigate VPN - Repeated GET Requests to /remote/logincheck (CVE-2023-27997) |
Threat ID: 69a131c132ffcdb8a2ee864c
Added to database: 2/27/2026, 5:55:13 AM
Last enriched: 5/10/2026, 2:28:54 AM
Last updated: 5/29/2026, 5:28:21 PM
Views: 229