This threat intelligence report details network reconnaissance activity detected by KRVTZ-NET IDS on March 1, 2026, targeting Fortinet FortiGate VPN devices. The activity involves repeated GET requests to the /remote/logincheck endpoint, linked to CVE-2023-27997, a vulnerability that may allow authentication bypass or arbitrary code execution. The source IP 64.62.156.122 was identified conducting these scans, suggesting attempts to find vulnerable FortiGate VPNs. Although no exploitation has been confirmed, the reconnaissance phase is a precursor to potential attacks. There is currently no patch available for CVE-2023-27997, which increases exposure risk. FortiGate VPNs are extensively used worldwide, including in critical sectors, making this reconnaissance relevant for a broad range of organizations. The report emphasizes the importance of early detection and proactive defense measures.

If exploited, CVE-2023-27997 could allow attackers to bypass authentication or execute arbitrary code on FortiGate VPN devices, potentially leading to unauthorized network access, data exfiltration, lateral movement, disruption of remote access services, and compromise of sensitive systems. The reconnaissance activity itself does not cause direct harm but indicates attacker intent and preparation. The lack of an available patch extends the risk period. The widespread use of FortiGate VPNs globally, including in government and critical infrastructure sectors, amplifies the potential impact. No known exploits in the wild have been reported at this time.

Currently, no patch is available for CVE-2023-27997. Organizations should monitor network traffic for repeated or anomalous GET requests to /remote/logincheck and other FortiGate VPN endpoints to detect reconnaissance early. Restrict access to FortiGate VPN management interfaces using strict access controls and network segmentation to reduce exposure. Enforce multi-factor authentication on VPN access to mitigate risks from credential compromise. Deploy and maintain IDS/IPS systems with updated signatures capable of detecting reconnaissance and exploit attempts targeting FortiGate devices. Harden FortiGate VPN configurations by disabling unnecessary services, enforcing strong password policies, and limiting administrative access. Subscribe to up-to-date threat intelligence feeds to stay informed about emerging threats. Train security teams to recognize reconnaissance indicators and respond promptly. Apply Fortinet security advisories and patches immediately once they become available for this vulnerability.