The KRVTZ-NET IDS alerts from March 1, 2026, report network reconnaissance activity targeting Fortinet FortiGate VPN devices by monitoring repeated GET requests to the /remote/logincheck endpoint. This endpoint is linked to CVE-2023-27997, a vulnerability that allows attackers to bypass authentication or execute arbitrary code under certain conditions. The alerts identify the source IP 64.62.156.122 as conducting these repeated requests, indicating attempts to identify vulnerable FortiGate VPN instances. Although no active exploitation or confirmed breaches have been observed, the reconnaissance phase is a critical precursor to potential attacks. The vulnerability currently lacks an available patch, increasing the risk window. FortiGate VPNs are extensively used worldwide for secure remote access, particularly in sensitive sectors such as government and critical infrastructure. The reconnaissance activity suggests attackers are actively scanning for vulnerable devices to exploit once patches or exploits become available. The event is categorized under network activity and OSINT, emphasizing its role in early threat detection. The low severity rating reflects limited immediate impact but underscores the importance of monitoring and preparedness. The threat intelligence is sourced from the CIRCL OSINT Feed, providing timely and actionable insights for defenders.

If exploited, CVE-2023-27997 could allow attackers to bypass authentication mechanisms or execute arbitrary code on FortiGate VPN devices, leading to unauthorized access to internal networks. This could result in data exfiltration, lateral movement within networks, disruption of secure remote access services, and compromise of sensitive systems. Organizations relying on FortiGate VPNs for remote connectivity, including government agencies, enterprises, and critical infrastructure operators, face significant risks. The reconnaissance activity itself does not cause direct harm but signals attackers' intent and preparation for exploitation. Failure to detect or respond to such probing increases the likelihood of successful attacks once exploit code or patches become available. The widespread deployment of FortiGate VPNs globally amplifies the potential impact, making this a threat of international concern. Operational disruptions, data breaches, and loss of trust are possible consequences if the vulnerability is exploited.

1. Continuously monitor network traffic for repeated or anomalous GET requests to /remote/logincheck and other FortiGate VPN endpoints to detect reconnaissance early. 2. Restrict access to FortiGate VPN management interfaces by implementing strict access controls and network segmentation, limiting exposure to the internet. 3. Apply Fortinet security advisories and patches promptly once they become available for CVE-2023-27997 to remediate the vulnerability. 4. Enforce multi-factor authentication (MFA) on VPN access to mitigate risks from credential compromise. 5. Deploy and maintain IDS/IPS systems with updated signatures capable of detecting known reconnaissance and exploit attempts targeting FortiGate devices. 6. Conduct regular vulnerability assessments and penetration testing focused on VPN infrastructure to identify and remediate weaknesses. 7. Harden FortiGate VPN configurations by disabling unnecessary services, enforcing strong password policies, and limiting administrative access. 8. Subscribe to up-to-date threat intelligence feeds to stay informed about emerging threats and exploitation techniques targeting FortiGate VPNs. 9. Train security teams to recognize reconnaissance indicators and respond swiftly to suspicious activity, ensuring early intervention before exploitation. These targeted measures focus on early detection of reconnaissance patterns and proactive hardening of FortiGate VPN environments beyond generic security advice.