The KRVTZ-NET IDS alerts from March 3, 2026, report network reconnaissance activity focused on Fortigate VPN devices, specifically repeated GET requests to the /remote/logincheck endpoint associated with CVE-2023-27997. This vulnerability enables unauthenticated attackers to bypass authentication mechanisms on Fortigate VPNs. The reconnaissance was observed from IPv6 addresses 2001:470:2cc:1:a6e8:f796:a067:1973 and 2001:470:1:fb5:7ea6:eff6:a807:145b, with additional scanning from IPv4 addresses using the Naver Webcrawler User-Agent. No active exploitation or confirmed breaches are reported. No patches or fixes are currently available for this vulnerability. The activity is categorized as reconnaissance in the cyber kill chain, indicating preparatory information gathering rather than active exploitation or impact. The low severity reflects the current absence of active exploitation but highlights potential risk to VPN infrastructure.

The primary impact is the exposure of Fortigate VPN devices to reconnaissance activities that could precede exploitation attempts of CVE-2023-27997. Successful exploitation would allow attackers to bypass authentication controls, potentially gaining unauthorized access to VPN infrastructure. This could compromise confidentiality, integrity, and availability of remote access services, enabling data breaches, lateral movement, and disruption of secure communications. Currently, no active exploitation is confirmed, so the immediate impact is low. However, failure to detect and mitigate reconnaissance could enable attackers to prepare for future attacks. The use of webcrawler user agents for scanning may complicate detection efforts, increasing the risk of unnoticed reconnaissance.

No official patch or fix is currently available for this vulnerability. Organizations should implement advanced network monitoring and intrusion detection rules to identify repeated GET requests to /remote/logincheck and similar suspicious activity on Fortigate VPN devices. Apply rate limiting and IP reputation filtering to block or throttle traffic from known malicious IP addresses identified in the alerts. Segment VPN infrastructure to limit potential breach impact. Harden Fortigate VPN configurations by disabling unnecessary services and enforcing strong authentication such as multi-factor authentication. Continuously analyze VPN logs for anomalous access patterns and correlate with updated threat intelligence. Maintain communication with Fortinet support and monitor advisories for future patches or mitigations related to CVE-2023-27997. Deploy web application firewalls or reverse proxies in front of VPN portals to filter malicious HTTP requests. Train security teams to recognize reconnaissance patterns and improve incident response readiness. Integrate updated threat intelligence feeds for timely detection and response.