On March 3, 2026, the KRVTZ-NET IDS system detected network reconnaissance activity focused on Fortigate VPN devices. The key indicator was repeated GET requests to the /remote/logincheck endpoint, which is linked to CVE-2023-27997, a known vulnerability in Fortigate VPN products. This vulnerability enables unauthenticated attackers to bypass authentication mechanisms by sending specially crafted HTTP requests, potentially allowing unauthorized access to VPN infrastructure. The alerts identified IPv6 addresses (2001:470:2cc:1:a6e8:f796:a067:1973 and 2001:470:1:fb5:7ea6:eff6:a807:145b) as sources of these exploit attempts. Additionally, IPv4 addresses associated with scanning activity using the Naver Webcrawler User-Agent were observed, which might be benign or used as a cover for reconnaissance. No patches or fixes are currently available for this specific alert, and no active exploitation has been confirmed in the wild. The event is categorized as reconnaissance in the cyber kill chain, indicating early-stage information gathering rather than active exploitation or impact. The low severity rating reflects the current lack of confirmed exploitation and limited immediate threat. However, the presence of these scans suggests potential preparatory steps for future attacks targeting Fortigate VPN devices, which are critical components for secure remote access in many organizations. The alert serves as an observational indicator rather than evidence of active compromise. The data originates from the CIRCL OSINT Feed and is tagged for automated unsupervised processing, emphasizing its role in threat intelligence monitoring rather than incident response.

The primary impact of this threat lies in the potential exposure of Fortigate VPN devices to reconnaissance activities that could lead to exploitation attempts. If attackers successfully exploit CVE-2023-27997, they could bypass authentication controls, gaining unauthorized access to VPN infrastructure. This unauthorized access could compromise remote connectivity, leading to data breaches, lateral movement within internal networks, and disruption of secure communications. Although no active exploits are currently known, the reconnaissance activity signals increased attacker interest, which could escalate into active exploitation campaigns. Organizations relying on Fortigate VPN for secure remote access are at risk, especially if compensating controls or monitoring are not in place. The impact spans confidentiality, integrity, and availability of VPN services if exploited. The current scope is limited to reconnaissance with no direct compromise reported, resulting in a low immediate impact. However, failure to detect and mitigate this reconnaissance could enable attackers to prepare for more damaging attacks in the future. The use of webcrawler user agents for scanning may complicate detection efforts, increasing the risk of unnoticed reconnaissance.

1. Implement advanced network monitoring and intrusion detection rules specifically tuned to detect repeated GET requests to /remote/logincheck and similar suspicious endpoints on Fortigate VPN devices. 2. Apply rate limiting and IP reputation filtering to block or throttle traffic from known malicious IP addresses identified in the alerts, including the IPv6 addresses noted. 3. Segment VPN infrastructure from other critical network segments to contain potential breaches and limit lateral movement. 4. Harden Fortigate VPN configurations by disabling unnecessary services, enforcing strong authentication mechanisms such as multi-factor authentication, and regularly reviewing security settings. 5. Analyze VPN device logs continuously for anomalous access patterns and correlate findings with updated threat intelligence feeds for proactive defense. 6. Maintain close communication with Fortinet support and monitor security advisories to promptly apply patches or mitigations related to CVE-2023-27997 when they become available. 7. Conduct periodic penetration testing and vulnerability assessments focused on VPN infrastructure to identify and remediate weaknesses before attackers can exploit them. 8. Train security teams to recognize reconnaissance activity patterns and improve incident response readiness. 9. Deploy web application firewalls (WAF) or reverse proxies in front of VPN web portals to filter and block malicious HTTP requests targeting vulnerable endpoints. 10. Integrate updated threat intelligence feeds into security operations to enable timely detection and response to emerging threats targeting VPN infrastructure.