The KRVTZ-NET IDS alerts from 2026-03-07 indicate network reconnaissance activity primarily targeting Fortigate VPN devices. The key indicator IP addresses (2001:470:1:332::28 and 2001:470:1:c84::26) were observed making repeated GET requests to the /remote/logincheck endpoint, which is linked to CVE-2023-27997, a known vulnerability in Fortigate VPN appliances that could allow unauthorized access or remote code execution if successfully exploited. This vulnerability involves improper handling of login requests, enabling attackers to bypass authentication or cause denial of service. The alerts also include an IP (34.142.251.255) accessing PHP info pages on web servers, which can disclose sensitive environment and configuration details useful for further attacks. No patches or fixes are noted in this report, and no known exploits are currently active in the wild. The activity is categorized as reconnaissance, indicating attackers are probing targets to identify vulnerable systems. The lack of confirmed exploitation and the low severity rating suggest this is early-stage scanning rather than an active attack campaign. The data originates from the CIRCL OSINT feed, indicating open-source intelligence collection of suspicious network activity. The absence of affected versions or CVE assignment in the report implies this is an observation rather than a confirmed vulnerability report. The threat actors remain unidentified, and no ransomware or related campaigns are linked. Overall, this represents a low-level threat focused on identifying potential Fortigate VPN weaknesses and web server misconfigurations.

If successfully exploited, CVE-2023-27997 could allow attackers to bypass authentication on Fortigate VPN devices, potentially leading to unauthorized network access, data exfiltration, or lateral movement within an organization’s network. Access to phpinfo pages can reveal detailed server configuration, including PHP version, loaded modules, environment variables, and paths, which attackers can leverage to craft targeted attacks or escalate privileges. Although no active exploits are reported, persistent reconnaissance increases the risk of future exploitation attempts. Organizations relying on Fortigate VPN appliances for secure remote access could face compromised VPN gateways, leading to exposure of internal resources. The impact on confidentiality and integrity is significant if exploitation occurs, while availability could also be affected through denial-of-service conditions. The low severity rating reflects the current reconnaissance stage and absence of known exploits but does not preclude escalation. The threat is particularly concerning for organizations with critical infrastructure, government networks, and enterprises with remote workforce dependencies. Failure to detect or mitigate these reconnaissance activities could enable attackers to prepare more sophisticated attacks, increasing overall risk.

1. Immediately review and apply any available patches or firmware updates from Fortinet addressing CVE-2023-27997 to eliminate the vulnerability. 2. Restrict access to Fortigate VPN management interfaces and login endpoints using IP whitelisting, VPN segmentation, or firewall rules to limit exposure to untrusted networks. 3. Implement multi-factor authentication (MFA) on VPN access to reduce the risk of unauthorized login even if the vulnerability is exploited. 4. Monitor VPN logs and IDS/IPS alerts for repeated or anomalous requests to /remote/logincheck and other suspicious endpoints to detect reconnaissance or brute-force attempts early. 5. Harden web servers by disabling or restricting access to phpinfo pages and other sensitive debug or configuration endpoints. 6. Conduct regular vulnerability assessments and penetration tests focusing on VPN and web server configurations to identify and remediate weaknesses. 7. Employ network segmentation to isolate VPN infrastructure from critical internal resources, limiting lateral movement opportunities. 8. Use threat intelligence feeds and automated detection tools to stay informed of emerging exploits related to Fortigate VPN and web server vulnerabilities. 9. Educate security teams on recognizing reconnaissance patterns and responding promptly to reduce dwell time of attackers. 10. Consider deploying web application firewalls (WAF) to detect and block malicious HTTP requests targeting known vulnerable endpoints.