This threat intelligence report details network reconnaissance activity detected by KRVTZ-NET IDS on 2026-03-07. The key technical indicators are IP addresses performing repeated GET requests to the /remote/logincheck endpoint on Fortigate VPN devices, linked to CVE-2023-27997, a vulnerability involving improper handling of login requests that may allow authentication bypass or denial of service. Another indicator is an IP accessing phpinfo pages on web servers, which can reveal detailed server environment information useful for attackers. No affected versions or CVE assignment are explicitly listed in the report, and no known exploits in the wild are reported. The activity is categorized as low severity and reconnaissance phase, signaling potential preparatory steps for future attacks targeting Fortigate VPN vulnerabilities and web server misconfigurations.

Successful exploitation of CVE-2023-27997 could allow attackers to bypass authentication on Fortigate VPN devices, potentially leading to unauthorized network access, data breaches, lateral movement, and compromise of sensitive resources. Access to phpinfo pages discloses critical server configuration details that attackers can leverage for targeted exploits or privilege escalation. Although no active exploits are currently reported, ongoing reconnaissance increases the risk of future exploitation attempts. The confidentiality and integrity of affected networks could be significantly impacted, and availability might be affected through denial-of-service conditions. The current low severity rating reflects the reconnaissance stage and absence of known active exploits but does not eliminate the potential for escalation.

No official patches or fixes are noted in the report for CVE-2023-27997. Recommended mitigations include monitoring VPN logs and IDS/IPS alerts for anomalous requests to /remote/logincheck to detect reconnaissance or brute-force attempts early; restricting access to Fortigate VPN management interfaces and login endpoints via IP whitelisting, segmentation, or firewall rules; implementing multi-factor authentication on VPN access; hardening web servers by disabling or restricting access to phpinfo pages; conducting regular vulnerability assessments and penetration tests focusing on VPN and web server configurations; employing network segmentation to isolate VPN infrastructure; staying informed through threat intelligence feeds about emerging exploits; educating security teams to recognize reconnaissance patterns; deploying web application firewalls to block malicious HTTP requests targeting vulnerable endpoints; and engaging with Fortinet support and community channels to track and apply patches promptly once available.