The threat intelligence report from CIRCL OSINT Feed describes network reconnaissance activity involving repeated attempts to exploit CVE-2023-27997 in Fortigate VPN devices. This vulnerability allows unauthenticated attackers to bypass authentication and execute arbitrary commands via repeated GET requests to /remote/logincheck. Additional reconnaissance includes inbound requests to hidden environment files that may expose sensitive data and suspicious user-agent strings associated with InfoBot malware, indicating automated scanning. Although the vulnerability is publicly disclosed and patches are available, attackers continue probing for vulnerable systems. No confirmed active exploitation or ransomware campaigns are noted, but unpatched Fortigate VPNs remain at risk of significant compromise if exploited.

Successful exploitation of CVE-2023-27997 could allow attackers to bypass authentication on Fortigate VPN devices, potentially leading to unauthorized internal network access, data breaches, lateral movement, and further compromise. Reconnaissance targeting hidden environment files may expose sensitive configuration or credential information, increasing the risk of subsequent attacks. Suspicious InfoBot user-agent activity suggests automated scanning that could precede targeted attacks or malware deployment. Current activity is low-severity reconnaissance without known active exploits in the wild, but unpatched or exposed Fortigate VPNs remain vulnerable to significant compromise if exploited.

A fix for CVE-2023-27997 is available; organizations should ensure all Fortigate VPN devices are updated to the latest firmware versions addressing this vulnerability. Network administrators should monitor IDS/IPS alerts for repeated requests to /remote/logincheck and investigate suspicious activity promptly. Access to VPN management interfaces should be restricted to trusted IP addresses, and multi-factor authentication should be implemented to reduce unauthorized access risk. Web servers must be configured to deny access to hidden environment files using proper permissions and server rules. Deploying web application firewalls (WAFs) to detect and block suspicious requests targeting vulnerable endpoints is recommended. Regularly audit logs for suspicious user-agent strings like InfoBot and block malicious IP addresses at the firewall. Conduct threat hunting focused on reconnaissance indicators and maintain up-to-date threat intelligence feeds to stay informed of emerging threats.