This threat intelligence documents network reconnaissance activities observed on 2026-03-15, involving multiple IP addresses performing suspicious actions such as accessing PHP info pages on web servers, probing git repositories via HTTP, and repeated GET requests to the Fortigate VPN login endpoint (/remote/logincheck) linked to CVE-2023-27997. These actions represent information gathering efforts by attackers to identify exploitable systems. The alerts derive from the CIRCL OSINT feed and are classified as low severity with no known active exploits or ransomware campaigns. The presence of both IPv4 and IPv6 addresses indicates global scanning activity. No affected software versions or patches are specified, and no direct exploit code is included. The intelligence highlights typical reconnaissance patterns that could lead to targeted attacks if vulnerabilities are not addressed.

The immediate impact is low as the activity is limited to reconnaissance without confirmed exploitation. However, the information gathered through accessing PHP info pages and git repositories could reveal sensitive configuration details or source code, facilitating future attacks. The repeated attempts to access the Fortigate VPN login endpoint suggest targeting of a known vulnerability (CVE-2023-27997), which if exploited, could allow unauthorized VPN access, compromising network confidentiality and integrity. Organizations using Fortigate VPN appliances or running vulnerable web servers globally are at risk of follow-on attacks. The reconnaissance phase is preparatory but critical in the attack lifecycle, increasing the likelihood of successful breaches if unmitigated.

No official patch is indicated in this alert; however, organizations should ensure Fortigate VPN devices are updated with the latest security patches addressing CVE-2023-27997 to prevent exploitation. Restrict or disable access to sensitive web server endpoints such as phpinfo pages and git repositories to reduce information leakage. Deploy web application firewalls (WAFs) and intrusion detection/prevention systems to detect and block unauthorized scanning and probing attempts. Implement targeted monitoring for suspicious network activity and automate blocking of offending IP addresses. Conduct regular vulnerability assessments and penetration testing to identify and remediate exposed services. Network segmentation and comprehensive incident response plans should be maintained to quickly address reconnaissance and potential exploitation attempts. These measures specifically address the observed indicators and attack vectors.