This intelligence report details IDS alerts capturing reconnaissance activity on 2026-03-17 involving multiple IPs scanning networks with various user agents, including Naver webcrawler and suspicious bots. A critical indicator is an IPv6 address repeatedly sending GET requests to the Fortigate VPN login endpoint (/remote/logincheck), targeting CVE-2023-27997, a vulnerability in Fortigate VPN devices that can allow unauthenticated attackers to bypass authentication or cause denial of service. Although no successful exploitation is confirmed, the scanning activity increases exposure risk. The report does not specify affected product versions or patch status, and no known exploits in the wild are linked to this event. The activity is reconnaissance in nature, suggesting attackers are probing for vulnerable systems. The severity is rated low due to the observational status and lack of confirmed compromise.

The primary impact is the increased exposure of Fortigate VPN devices to reconnaissance and potential exploitation attempts targeting CVE-2023-27997. Successful exploitation could lead to unauthorized access or denial of service, affecting network security and availability. However, no active exploitation or confirmed breaches are reported in this alert. The reconnaissance activity itself may consume network resources and aid attackers in mapping defenses. The low severity rating reflects limited immediate impact but underscores the importance of securing VPN infrastructure to prevent escalation.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Organizations should verify and apply the latest Fortigate VPN patches addressing CVE-2023-27997 if available. Additionally, restrict VPN access to trusted IP ranges and implement geo-blocking where appropriate. Deploy and tune IDS/IPS to detect and block suspicious repeated GET requests to VPN login endpoints. Monitor network logs for unusual scanning patterns or suspicious user agents and investigate anomalies. Enforce multi-factor authentication on VPN access to reduce risk from potential credential bypass. Conduct regular vulnerability assessments and segment VPN infrastructure to limit lateral movement if compromised. Educate security teams to recognize reconnaissance activity and respond promptly. These mitigations focus on the specific threat vectors observed in this alert.