The KRVTZ-NET IDS alert from March 18, 2026, reports network reconnaissance and scanning activity targeting Fortigate VPN devices, specifically exploiting CVE-2023-27997. This vulnerability involves improper handling of authentication requests at the /remote/logincheck endpoint, allowing attackers to perform repeated GET requests that may lead to unauthorized access or denial of service. The alert includes multiple IP addresses observed conducting suspicious activity: one IPv6 address (2001:470:1:c84::17) repeatedly attempts to exploit the Fortigate VPN, while other IPv4 addresses (103.216.51.246, 125.209.235.172, 110.93.150.70) exhibit suspicious user-agent strings and scanning behavior, including masquerading as legitimate web crawlers like Naver.me. The alert is derived from OSINT sources and classified as low severity, indicating early-stage reconnaissance without confirmed exploitation in the wild. No patches or mitigation instructions are included, and no CVSS score is assigned. The activity aligns with the reconnaissance phase of the cyber kill chain, suggesting attackers are probing for vulnerable Fortigate VPN endpoints. The lack of known exploits in the wild and absence of ransomware or threat actor attribution suggest this is a preliminary observation. However, given the critical role of Fortigate VPNs in secure remote access, successful exploitation could lead to significant confidentiality and availability impacts.

If exploited, CVE-2023-27997 could allow attackers to bypass authentication mechanisms on Fortigate VPN devices, potentially gaining unauthorized remote access to internal networks. This could lead to data breaches, lateral movement within corporate environments, and disruption of VPN services. Although the current alert indicates low-severity reconnaissance activity without confirmed exploitation, organizations with exposed Fortigate VPN endpoints remain at risk. The impact includes potential compromise of sensitive data, interruption of secure remote access for employees, and increased attack surface for follow-on attacks. The presence of suspicious scanning IPs and user-agent spoofing indicates active interest from threat actors, which could escalate to exploitation attempts. The lack of available patches or mitigations in the alert increases the urgency for organizations to proactively monitor and secure their VPN infrastructure. Overall, the threat poses a medium risk due to the criticality of VPN access and the potential for significant operational and security consequences if exploited.

Organizations should immediately audit their Fortigate VPN deployments to identify exposed /remote/logincheck endpoints and verify if they are running vulnerable versions. Applying the latest Fortinet security advisories and firmware updates addressing CVE-2023-27997 is critical, even though this alert does not specify patch availability. Network defenders should implement strict access controls and VPN gateway hardening, including IP whitelisting and multi-factor authentication to reduce attack surface. Deploying intrusion detection and prevention systems (IDS/IPS) with updated signatures to detect repeated GET requests targeting /remote/logincheck can help identify and block exploitation attempts. Monitoring VPN logs for anomalous authentication patterns and suspicious user-agent strings is recommended. Organizations should also consider network segmentation to limit lateral movement if VPN access is compromised. Regular threat intelligence updates and correlation with OSINT feeds like CIRCL can enhance situational awareness. Finally, conducting penetration testing and vulnerability assessments focused on VPN infrastructure will help identify and remediate weaknesses proactively.