This threat intelligence report details network reconnaissance activity detected by KRVTZ-NET IDS on March 18, 2026, focusing on attempts to exploit CVE-2023-27997 in Fortigate VPN devices. The vulnerability allows attackers to send repeated GET requests to the /remote/logincheck endpoint, potentially bypassing authentication controls. The alert includes multiple IP addresses exhibiting suspicious behavior, including one IPv6 address actively attempting exploitation and others using suspicious or spoofed user-agent strings. The activity is classified as reconnaissance within the cyber kill chain and is currently low severity with no confirmed exploitation or known active exploits. Patch availability is not confirmed in this report, and no direct mitigation instructions are provided. The threat poses a medium risk due to the critical role of VPNs in secure remote access.

If exploited, CVE-2023-27997 could allow unauthorized remote access to internal networks via Fortigate VPN devices, potentially leading to data breaches, lateral movement, and disruption of VPN services. The current alert indicates only reconnaissance activity without confirmed exploitation or known exploits in the wild. However, the presence of suspicious scanning and user-agent spoofing suggests active interest from threat actors. The impact of successful exploitation could be significant given the criticality of VPN infrastructure for secure remote access.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Organizations should audit Fortigate VPN deployments to identify exposed /remote/logincheck endpoints and verify if they are running vulnerable versions. Applying the latest Fortinet security advisories and firmware updates addressing CVE-2023-27997 is recommended when available. Implement strict access controls such as IP whitelisting and multi-factor authentication on VPN gateways. Deploy IDS/IPS with updated signatures to detect repeated GET requests targeting /remote/logincheck. Monitor VPN logs for anomalous authentication attempts and suspicious user-agent strings. Consider network segmentation to limit lateral movement if VPN access is compromised. Regularly update threat intelligence feeds and conduct vulnerability assessments focused on VPN infrastructure.