The report documents IDS alerts indicating reconnaissance attempts against Fortigate VPN devices exploiting CVE-2023-27997. This vulnerability allows unauthenticated attackers to send repeated GET requests to the /remote/logincheck endpoint, potentially bypassing authentication controls. The activity is detected from an IPv6 address and flagged by Emerging Threats IDS signatures. No affected versions or official patches are listed in this report, and no confirmed exploits in the wild exist at this time. The reconnaissance phase indicates attackers are probing for vulnerable VPN endpoints, increasing the risk of future exploitation. Mitigation strategies include restricting access to VPN management interfaces, enforcing multi-factor authentication, rate limiting, and deploying web application firewalls. The threat intelligence feed identifies multiple countries potentially impacted, reflecting the global use of Fortigate VPN devices.

Successful exploitation of CVE-2023-27997 could allow attackers to bypass authentication on Fortigate VPN devices, granting unauthorized access to internal networks. This may lead to data breaches, lateral movement within corporate environments, and disruption of VPN services, impacting confidentiality, integrity, and availability. Currently, the observed activity is limited to reconnaissance, with no known exploits in the wild. Organizations using Fortigate VPN appliances for secure remote access face significant risks if this vulnerability is exploited.

No official patch or fix is noted in this report. Recommended mitigations include restricting access to Fortigate VPN management interfaces and the /remote/logincheck endpoint using network segmentation, firewalls, and access control lists to allow only trusted IP addresses. Continuously monitor IDS/IPS systems for repeated GET requests to /remote/logincheck and other suspicious VPN-related traffic. Apply any available vendor advisories or configuration changes from Fortinet addressing CVE-2023-27997 promptly. Enforce multi-factor authentication on VPN access to reduce unauthorized access risks. Implement rate limiting and anomaly detection on VPN endpoints to detect and block repeated request patterns. Deploy web application firewalls or reverse proxies in front of VPN portals to filter malicious requests. Integrate up-to-date threat intelligence feeds into security operations for timely awareness. Educate security teams about this vulnerability and develop incident response plans for VPN compromise scenarios.