This threat intelligence report details IDS alerts indicating reconnaissance activity targeting Fortigate VPN devices via CVE-2023-27997. The vulnerability involves unauthenticated repeated GET requests to the /remote/logincheck endpoint, which may allow attackers to bypass authentication mechanisms. The observed activity originates from a specific IPv6 address and is detected by Emerging Threats IDS signatures. No affected versions or patch information are provided in this report, and no known exploits in the wild have been confirmed. The reconnaissance phase suggests attackers are scanning for vulnerable VPN endpoints, posing a risk of future exploitation. The report underscores the critical need for monitoring and securing Fortigate VPN devices against this vulnerability.

Successful exploitation of CVE-2023-27997 could allow attackers to bypass authentication on Fortigate VPN devices, granting unauthorized access to internal networks. This may lead to data breaches, lateral movement within corporate environments, and disruption of VPN services, impacting confidentiality, integrity, and availability. The current observed activity is limited to reconnaissance, but the presence of scanning increases the risk of exploitation. Organizations using Fortigate VPN appliances for secure remote access face significant risks if this vulnerability is exploited. No confirmed exploits in the wild have been reported at this time.

No official patch or fix is noted in this report. Recommended mitigations include restricting access to Fortigate VPN management interfaces and the /remote/logincheck endpoint using network segmentation, firewalls, and access control lists to allow only trusted IP addresses. Continuously monitor IDS/IPS systems for repeated GET requests to /remote/logincheck and other suspicious VPN-related traffic. Apply any available vendor advisories or configuration changes from Fortinet addressing CVE-2023-27997 promptly. Enforce multi-factor authentication on VPN access to reduce unauthorized access risks. Implement rate limiting and anomaly detection on VPN endpoints to detect and block repeated request patterns. Deploy web application firewalls or reverse proxies in front of VPN portals to filter malicious requests. Integrate up-to-date threat intelligence feeds into security operations for timely awareness. Educate security teams about this vulnerability and develop incident response plans for VPN compromise scenarios.