The KRVTZ-NET IDS alerts for March 24, 2026, highlight a series of network-based reconnaissance and potential attack activities detected by intrusion detection systems. Key indicators include IP addresses performing repeated connections and requests that align with known exploit attempts and information gathering techniques. Specifically, multiple IPv6 addresses were observed sending repeated GET requests to the /remote/logincheck endpoint on Fortigate VPN devices, exploiting CVE-2023-27997, a vulnerability allowing unauthorized access or denial of service. Additional IPs attempted to access hidden environment files and phpinfo pages, which can disclose sensitive configuration details. Another IP address was noted for possible brute force attempts against a haproxy service via frequent TCP submissions. These activities collectively represent early-stage reconnaissance and exploitation attempts, primarily targeting network infrastructure and web services. No patches or confirmed exploits in the wild are currently documented, and the severity is rated low. However, the presence of these indicators suggests attackers are actively scanning and probing networks, which could lead to more severe attacks if vulnerabilities are successfully exploited.

If successful, exploitation of CVE-2023-27997 on Fortigate VPN devices could allow attackers to bypass authentication, gain unauthorized access to VPN services, and potentially move laterally within affected networks. Access to hidden environment files and phpinfo pages can reveal sensitive system and application configuration details, increasing the risk of further compromise. Brute force attempts against haproxy services may lead to account lockouts or unauthorized access if weak credentials are used. Although no widespread exploitation is currently reported, organizations with exposed Fortigate VPNs and web servers are at risk of targeted attacks that could compromise confidentiality, integrity, and availability of network resources. The reconnaissance activity also indicates attackers are actively mapping networks, which could precede more sophisticated attacks such as ransomware or data exfiltration campaigns. Overall, the impact is currently limited but could escalate without proper defenses.

Organizations should immediately review and harden Fortigate VPN configurations, ensuring all devices are updated with the latest security patches addressing CVE-2023-27997. Implement strict access controls and multi-factor authentication (MFA) for VPN access to mitigate unauthorized login attempts. Monitor VPN logs for repeated failed login attempts and unusual access patterns indicative of brute force or exploitation attempts. Restrict access to sensitive files such as environment configuration and phpinfo pages by disabling or limiting their exposure on public-facing web servers. Deploy and tune intrusion detection/prevention systems to alert on suspicious GET requests and brute force patterns. Employ rate limiting and IP blacklisting for repeated suspicious connections, especially from the identified IP addresses. Conduct regular vulnerability assessments and penetration testing on network infrastructure to identify and remediate weaknesses. Finally, maintain up-to-date threat intelligence feeds to stay informed of emerging threats related to Fortigate VPN and web server exploits.