This threat involves network-based reconnaissance and exploitation attempts detected by IDS on March 24, 2026. Multiple IP addresses were observed performing repeated GET requests to the /remote/logincheck endpoint on Fortigate VPN devices, exploiting CVE-2023-27997, a vulnerability that can allow authentication bypass or denial of service. Other suspicious activities include inbound requests to hidden environment files and phpinfo pages on web servers, which can disclose sensitive configuration information. Additionally, an IP address was noted for frequent TCP submission connections to a haproxy service, suggesting brute force attempts. These indicators collectively point to early-stage reconnaissance and exploitation efforts targeting network infrastructure and web services.

Successful exploitation of CVE-2023-27997 on Fortigate VPN devices could allow attackers to bypass authentication and gain unauthorized VPN access, potentially enabling lateral movement within networks. Access to hidden environment files and phpinfo pages can reveal sensitive system and application configurations, increasing the risk of further targeted attacks. Brute force attempts against haproxy services may lead to account lockouts or unauthorized access if weak credentials are present, affecting service availability and integrity. Although no widespread exploitation is currently documented, organizations with exposed Fortigate VPNs and web servers remain at risk of targeted attacks that could compromise confidentiality, integrity, and availability of critical resources.

Organizations should ensure all Fortigate VPN devices are updated with the latest patches addressing CVE-2023-27997. Implement strict access controls and enforce multi-factor authentication for VPN access to reduce unauthorized login risks. Monitor VPN and web server logs for repeated failed login attempts, unusual GET requests, and access to sensitive files indicative of reconnaissance or exploitation. Restrict or disable public access to environment configuration files and phpinfo pages on web servers. Deploy and tune IDS/IPS to detect suspicious GET requests, brute force patterns, and repeated connection attempts. Apply rate limiting and IP blacklisting for suspicious IP addresses identified in the alerts. Conduct regular vulnerability assessments and maintain updated threat intelligence feeds. Consider network segmentation to limit lateral movement and ensure robust incident response plans are in place.