high advisory

Fortigate VPN Exploit Attempt via CVE-2023-27997 and Suspicious User-Agent

Multiple IDS alerts indicate potential exploitation attempts against Fortigate VPN servers using CVE-2023-27997, alongside traffic from a suspicious user agent, possibly indicating reconnaissance or exploit activity.

On February 26, 2026, network intrusion detection systems (IDS) triggered alerts for potential exploitation attempts targeting Fortigate VPN servers. The alerts show suspicious network activity originating from multiple IP addresses, specifically repeated GET requests to the /remote/logincheck endpoint, which is associated with the known vulnerability CVE-2023-27997. This vulnerability could allow unauthorized access to the VPN. Additionally, an IPv4 address was observed using a suspicious…

Detection coverage 3

Detect Fortigate CVE-2023-27997 Exploitation Attempt

high

Detects repeated GET requests to /remote/logincheck, indicating a potential CVE-2023-27997 exploitation attempt.

sigma tactics: initial_access techniques: T1190 sources: network_connection, zeek

Detect Suspicious User-Agent

medium

Detects connections using the suspicious User-Agent string observed in the alerts.

sigma tactics: initial_access techniques: T1595.001 sources: network_connection, zeek

Detect Fortigate VPN Login Check Request

info

Detects requests to the Fortigate VPN login check page.

sigma tactics: initial_access sources: network_connection, zeek
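
The repeated-request logic behind the first rule, sketched as an added example over a Zeek http.log excerpt; it is not the platform's Sigma rule. The threshold of 5 requests in 60 seconds, the reduced field set and every sample row are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

TARGET_URI = "/remote/logincheck"
T0 = 1772064000  # constructed base timestamp

def _row(ts, src, method, uri):
    # One constructed Zeek TSV row; 192.0.2.10 stands in for the VPN gateway.
    return "\t".join([f"{ts:.1f}", src, "192.0.2.10", method, uri])

# Constructed sample: one noisy source, one slow source, one POST.
SAMPLE_HTTP_LOG = "\n".join(
    ["#fields\tts\tid.orig_h\tid.resp_h\tmethod\turi"]
    + [_row(T0 + 2 * i, "198.51.100.7", "GET", TARGET_URI) for i in range(6)]
    + [_row(T0 + 300 * i, "203.0.113.20", "GET", TARGET_URI) for i in range(2)]
    + [_row(T0 + 1, "203.0.113.21", "POST", TARGET_URI)]
)

def parse_zeek_tsv(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def repeated_logincheck(text, threshold=5, window=60.0):
    """Return {source_ip: peak GET count in any window} for sources at or over threshold."""
    recent = defaultdict(deque)  # per-source timestamps inside the sliding window
    flagged = {}
    for rec in parse_zeek_tsv(text):
        path = rec["uri"].split("?", 1)[0]  # ignore any query string
        if rec["method"] != "GET" or path != TARGET_URI:
            continue
        src, ts = rec["id.orig_h"], float(rec["ts"])
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop requests that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged

if __name__ == "__main__":
    for src, count in repeated_logincheck(SAMPLE_HTTP_LOG).items():
        print(f"{src}: {count} GET {TARGET_URI} requests within 60s")
```

Tune the threshold and window against the baseline for the gateway being monitored before alerting on the result.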


Indicators of compromise

3

ip