Fortigate VPN CVE-2023-27997 Exploitation Attempt
IDS alerts indicate a potential exploitation attempt against a Fortigate VPN server using CVE-2023-27997, characterized by repeated GET requests to the /remote/logincheck endpoint originating from a specific IPv6 address.
On February 28, 2026, network intrusion detection systems (IDS) flagged suspicious activity indicative of a potential exploit targeting Fortigate VPN servers. The activity involves a series of repeated GET requests directed towards the /remote/logincheck endpoint, a known attack vector associated with CVE-2023-27997. This vulnerability allows unauthenticated attackers to execute arbitrary code via specially crafted requests. The observed traffic originates from the IPv6 address…
Detection coverage: 2
Detect Repeated GET Requests to /remote/logincheck
Severity: high. Detects repeated GET requests to the /remote/logincheck endpoint, potentially indicating an exploitation attempt against CVE-2023-27997 on Fortigate VPNs.
Detect Network Connection to Fortigate Logincheck
Severity: high. Detects network connections to the Fortigate logincheck endpoint, potentially indicating exploitation attempts.
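
An added example, not one of the rules listed above (their queries are not shown on this page): a sliding-window count of GET requests to /remote/logincheck per source address, run over access-log lines. The log layout, the threshold of 5 requests within 60 seconds, and the 2001:db8:: documentation addresses are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed combined-log-like layout: src - - [timestamp] "METHOD path proto" ...
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) '
)

def find_repeated_logincheck(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {source: peak GET count within one window} for sources that
    reach the threshold. Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        # Drop any query string so /remote/logincheck?x=1 is still counted.
        if m["path"].split("?", 1)[0] != "/remote/logincheck":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window:   # expire hits older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["src"]] = max(flagged.get(m["src"], 0), len(q))
    return flagged

def _line(src, hhmmss, method, path):
    # Helper that builds one constructed log line (hypothetical format).
    return f'{src} - - [28/Feb/2026:{hhmmss} +0000] "{method} {path} HTTP/1.1" 200 0'

# Constructed sample traffic; none of these addresses come from the alert.
SAMPLE = (
    # Six GETs in ten seconds from one IPv6 source: should be flagged.
    [_line("2001:db8::bad", f"10:00:{s:02d}", "GET", "/remote/logincheck")
     for s in range(0, 12, 2)]
    # A POST to the same endpoint: not counted by a GET-based rule.
    + [_line("2001:db8::1", "10:00:05", "POST", "/remote/logincheck")]
    # Six GETs spaced five minutes apart: never five inside one window.
    + [_line("2001:db8::2", f"10:{m:02d}:00", "GET", "/remote/logincheck")
       for m in range(0, 30, 5)]
)

if __name__ == "__main__":
    print(find_repeated_logincheck(SAMPLE))
```

Tune the threshold and window against baseline traffic for the appliance before alerting on the result.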
Indicators of compromise: 1 (ip)