CyberSecurity updates
2025-01-30 19:08:30 Pacific

Fortinet Firewall Configs Leaked From Zero Day - 14d
Read more: arcticwolf.com

A new hacking group, known as Belsen Group, has leaked configuration files and VPN credentials for over 15,000 FortiGate firewall devices. The data, which includes full configuration dumps, device management certificates and even some plaintext passwords, was made freely available on the dark web. Security researcher Kevin Beaumont first brought the issue to light, which was later confirmed by CloudSEK, and noted that the vulnerability primarily affected FortiGate 7.0.x and 7.2.x devices.

The Belsen Group is believed to have been active since 2022, despite only recently appearing on social media and cybercrime forums. The leaked data was likely collected in 2022 using a zero-day exploit, specifically CVE-2022-40684, and was only released in January 2025. This means even organizations that have since patched may still be vulnerable if their configurations were captured by Belsen Group in 2022. The exposure of the data, which includes firewall rules, poses a significant security risk to affected organizations.