
FortiGate Security Breach: Confidential Data of 15,000 Devices Exposed on Dark Web


CyberSecureFox Editorial Team


The hacking group Belsen Group released sensitive configuration data from over 15,000 FortiGate firewall devices on the dark web, exposing VPN credentials, private keys, and complete firewall rule sets. The breach traces back to active exploitation of CVE-2022-40684, a critical authentication bypass in FortiOS that was weaponized in October 2022. Organizations that ran unpatched FortiGate devices during that period should treat their network configurations as fully compromised.

Breach Analysis and Impact Assessment

The leaked archive, 1.6 GB in size, is organized by country and contains comprehensive details from thousands of FortiGate devices. Each compromised device's entry includes a complete configuration dump and unencrypted VPN passwords, which can grant immediate unauthorized access to previously secure networks. The presence of private keys and firewall rule sets in these configuration files extends the risk well beyond the original 2022 compromise window, because credentials and keys that were never rotated remain valid today.

Technical Details: CVE-2022-40684

Security researcher Kevin Beaumont’s analysis attributes the breach to CVE-2022-40684, an authentication bypass vulnerability that was actively exploited before many organizations had patched. The vulnerability impacted FortiOS versions 7.0.0 through 7.0.6 and 7.2.0 through 7.2.2. Notably, even devices running version 7.2.2 — supposedly patched — fell victim to attacks, as threat actors had established super_admin backdoor accounts prior to patching.

Organizations Running FortiGate Firewalls Exposed to the Internet

Organizations that ran FortiGate devices on FortiOS 7.0.x (up to 7.0.6) or 7.2.x (up to 7.2.2) during October 2022 are at risk, even if those devices were subsequently patched. The leaked data covers over 15,000 devices globally. If your organization’s IP addresses or domain names appear in the Belsen Group’s published dataset, your VPN credentials, firewall configurations, and private keys should be treated as fully exposed. Financial institutions, government agencies, and critical infrastructure operators are among the highest-risk targets due to the sensitivity of their network access.

FortiGate Incident Response: Isolation, Credentials, and Firmware

  • Cross-reference your organization’s public IP addresses against the Belsen Group’s leaked IP list to determine if your FortiGate devices are included.
  • Immediately rotate all VPN credentials, pre-shared keys, and certificates on any FortiGate device that ran affected FortiOS versions during October 2022.
  • Audit administrator accounts for unknown super_admin accounts created during the breach window — delete any unauthorized accounts immediately.
  • Apply the latest FortiOS security updates from the Fortinet PSIRT advisory page and verify integrity of current configurations against known-good backups.
  • Conduct a network compromise assessment to identify lateral movement or persistent access that may have been established using the leaked credentials.
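The triage helper below is an added example written for this article; it is not code from CyberSecureFox or Fortinet. It automates three of the checks above on a saved FortiGate configuration backup: reading the FortiOS version from the `#config-version` header and testing it against the affected ranges the article lists (7.0.0 through 7.0.6 and 7.2.0 through 7.2.2), listing every account in `config system admin` that holds the `super_admin` profile and flagging any not on your known-good list, and intersecting a leaked IP list with your organization's public address ranges. The configuration text, account names, and IP addresses are constructed sample data; the header layout `MODEL-X.Y.Z-FW-build...` is assumed from typical FortiOS config dumps.

```python
"""Added triage example (not from the article or Fortinet). All sample data
below is constructed; nothing here comes from the leaked archive."""
import ipaddress
import re

# Affected FortiOS ranges as stated in the article (inclusive).
AFFECTED_RANGES = [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 2))]

# Constructed sample of a FortiOS CLI config backup. Account names are invented;
# "svc_backup" stands in for an unexpected super_admin account.
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.0.5-FW-build0304-220413:opmode=0:vdom=0:user=admin
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC REDACTED
    next
    edit "netops_ro"
        set accprofile "prof_admin"
        set vdom "root"
    next
    edit "svc_backup"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC REDACTED
    next
end
"""


def parse_version(config_text):
    """Return the FortiOS version as an (major, minor, patch) tuple.
    Assumes the '#config-version=MODEL-X.Y.Z-FW-build...' header layout."""
    m = re.search(r"#config-version=[^-]+-(\d+)\.(\d+)\.(\d+)-", config_text)
    if not m:
        raise ValueError("no #config-version header found")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version):
    """True if the version falls inside any range the article lists as affected."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def parse_admins(config_text):
    """Return {account_name: accprofile} parsed from the 'config system admin' block."""
    admins, in_block, current = {}, False, None
    for line in config_text.splitlines():
        s = line.strip()
        if s == "config system admin":
            in_block = True
        elif in_block and s == "end":
            break
        elif in_block and s.startswith("edit "):
            current = s.split(" ", 1)[1].strip('"')
            admins[current] = None
        elif in_block and current and s.startswith("set accprofile "):
            admins[current] = s.split(" ", 2)[2].strip('"')
        elif in_block and s == "next":
            current = None
    return admins


def unexpected_super_admins(admins, known_good):
    """Accounts holding super_admin that are not on the known-good allowlist."""
    return sorted(n for n, p in admins.items()
                  if p == "super_admin" and n not in known_good)


def exposed_addresses(org_cidrs, leaked_ips):
    """Leaked addresses that fall inside the organization's public ranges."""
    nets = [ipaddress.ip_network(c) for c in org_cidrs]
    hits = [ip for ip in leaked_ips
            if any(ipaddress.ip_address(ip) in n for n in nets)]
    return sorted(hits, key=ipaddress.ip_address)


def triage(config_text, known_good_admins, org_cidrs, leaked_ips):
    """Combine the checks into one report dict a responder can act on."""
    version = parse_version(config_text)
    return {
        "version": ".".join(map(str, version)),
        "ran_affected_firmware": is_affected_version(version),
        "unexpected_super_admins": unexpected_super_admins(
            parse_admins(config_text), known_good_admins),
        "exposed_addresses": exposed_addresses(org_cidrs, leaked_ips),
    }


if __name__ == "__main__":
    # Constructed inputs: documentation ranges (RFC 5737) stand in for real IPs.
    report = triage(SAMPLE_CONFIG, {"admin"},
                    ["203.0.113.0/24", "198.51.100.0/25"],
                    ["203.0.113.7", "192.0.2.5", "198.51.100.200", "198.51.100.9"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

A device that reports `ran_affected_firmware: True` with any name under `unexpected_super_admins` should be treated as compromised regardless of its current patch level, since the article notes that backdoor accounts were planted before patching; the credential rotation and compromise assessment steps above then apply in full.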

CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.
