Data From 15,000 Fortinet Firewalls Leaked by Hackers

Hackers have leaked 15,000 Fortinet firewall configurations, which were apparently obtained as a result of exploitation of CVE-2022-40684.


A hacker group has leaked data associated with roughly 15,000 Fortinet firewalls and an analysis has shown that it was likely obtained back in 2022 through the exploitation of a vulnerability.

The hackers who leaked the data are calling themselves Belsen Group and they claim this is their “first official operation”. They announced on January 14 that the data is available for free, saying that it contains IPs, passwords and configurations associated with 15,000 Fortinet devices located around the world. 

Security researcher Kevin Beaumont has analyzed the leaked files and confirmed that the data is genuine after mapping it to internet-exposed Fortinet devices that are visible on the Shodan search engine.

The dumped data is classified based on country of origin, with each record containing an IP address, full configuration data, and plaintext credentials. The exposed information includes usernames, passwords, device management certificates, and firewall rules.

Based on the analysis of the leaked data and a device owned by one of the affected organizations, Beaumont determined that it was apparently collected in October 2022, likely through the exploitation of CVE-2022-40684.

The existence of CVE-2022-40684 came to light in October 2022, when Fortinet admitted that the zero-day had been exploited in at least one attack.

A few days after disclosure, a proof-of-concept (PoC) exploit was made public and exploitation started increasing. Fortinet at the time urged customers to take immediate action after seeing that many devices had remained unpatched.

Roughly a month and a half after CVE-2022-40684 was disclosed, a security firm warned that cybercriminals had been selling access to enterprise networks likely compromised through the exploitation of this vulnerability.


Beaumont noted that the leaked files could still pose a risk to organizations as two-year-old data is “not very old” and “many of the devices are still online and reachable”. 

“Even if you patched back in 2022, you may still have been exploited as the configs were dumped years ago and only just released — you probably want to find out when you patched this vuln. Having a full device config including all firewall rules is… a lot of information,” the researcher advised Fortinet customers.

SecurityWeek has reached out to Fortinet for comment and will update this article if the company responds. 

The news comes shortly after Fortinet confirmed that a zero-day vulnerability tracked by the company as CVE-2024-55591 has been exploited in attacks, reportedly since at least November 2024. 

Related: Fortinet Patches Critical FortiWLM Vulnerability

Related: Fortinet VPN Zero-Day Exploited in Malware Attacks Remains Unpatched

Related: Citrix, Cisco, Fortinet Zero-Days Among 2023’s Most Exploited Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
