Introduction

The Belsen Group has leaked sensitive configuration data and VPN credentials from over 15,474 FortiGate firewall devices [5], affecting both governmental and private sector organizations worldwide [5]. This breach, linked to a critical zero-day vulnerability [3] [13], poses significant security risks [2] [6] [12] [13], necessitating immediate action from affected entities.

Description

Belsen Group has leaked sensitive configuration data and VPN credentials from over 15,474 unique FortiGate firewall devices [5], impacting governmental and private sector organizations globally [5]. This breach exposes critical technical details, including usernames [4] [5], passwords (some in plaintext) [4] [5] [6] [7] [10], firewall rules [2] [4] [5] [6] [7] [10] [11] [12], and digital certificates for device management [4], allegedly obtained through the exploitation of a critical zero-day vulnerability (CVE-2022-40684) in Fortinet’s FortiOS [5], FortiProxy [5] [6] [9], and FortiSwitchManager [5] [6]. The leaked data [2] [3] [5] [6] [8] [11] [13], totaling 1.6 GB and organized in a ZIP archive by country, includes folders listing individual IP addresses, full firewall configurations [1] [2] [5] [7] [8] [11], and VPN credentials [2] [3] [5] [7] [12] [13].

The leak was first discovered on January 14, 2025 [11], by CloudSEK’s XVigil platform [11], with confirmation from cybersecurity expert Kevin Beaumont on January 15 and security provider CloudSEK on January 16. Beaumont noted that the data appears to originate from incidents in the fall of 2022, coinciding with a peak in exploitation activity related to the aforementioned vulnerability [13], suggesting a link to a serious cyber event [9]. Rapid7 confirmed that some of the leaked information was associated with compromised customer firewalls from that year [8]. The majority of the compromised configurations are reported to originate from Mexico [4], with 1,603 configurations [1], followed by the United States with 679 and Germany with 208.

Most exposed devices are running FortiOS versions 7.0.0 to 7.0.6 and 7.2.0 to 7.2.2, with a significant number on version 7.2.0, all of which were susceptible to CVE-2022-40684. Although Fortinet released a patch for this vulnerability on October 3, 2022, many organizations may still be at risk because their configurations were exposed before the update was applied. It remains unclear how some devices running the patched version 7.2.2 were still exploited. Beaumont has advised administrators to change their credentials if affected by this leak and plans to publish a list of impacted IP addresses to assist organizations in assessing their risk. Additionally, researcher Amram Englander has published the IP addresses on GitHub [6], further emphasizing the need for affected organizations to review their patch history for CVE-2022-40684.

The release of this data, occurring over two years after its compilation, poses a significant threat to thousands of organizations [7], potentially leading to unauthorized network access and misuse of sensitive information [7]. The compromised credentials and exposed firewall rules can reveal internal network structures, allowing attackers to bypass defenses [11]. Additionally, breached device management certificates could facilitate man-in-the-middle attacks or unauthorized access in secure communications. This incident underscores the ongoing risks associated with zero-day vulnerabilities and the necessity for timely patching [3], following a similar leak in 2021 that exposed nearly 500,000 Fortinet VPN credentials [3].

Belsen Group [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13], which emerged on social media and cybercrime forums in January 2025 [10], has made the data available for free on a dark web forum [2]; given that the data dates from 2022, the group has likely been active for several years [10]. Security experts warn that this exposure could lead to widespread exploitation globally [2]. Organizations are advised to review the list of compromised firewall IPs [11], conduct forensic analysis of affected devices [11], and implement mitigation strategies such as immediate credential updates, auditing and reconfiguring firewalls to tighten access controls [11], and rotating all exposed digital certificates [11]. The leaked configurations have affected numerous organizations across various countries [11], with the US [11], UK [11], Poland [11], and Belgium having over 20 victims each [11], while France, Spain [3] [6] [10] [11], Malaysia [11], the Netherlands [11], Thailand [11], and Saudi Arabia reported over 10 victims each [11]. Cybersecurity professionals emphasize the need for proactive measures [2], as attackers are likely already exploiting the leaked data [2].
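The two triage steps the text recommends, checking an organization's own firewalls against the published list of leaked IPs and against the FortiOS version ranges named above, can be combined in one defender-side script. This is an added example, not code from the article or any of its sources; the leaked-list format (one IPv4 per line) and the inventory are constructed assumptions using RFC 5737 documentation addresses.

```python
import ipaddress
# FortiOS versions the article reports as predominant among exposed devices
# (7.0.0-7.0.6 and 7.2.0-7.2.2); all were susceptible to CVE-2022-40684.
VULNERABLE_RANGES = (((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 2)))

# Constructed sample of a leaked-IP list. The format is assumed (one IPv4 per
# line, '#' comments); the addresses are RFC 5737 documentation ranges.
SAMPLE_LEAK_LIST = "# country: XX (constructed)\n192.0.2.10\n198.51.100.7\nnot-an-ip\n"

# Constructed inventory of an organisation's own firewalls: (name, public IP, FortiOS).
SAMPLE_INVENTORY = [
    ("fw-branch-1", "192.0.2.10", "7.2.1"),   # in the leak and on a vulnerable build
    ("fw-dc-edge", "198.51.100.7", "7.4.1"),  # in the leak but upgraded since
    ("fw-lab", "203.0.113.5", "7.0.3"),       # vulnerable build, not in the leak
    ("fw-hq", "203.0.113.9", "7.2.5"),        # neither
]

def is_vulnerable_version(ver):
    """True if 'v7.2.1'/'7.2.1' falls inside one of VULNERABLE_RANGES."""
    v = tuple(int(p) for p in ver.lstrip("vV").split(".")[:3])
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)

def load_leaked_ips(text):
    """Parse the leaked-IP list into a set, skipping comments and malformed lines."""
    ips = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            ips.add(ipaddress.ip_address(entry))
        except ValueError:
            pass  # tolerate noise so one bad line does not abort the triage
    return ips

def triage(inventory, leaked_ips):
    """Per device: (name, in_leak, vulnerable_version, action). Presence in the
    leak demands remediation even if patched since: the config is already public."""
    results = []
    for name, ip, ver in inventory:
        in_leak = ipaddress.ip_address(ip) in leaked_ips
        vuln = is_vulnerable_version(ver)
        if in_leak:
            action = "rotate credentials and certificates; forensic review"
        elif vuln:
            action = "verify patch history for CVE-2022-40684"
        else:
            action = "no action from this leak"
        results.append((name, in_leak, vuln, action))
    return results
```

Note that a device upgraded after the 2022 exposure window still lands in the remediation bucket if its IP is in the list, which is the point the text makes about configurations exposed before patching.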

In addition to the aforementioned vulnerability, Fortinet recently disclosed CVE-2024-55591 [9], an authentication bypass vulnerability affecting FortiOS and FortiProxy [9] that potentially allows remote attackers to gain super-admin privileges [9]. Reports indicate that this vulnerability is being actively exploited [9], prompting Fortinet to advise users to ensure their FortiGuard appliances are up to date and to limit access to the administrative interface [9]. Organizations using Fortinet products must act swiftly to mitigate risks from this breach and remain vigilant against future exploits targeting exposed configurations [2].

Conclusion

The Belsen Group’s data leak represents a severe threat to global cybersecurity, highlighting the critical importance of addressing zero-day vulnerabilities promptly. Organizations must take immediate steps to secure their systems, including updating credentials [7] [12], auditing firewall configurations [2] [5] [7] [8] [11], and rotating digital certificates. The incident serves as a stark reminder of the persistent risks posed by cyber threats and the necessity for ongoing vigilance and proactive security measures.

References

[1] https://www.heise.de/en/news/Unknown-group-releases-Fortinet-config-files-and-VPN-passwords-to-the-darknet-10244238.html
[2] https://cybersecuritynews.com/fortigate-firewall-configs-leaked/
[3] https://cybermaterial.com/belsen-group-leaks-fortigate-devices-data/
[4] https://tweakers.net/nieuws/230874/hackers-lekken-configuraties-en-vpn-inloggegevens-van-15000-fortigate-apparaten.html
[5] https://cyberinsider.com/15000-fortigate-firewall-and-vpn-credentials-leaked-by-hackers/
[6] https://www.computing.co.uk/news/2025/security/hacking-group-leaks-fortinet-users-details-dark-web
[7] https://securityonline.info/15000-fortigate-firewalls-exposed-massive-leak-includes-vpn-credentials/
[8] https://www.rapid7.com/blog/post/2025/01/16/etr-fortinet-firewalls-hit-with-new-zero-day-attack-older-data-leak/
[9] https://www.cyberdaily.au/security/11588-hacking-group-releases-details-of-15-000-vulnerable-fortigate-firewall-devices
[10] https://www.infosecurity-magazine.com/news/hacking-group-leaks-config-15k/
[11] https://www.cloudsek.com/blog/15k-fortigate-firewall-configs-leaked-by-belsen-group-dumped-using-zero-day-in-2022
[12] https://fieldeffect.com/blog/fortinet-rookie-leaks-creds-15000-devices
[13] https://www.blackhatethicalhacking.com/news/fortigate-leak-over-15000-devices-configs-and-vpn-credentials-exposed-by-new-hacking-group/