What is the Belsen Group data breach incident?

The Belsen Group has released configuration data allegedly stolen from over 15,000 Fortinet firewall devices. The data was exfiltrated during a zero-day exploitation campaign in October 2022 using CVE-2022-40684 (CVSS 9.8), but was only made public in January 2025.

What types of data were exposed in the breach?

The exposed data includes complete Fortigate configuration files (config.conf), VPN user credentials, username and password combinations, device management digital certificates, firewall rules and configurations, device serial numbers, and IP addresses. The data is organized by country with specific IP addresses and configuration files.

Which versions of Fortinet products were affected?

The vulnerability impacted FortiOS versions 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy versions 7.2.0 and 7.0.0 through 7.0.6, and FortiSwitchManager versions 7.2.0 and 7.0.0.

What are the recommended mitigation steps?

Organizations are advised to immediately update their devices to patched versions (FortiOS 7.2.2+ or 7.0.7+, FortiProxy 7.2.1+, FortiSwitchManager 7.2.1+), verify patch status for CVE-2022-40684, reset all device credentials, and review logs for possible exploitation.

Incident

Belsen Group threat actors leak stolen configs and credentials of 15K Fortigate firewalls

Q: How has the authenticity of the breach been verified?

The breach has been independently verified through multiple methods, including correlation of exposed serial numbers with public Shodan scan data, direct incident response investigation showing exploitation artifacts, and verification of exposed credentials matching actual device configurations.

published: Jan. 16, 2025

Take action: If you are running Fortinet firewall, check the list of IPs, and also check your firewalls for patch status. If not patched or not sure, patch IMMEDIATELY, reset all passwords on the router and check logs for potential exploit.

Learn More

A newly emerged threat actor group called "Belsen Group" has publicly released configuration data allegedly stolen from over 15,000 Fortinet firewall devices.

The data appears to have been exfiltrated during a zero-day exploitation campaign in October 2022 using CVE-2022-40684 (CVSS score 9.8), but was made public in January 2025.

A list of the public IP addressess of the affected devices is published on Github

The exposed data includes

Complete Fortigate configuration files (config.conf)
VPN user credentials (vpn-users.txt)
Username and password combinations (some in plaintext)
Device management digital certificates
Complete firewall rules and configurations
Device serial numbers
IP addresses

The data dump is organized by country, with each folder containing specific IP addresses and associated configuration files including both config.conf and vpn-users.txt files.

The authenticity of the breach has been independently verified through multiple methods. These include correlation of exposed serial numbers with public Shodan scan data, direct incident response investigation of affected devices showing exploitation artifacts, and verification of exposed credentials matching actual device configurations.

The vulnerability specifically impacted

FortiOS: 7.2.0 through 7.2.1, 7.0.0 through 7.0.6
FortiProxy: 7.2.0, 7.0.0 through 7.0.6
FortiSwitchManager: 7.2.0, 7.0.0

Organizations advised immediately update their devices or at least verify patch status for CVE-2022-40684. Then reset all device credentials, and review logs for possible exploitation. Patched versions are

FortiOS 7.2.2 or above
FortiOS 7.0.7 or above
FortiProxy 7.2.1 or above
FortiSwitchManager 7.2.1 or above

Belsen Group threat actors leak stolen configs and credentials of 15K Fortigate firewalls