15,000 Fortinet Device Configurations Exposed on Dark Web

January 17, 2025

Configuration data and VPN credentials for 15,474 Fortinet devices have been posted freely on the dark web. The dump is comprehensive but more than two years old, so organizations that have followed basic security practice since then, above all rotating credentials, should face limited risk.

On January 14, Fortinet disclosed CVE-2024-55591, a critical authentication bypass in its FortiOS operating system and FortiProxy web gateway. The flaw recalls CVE-2022-40684 from October 2022, which affected FortiOS, FortiProxy, and FortiSwitchManager. That earlier vulnerability, rated critical with a CVSS score of 9.8, let an unauthenticated attacker perform operations on the administrative interface of a vulnerable device via specially crafted HTTP or HTTPS requests; administrative access of that kind is enough to download a device's full configuration backup.

Following the disclosure of CVE-2022-40684, security researchers developed a proof-of-concept exploit and a template for scanning for vulnerable devices. Exploitation attempts subsequently surged. On the same day that CVE-2024-55591 was disclosed, a threat actor known as the 'Belsen Group' released data belonging to more than 15,000 Fortinet devices. CloudSEK researchers who found the data believe it was stolen using CVE-2022-40684, likely when the bug was still a zero-day.

The Belsen Group dumped a 1.6GB file containing the data on its onion website. The data, organized by country, IP address, and firewall port number, is freely accessible. The affected devices are spread across every continent, with the highest concentration in Belgium, Poland, the US, and the UK. However, Iran, despite having nearly 2,000 reachable Fortinet devices, is conspicuously absent from the data.

The Belsen Group only recently surfaced publicly, though CloudSEK is 'highly confident' it has been active for at least three years. It is suspected of having been part of a threat group that exploited a zero-day in 2022, but no direct affiliation has been established. The leaked data includes device configurations and SSL-VPN credentials, stolen via CVE-2022-40684 and CVE-2018-13379 respectively; the latter is a path traversal in the FortiOS SSL-VPN web portal that lets an unauthenticated attacker read system files, including the session file that holds logged-in users' plaintext credentials.

Although the data is old, it still carries risk. A FortiGate configuration backup documents an organization's internal addressing, interfaces, firewall policies, and VPN topology, much of which may be unchanged today, and it stores secrets beyond the SSL-VPN user passwords: administrator and local user credentials, IPsec pre-shared keys, and bind passwords for LDAP or RADIUS servers. These are written as 'ENC' blobs, but they should be treated as compromised rather than protected (on older firmware the key used to encrypt them was hard-coded, CVE-2019-6693). Any credential that was never rotated is still valid. Fortinet, however, has downplayed the risk, stating that organizations following routine best practices and regularly updating security credentials face a small risk from the leak. The practical check is simple: if a device was reachable and unpatched in late 2022, assume its configuration is in the dump, rotate every secret it contains, and review it for administrator accounts and settings you did not create.
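To make "rotate every secret in the backup" concrete, the following added example (mine, not code from the article, Fortinet, or CloudSEK) parses a FortiGate CLI backup in the config/edit/set/next/end format and reports which objects hold stored credentials, plus the interface addressing and management services the file reveals. The sample configuration and its ENC values are constructed placeholders, and SECRET_ATTRS is an assumed list of the common secret-bearing attributes, not an exhaustive FortiOS schema.

```python
"""Inventory secrets and exposure in a FortiGate configuration backup.

Added example, not from the article or Fortinet. The config below is
constructed for illustration; the ENC values are placeholders, not ciphertext.
"""
import shlex

SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 203.0.113.10 255.255.255.248
        set allowaccess ping https ssh
    next
    edit "port2"
        set ip 10.20.0.1 255.255.255.0
        set allowaccess ping
    next
end
config system admin
    edit "admin"
        set password ENC placeholder-not-real-ciphertext
    next
end
config user local
    edit "vpn.alice"
        set type password
        set passwd ENC placeholder-not-real-ciphertext
    next
end
config user ldap
    edit "corp-ldap"
        set server "10.20.0.5"
        set dn "dc=example,dc=com"
        set password ENC placeholder-not-real-ciphertext
    next
end
config vpn ipsec phase1-interface
    edit "to-hq"
        set remote-gw 198.51.100.7
        set psksecret ENC placeholder-not-real-ciphertext
    next
end
config system snmp community
    edit 1
        set name "public"
    next
end
"""

# Assumed set of 'set' attributes whose values are stored credentials.
SECRET_ATTRS = {"password", "passwd", "psksecret", "secret", "key", "passphrase"}


def parse_fortios(text):
    """Flatten a FortiOS CLI backup into (path, attr, values) records.

    path is a tuple of (section, object) pairs from the outermost 'config'
    block inward, so a 'config' nested inside an 'edit' keeps its parent.
    """
    records = []
    stack = []  # one [section, current_object] frame per open 'config' block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)  # honours the quoting FortiOS uses
        verb, args = words[0], words[1:]
        if verb == "config":
            stack.append([" ".join(args), None])
        elif verb == "edit":
            stack[-1][1] = args[0] if args else None
        elif verb == "next":
            stack[-1][1] = None
        elif verb == "end":
            stack.pop()
        elif verb == "set":
            records.append((tuple((s, o) for s, o in stack), args[0], args[1:]))
        # 'unset' and unknown verbs carry no stored data and are skipped
    if stack:
        raise ValueError("unterminated config block: %s" % stack[-1][0])
    return records


def secrets_to_rotate(records):
    """List every stored credential a leaked backup hands to an attacker.

    ENC blobs are reported too: treat them as compromised, not protected.
    """
    found = []
    for path, attr, values in records:
        section, obj = path[-1]
        is_secret = attr in SECRET_ATTRS
        # SNMP community strings are secrets but are stored under 'name'
        if section.endswith("snmp community") and attr == "name":
            is_secret = True
        if is_secret:
            storage = "ENC" if values and values[0] == "ENC" else "plaintext"
            found.append({"section": section, "object": obj,
                          "attribute": attr, "storage": storage})
    return found


def exposed_interfaces(records):
    """Map interface name -> address and management services it allows."""
    ifaces = {}
    for path, attr, values in records:
        section, obj = path[-1]
        if section != "system interface" or obj is None:
            continue
        entry = ifaces.setdefault(obj, {"ip": None, "allowaccess": []})
        if attr == "ip":
            entry["ip"] = " ".join(values)
        elif attr == "allowaccess":
            entry["allowaccess"] = list(values)
    return ifaces


if __name__ == "__main__":
    recs = parse_fortios(SAMPLE_CONFIG)
    for s in secrets_to_rotate(recs):
        print("rotate: %(section)s / %(object)s / %(attribute)s (%(storage)s)" % s)
    for name, info in exposed_interfaces(recs).items():
        print("interface %s %s allowaccess=%s" % (name, info["ip"], ",".join(info["allowaccess"])))
```

Run against a real backup, the rotation list is the to-do list for the device; the interface report shows which addresses and management services (here HTTPS and SSH on the public port1) the leak hands to anyone reading it. Adding entries to SECRET_ATTRS for any other credential-bearing attributes in your own configuration is expected.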
