15K Fortinet Device Configs Leaked to the Dark Web
===================================================

The stolen firewall data is thorough but more than 2 years old now, meaning that most organizations following even basic security practices face minimal risk, hopefully.

[Nate Nelson, Contributing Writer](/author/nate-nelson) | January 17, 2025 | 3 Min Read

*Fortinet's logo on the face of an office building. Source: JHVEPhoto via Alamy Stock Photo*
Dated configuration data and virtual private network (VPN) credentials for 15,474 Fortinet devices have been posted for free to the Dark Web.

On Jan. 14, Fortinet disclosed a severe authentication bypass vulnerability in its FortiOS operating system and FortiProxy Web gateway, [CVE-2024-55591](https://www.darkreading.com/threat-intelligence/zero-day-security-bug-fortinet-firewall-attacks). For a model of what the aftermath of such a vulnerability could look like, one need only look to a parallel bug from October 2022 that's still making waves today.

Back then, Fortinet published an urgent security warning regarding [CVE-2022-40684](https://www.darkreading.com/vulnerabilities-threats/patch-now-fortinet-fortigate-and-fortiproxy-contain-critical-vuln), an equivalent authentication bypass vulnerability affecting FortiOS, FortiProxy, and the aptly named FortiSwitchManager. Earning a "critical" 9.8 rating in the Common Vulnerability Scoring System (CVSS), it allowed any unauthenticated attacker to perform administrative operations on vulnerable devices via specially crafted HTTP requests.
In the wake of that disclosure, security researchers developed a proof-of-concept (PoC) exploit and a template for scanning for vulnerable devices, and watched as [exploitation attempts climbed and climbed](https://www.darkreading.com/cyberattacks-data-breaches/concerns-fortinet-flaw-poc-increased-exploit-activity).

On the same day CVE-2024-55591 was disclosed this week, a threat actor with the nom de guerre "Belsen Group" released data belonging to more than 15,000 Fortinet devices. In a blog post, the CloudSEK researchers who spotted it assessed that the data had been stolen thanks to CVE-2022-40684, likely when that bug was still a zero-day. Now, they wrote, "Once they exhausted its use for themselves (either by selling or using the access), [the threat actor(s) decided to leak it](https://www.cloudsek.com/blog/15k-fortigate-firewall-configs-leaked-by-belsen-group-dumped-using-zero-day-in-2022) in 2025."

Possible Clues to Belsen Group's Origins
----------------------------------------

"2025 will be a fortunate year for the world," the Belsen Group wrote in its post to the cybercrime site BreachForums (while conveniently omitting that its data had been gathered more than two years ago).
The 1.6GB file it dumped on its onion website is accessible free of charge, and organized neatly in folders first by country, then by IP address and firewall port number.

Affected devices appear to be spread across every continent, with the highest concentration in Belgium, Poland, the US, and the UK, each with more than 20 victims.

On the flip side, security researcher Kevin Beaumont (aka GossiTheDog) noted in a blog post that every country in which Fortinet has a presence is [represented in the data](https://doublepulsar.com/2022-zero-day-was-used-to-raid-fortigate-firewall-configs-somebody-just-released-them-a7a74e0b0c7f), except one: Iran, despite the fact that Shodan shows nearly 2,000 reachable Fortinet devices in that country today. Furthermore, there is just one affected device in the entirety of Russia, and technically it's in Ukraine's annexed Crimea region.

These points of data may be unimportant, or they may hold clues for attributing the Belsen Group. It appears to have popped up this month, though CloudSEK concluded "with high confidence" that it has been around for at least three years now, and that "They were likely part of a threat group that exploited a zero day in 2022, although direct affiliations have not been established yet."

What's the Cyber-Risk?
----------------------

The leaked listings contain two types of folders. The first, "config.conf," contains affected device configurations: IP addresses, usernames and passwords, device management certificates, and all of the affected organization's firewall rules. This data was stolen via CVE-2022-40684. In the other folder, "vpn-password.txt," are SSL-VPN credentials.
According to Fortinet, these credentials were sourced from devices via an even older path traversal vulnerability, [CVE-2018-13379](https://www.darkreading.com/cyberattacks-data-breaches/cring-ransomware-used-in-attacks-on-european-industrial-firms).

Though the data is all rather aged by now, Beaumont wrote, "Having a full device config including all firewall rules is … a lot of information." CloudSEK, too, cited the risk that leaked firewall configurations can reveal information about organizations' internal network structures that may still apply today.

Organizations also often don't cycle out usernames and passwords, allowing old ones to continue to cause problems. In examining a device included in the dump, Beaumont reported that the old authentications matched those still in use.

Fortinet, for its part, tried to quell concerns in a [security analysis](https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-data-posting) published on Jan. 16. "If your organization has consistently adhered to routine best practices in regularly refreshing security credentials and taken the recommended actions in the preceding years, the risk of the organization's current config or credential detail in the threat actor's disclosure is small," it explained.
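As an added example, not code from the article or from Fortinet, CloudSEK or Beaumont, here is the triage a defender would run against such a dump: walk a listing in the country, then IP-address-and-port folder layout the article describes, match it against the organization's own inventory of internet-facing firewall addresses, and derive from which artifact was exposed (config.conf or vpn-password.txt) which credential classes need rotating. The listing and inventory are constructed sample data, and the `<ip>_<port>` folder name is an assumed separator.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from pathlib import PurePosixPath

# Constructed dump listing in the article's layout: country folder, then a
# per-device folder assumed to be named <ip>_<port>, then the leaked file.
SAMPLE_LISTING = [
    "BE/198.51.100.20_443/config.conf",
    "BE/198.51.100.20_443/vpn-password.txt",
    "PL/203.0.113.7_10443/config.conf",
    "US/192.0.2.55_443/vpn-password.txt",
]
# Constructed inventory of one organization's internet-facing firewalls.
OWN_EDGE_IPS = {"198.51.100.20", "192.0.2.55", "192.0.2.99"}

@dataclass
class Exposure:
    country: str
    ip: str
    port: int
    artifacts: set = field(default_factory=set)

    def rotate(self):
        # Credential classes to rotate, per what the article says each file holds:
        # config.conf = admin logins, management certs, firewall rules; vpn-password.txt = SSL-VPN users.
        actions = set()
        if "config.conf" in self.artifacts:
            actions |= {"admin-passwords", "mgmt-certificates", "review-firewall-rules"}
        if "vpn-password.txt" in self.artifacts:
            actions.add("sslvpn-user-passwords")
        return actions

def parse_entry(path):
    """Split 'CC/<ip>_<port>/<file>' into its parts; reject any other layout."""
    parts = PurePosixPath(path).parts
    if len(parts) != 3:
        raise ValueError(f"unexpected layout: {path}")
    country, device, name = parts
    ip, _, port = device.rpartition("_")
    ip_address(ip)  # raises ValueError on a malformed address
    return country, ip, int(port), name

def triage(listing, own_ips):
    """Return {ip: Exposure} for every own device that appears in the dump."""
    found = {}
    for entry in listing:
        country, ip, port, name = parse_entry(entry)
        if ip in own_ips:
            found.setdefault(ip, Exposure(country, ip, port)).artifacts.add(name)
    return found
```

Devices in the inventory but absent from the dump (192.0.2.99 above) produce no entry, which is the point: the output is the rotation list, not the asset list.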
About the Author
----------------

[Nate Nelson, Contributing Writer](/author/nate-nelson)

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."