A hacker group has leaked data associated with roughly 15,000 Fortinet firewalls and an analysis has shown that it was likely obtained back in 2022 through the exploitation of a vulnerability.
The hackers who leaked the data are calling themselves Belsen Group and they claim this is their “first official operation”. They announced on January 14 that the data is available for free, saying that it contains IPs, passwords and configurations associated with 15,000 Fortinet devices located around the world.
Security researcher Kevin Beaumont has analyzed the leaked files and confirmed that the data is genuine after mapping it to internet-exposed Fortinet devices that are visible on the Shodan search engine.
The dumped data is classified based on country of origin, with each record containing an IP address, full configuration data, and plaintext credentials. The exposed information includes usernames, passwords, device management certificates, and firewall rules.
Based on the analysis of the leaked data and a device owned by one of the affected organizations, Beaumont determined that it was apparently collected in October 2022, likely through the exploitation of CVE-2022-40684.
The existence of CVE-2022-40684 came to light in October 2022, when Fortinet admitted that the zero-day had been exploited in at least one attack.
A few days after disclosure, a proof-of-concept (PoC) exploit was made public and exploitation started increasing. Fortinet at the time urged customers to take immediate action after seeing that many devices had remained unpatched.
Roughly a month and a half after CVE-2022-40684 was disclosed, a security firm warned that cybercriminals had been selling access to enterprise networks likely compromised through the exploitation of this vulnerability.
Beaumont noted that the leaked files could still pose a risk to organizations as two-year-old data is “not very old” and “many of the devices are still online and reachable”.
“Even if you patched back in 2022, you may still have been exploited as the configs were dumped years ago and only just released — you probably want to find out when you patched this vuln. Having a full device config including all firewall rules is… a lot of information,” the researcher advised Fortinet customers.
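A defender-side triage of that advice, added here as an example and not part of the article: given an asset inventory recording when each device received the CVE-2022-40684 fix, and the set of IPs extracted from the dump, it classifies each device by whether its config was likely collected before the patch landed. The inventory format, the sample IPs and treating the whole of October 2022 as the collection window are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address
from typing import Iterable, Optional

# The article says the configs were apparently collected in October 2022.
# Assumption: treat the whole month as the collection window, so a patch
# dated in or after it is assumed to have come too late to prevent the dump.
DUMP_WINDOW_START = date(2022, 10, 1)

@dataclass
class Device:
    ip: str
    patched_on: Optional[date]  # date the CVE-2022-40684 fix was applied; None = never

# Verdict -> recommended handling (defender's stance, derived from the article).
ACTIONS = {
    "not_in_leak": "no exposure from this leak; keep normal patch hygiene",
    "in_leak_unpatched": "treat as compromised: patch, rotate credentials and certs, audit rules",
    "in_leak_patched_during_or_after_window": "config dumped before the patch: rotate credentials and certs, review rules",
    "in_leak_patched_before_window": "patch predates the dump window: verify the patch date, look for another access path",
}

def normalise_ips(raw_ips: Iterable[str]) -> set:
    """Canonicalise IP strings from the dump and drop malformed entries."""
    out = set()
    for raw in raw_ips:
        try:
            out.add(str(ip_address(raw.strip())))
        except ValueError:
            continue  # not an IP: skip rather than fail the whole run
    return out

def triage(devices: Iterable[Device], leaked_ips: Iterable[str]) -> dict:
    """Map each inventory IP to a verdict key from ACTIONS."""
    leaked = normalise_ips(leaked_ips)
    verdicts = {}
    for d in devices:
        ip = str(ip_address(d.ip))
        if ip not in leaked:
            verdict = "not_in_leak"
        elif d.patched_on is None:
            verdict = "in_leak_unpatched"
        elif d.patched_on >= DUMP_WINDOW_START:
            verdict = "in_leak_patched_during_or_after_window"
        else:
            verdict = "in_leak_patched_before_window"
        verdicts[ip] = verdict
    return verdicts

# Constructed sample data (documentation address ranges, not real devices).
LEAKED_SAMPLE = ["192.0.2.10", "192.0.2.11", " 198.51.100.5 ", "not-an-ip"]
INVENTORY = [
    Device("192.0.2.10", date(2022, 11, 3)),
    Device("192.0.2.11", None),
    Device("198.51.100.5", date(2022, 9, 20)),
    Device("203.0.113.7", date(2022, 10, 15)),
]

if __name__ == "__main__":
    for ip, verdict in triage(INVENTORY, LEAKED_SAMPLE).items():
        print(f"{ip}: {verdict} -> {ACTIONS[verdict]}")
```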
SecurityWeek has reached out to Fortinet for comment and will update this article if the company responds.
The news comes shortly after Fortinet confirmed that a zero-day vulnerability tracked by the company as CVE-2024-55591 has been exploited in attacks, reportedly since at least November 2024.