A recent leak of over 15,000 Fortigate firewall configurations has raised concerns about the security of devices vulnerable to CVE-2024-55591 and CVE-2022-40684. The threat actor known as “Belsen_Group” is believed to have exploited these vulnerabilities and subsequently leaked the configurations in January 2025. Organizations are urged to check their exposure and take necessary mitigation steps.
Affected: Fortigate firewalls
Key points:
- New zero-day vulnerability CVE-2024-55591 discovered in Fortigate devices.
- Previous vulnerability CVE-2022-40684 also involved authentication bypass through alternate paths.
- Over 15,000 Fortigate firewall configurations leaked by the threat actor “Belsen_Group”.
- Leaked data includes usernames, passwords, and firewall rules, posing significant security risks.
- Organizations are advised to audit and reconfigure their firewalls and change credentials immediately.
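Auditing a leaked or backed-up firewall configuration is the first step the key points above call for: before credentials can be rotated, a defender has to know which stored secrets the file contains and which rules and accounts would matter most if an attacker read it. The script below is an added example, not CloudSEK's or Fortinet's code. It parses a FortiOS-style CLI backup (the config / edit / set / next / end keywords) into a dictionary and reports every stored credential (admin passwords, local user passwords, IPsec pre-shared keys), accept policies that allow any source, destination and service, and admin accounts with no trusthost restriction. The sample configuration is constructed for illustration and the hash placeholders are not real values; the section and key names follow the FortiOS CLI format, everything else is assumed.

```python
"""Audit a FortiOS-style config backup after a configuration leak.

Added example, not CloudSEK's or Fortinet's code. The config below is
constructed; section and key names follow the FortiOS CLI format, the
values are placeholders.
"""

# Constructed sample backup; "REDACTED-*" stand in for real hashes/keys.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set password ENC REDACTED-HASH-1
    next
    edit "backup-admin"
        set trusthost1 10.0.0.0 255.0.0.0
        set password ENC REDACTED-HASH-2
    next
end
config user local
    edit "vpnuser1"
        set passwd ENC REDACTED-HASH-3
    next
end
config vpn ipsec phase1-interface
    edit "site-to-site"
        set psksecret ENC REDACTED-PSK
    next
end
config firewall policy
    edit 1
        set name "allow-all-out"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
    edit 2
        set name "dmz-web"
        set srcaddr "all"
        set dstaddr "web-server"
        set action accept
        set service "HTTPS"
    next
end
"""

# Settings whose values are credentials or secrets and must be rotated.
SECRET_KEYS = {"password", "passwd", "psksecret"}


def parse_config(text):
    """Parse config/edit/set/next/end syntax into {section: {entry: {key: value}}}.

    Nested config blocks inside an edit entry are folded into that entry.
    """
    sections, section_stack, entry_stack = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section_stack.append(line[len("config "):])
            if not entry_stack:                 # top-level section
                sections.setdefault(section_stack[-1], {})
        elif line.startswith("edit "):
            entry_stack.append(line[len("edit "):].strip('"'))
            if len(section_stack) == 1:
                sections[section_stack[0]].setdefault(entry_stack[-1], {})
        elif line.startswith("set ") and entry_stack:
            key, _, value = line[len("set "):].partition(" ")
            sections[section_stack[0]][entry_stack[0]][key] = value.strip('"')
        elif line == "next":
            entry_stack.pop()
        elif line == "end":
            section_stack.pop()
    return sections


def find_secrets(sections):
    """(section, entry, key) for every stored credential or secret."""
    return [(sec, entry, key)
            for sec, entries in sections.items()
            for entry, settings in entries.items()
            for key in settings if key in SECRET_KEYS]


def find_broad_policies(sections):
    """Ids of accept policies allowing any source, destination and service."""
    return [pid for pid, p in sections.get("firewall policy", {}).items()
            if p.get("action") == "accept" and p.get("srcaddr") == "all"
            and p.get("dstaddr") == "all" and p.get("service") == "ALL"]


def find_unrestricted_admins(sections):
    """Admin accounts with no trusthost entry: reachable from any address."""
    return [name for name, s in sections.get("system admin", {}).items()
            if not any(k.startswith("trusthost") for k in s)]


def audit(text):
    """Run all checks over one config backup and return the findings."""
    sections = parse_config(text)
    return {"secrets_to_rotate": find_secrets(sections),
            "broad_policies": find_broad_policies(sections),
            "unrestricted_admins": find_unrestricted_admins(sections)}


if __name__ == "__main__":
    for section, entry, key in audit(SAMPLE_CONFIG)["secrets_to_rotate"]:
        print(f"rotate: [{section}] {entry} -> {key}")
    print("broad policies:", audit(SAMPLE_CONFIG)["broad_policies"])
    print("admins without trusthost:", audit(SAMPLE_CONFIG)["unrestricted_admins"])
```

Run it against a real backup by passing the file contents to `audit()`; every entry in `secrets_to_rotate` is a credential an attacker holding the leaked file could attempt to crack or reuse, so it should be changed regardless of whether the hash looks strong. Real backups contain many more secret-bearing keys (SNMP communities, LDAP and RADIUS bind passwords, API tokens), so extend `SECRET_KEYS` to match your deployment.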
MITRE Techniques:
- TA0001 – Initial Access: Exploitation of CVE-2022-40684 to gain access to Fortigate firewalls.
- TA0002 – Execution: Use of leaked configurations to execute unauthorized commands on compromised devices.
- TA0003 – Persistence: Maintaining access through compromised credentials and configuration settings.
- TA0004 – Privilege Escalation: Exploiting vulnerabilities to gain higher privileges within the network.
- TA0005 – Defense Evasion: Leaking firewall configurations to bypass security measures.
Indicators of Compromise:
- [url] https://pastebin.com/mffLfcLp
- [other IoC] Belsen_Group
- [other IoC] CVE-2024-55591
- [other IoC] CVE-2022-40684
- Check the article for all found IoCs.
Full Research: https://www.cloudsek.com/blog/15k-fortigate-firewall-configs-leaked-by-belsen-group-dumped-using-zero-day-in-2022