15,000 FortiGate Devices Compromised as Hackers Leak VPN Credentials and Configurations

• Novel Belsen Group hackers published access details of more than 15,000 FortiGate devices on the dark web.
• Sensitive information such as IPs, private keys, firewall rules, and more are available for download.
• The list reveals the threat actor has compromised devices from several countries.

A new hacking group, "The Belsen Group," has leaked sensitive data from over 15,000 FortiGate devices on the dark web, exposing configuration files, IP addresses, and VPN credentials. The leaked data is free for download on the hackers' Tor-based website.  

The leaked data includes detailed FortiGate configurations (.conf files) and VPN credentials, some in plaintext, alongside sensitive information such as private keys and firewall rules. Each breached device’s data is categorized by IP address in a 1.6GB archive sorted by country.  

Cybersecurity expert Kevin Beaumont has confirmed the data aligns with exploits tied to the CVE-2022–40684 vulnerability—an authentication bypass flaw in FortiOS, FortiProxy, and FortiSwitchManager that surfaced in October 2022. The exploitation was traced back to this flaw during incident response. 

Although Fortinet released a patch for this vulnerability with FortiOS version 7.2.2, the affected devices predominantly operated on outdated firmware, such as FortiOS 7.0.0–7.0.6 and 7.2.0–7.2.2.

Both security experts and Fortinet have stressed the urgency for organizations using these devices to immediately update outdated firmware and reset passwords exposed in these leaks.  

Kevin Beaumont plans to publish a list of affected IP addresses, enabling administrators to verify if their FortiGate devices are compromised and take prompt remedial actions.  

In November, a critical flaw in Fortinet's FortiClient for Windows allowed DEEPDATA malware to steal VPN credentials. Security researchers attributed the zero-day exploit to a cyber espionage group dubbed BrazenBamboo.