Belsen Group Leaks 15,000+ FortiGate Firewall Configurations

FortiGate firewall leak exposes 15,000+ configurations, impacting organizations globally. The actor behind the leak is Belsen Group. Learn how to mitigate risks and protect your systems.

A new leak from a threat actor group dubbed Belsen Group or (Belsen_Group) has exposed configurations from over 15,000 FortiGate firewalls, threatening organizations that use these devices, as it could allow attackers to gain access to sensitive systems and bypass defences. The US, UK, Poland, and Belgium have the highest number of victims, followed by France, Spain, Malaysia, Netherlands, Thailand, and Saudi Arabia.

Research by CloudSEK’s contextual AI digital risk platform XVigil reveals that in 2022, the Belsen Group breached a zero-day vulnerability, leaking over 15,000 Fortigate firewall configurations. The leaked information includes usernames, passwords (some in plain text), device management digital certificates, and all firewall rules. This data gives attackers a treasure trove of information that they can exploit.

Belsen Group on Breach Forums and its dark web leak site (Screenshot Hackread.com)

Exposed usernames and passwords, especially those in plain text, can be used by attackers to directly access sensitive systems on your network. Even if you patched the vulnerability (CVE-2022-40684) in 2022, it is crucial to check for signs of compromise since this was a zero-day exploit. Leaked firewall configurations reveal your internal network structure, potentially allowing attackers to identify weaknesses and bypass security measures.

Breached digital certificates could allow unauthorized access to devices or impersonation during secure communications. What’s even more concerning is that organizations that patched the vulnerability after the initial disclosure in 2022 might still be at risk if attackers gained access before the patch was applied.

****Belsen Group’s Motives and History****

While the Belsen Group appears to be new on the hacking forum scene, the leaked data suggests they’ve been around for at least three years. Researchers believe they were likely part of a group that exploited a zero-day vulnerability (CVE-2022-40684) in FortiGate firewalls in 2022. After potentially using or selling the access gained through the exploit, they’ve now resorted to leaking the data in 2025.

To mitigate risks arising from such leaks, it is essential to update all device and VPN credentials, especially those listed in the leaked data, and implement strong passwords. Audit and reconfigure firewalls to identify vulnerabilities and tighten access controls. Rotate compromised digital certificates to ensure secure communication.

Additionally, determine the timeline for patching CVE-2022-40684 in your organization, conduct forensic analysis on compromised devices, and monitor your network for unusual activity. These steps will help protect your network and reduce potential risks.

CloudSEK has created a useful resource for organizations to check if any network is part of the exposed IPs after analysing data, which is available here.

1. UNC5820 Exploits FortiManager Zero-Day Vulnerability
2. CISA and Fortinet Warns of New FortiOS Zero-Day Flaws
3. Hackers Exploiting 0-day Vulnerability in Fortinet Products
4. Hackers leak login credentials of vulnerable Fortinet SSL VPNs
5. Hackers dump login credentials of Fortinet VPN users in plain-text