Old Vulnerability (CVE-2022-40684) Leads to Massive FortiGate Data Breach, Exposing 15,000+ Devices

Filip Dimitrov

January 17, 2025

The Belsen Group, a newly surfaced threat actor, has leaked sensitive data from over 15,000 Fortinet FortiGate devices. The data was originally stolen in 2022 by exploiting the then zero-day vulnerability CVE-2022-40684 and was recently published on a Tor website, making it freely available.

The stolen data includes plaintext VPN credentials, configuration files, IP addresses, private keys, and firewall rules. 

Overview of CVE-2022-40684

The vulnerability, disclosed in October 2022, allowed attackers to bypass administrative authentication via specially crafted HTTP/HTTPS requests.

Affected firmware versions:

  • FortiOS: 7.0.0–7.0.6 and 7.2.0–7.2.1
  • FortiProxy: 7.0.0–7.0.6 and 7.2.0
  • FortiSwitchManager: 7.0.0 and 7.2.0

The exploitation involved adding a rogue super_admin account named fortigate-tech-support to compromised devices.

Leaked Data Details

A 1.6 GB archive organized by country and IP address contains:

  • config.conf files: Full FortiGate configurations, including private keys and firewall rules.
  • vpn-passwords.txt: Plaintext VPN credentials.

The countries with the most affected devices are Mexico (1,603), the USA (679), and Germany (208).

Operational Timeline

Data exfiltration occurred in October 2022, before the release of firmware patches. The leak was publicized over two years later in January 2025, providing attackers with a substantial window for exploitation.

Impact and Risks

  • Exposure of plaintext credentials and firewall rules poses significant risks to network integrity.
  • Even devices that have since been patched remain exposed if the leaked credentials and configurations were not changed after patching.
  • Private keys could enable man-in-the-middle attacks, while detailed firewall configurations offer attackers insights into network defenses.

Recommendations

OP Innovate recommends the following actions to mitigate the threat from CVE-2022-40684:

  1. Conduct an inventory to identify FortiGate devices affected by the vulnerability and update their firmware to secure versions:
    • FortiOS: 7.2.2 or higher
    • FortiProxy: 7.2.1 or higher
    • FortiSwitchManager: 7.2.1 or higher
  2. Rotate credentials for VPNs and administrative accounts on all FortiGate devices.
  3. Implement continuous monitoring for unauthorized access and configuration changes.
  4. Audit exposed configurations for potential backdoors or residual vulnerabilities.
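Steps 1 and 4 can be partly automated. The script below is an added example (not OP Innovate's or Fortinet's code): it checks a reported firmware version against the affected ranges listed above, and walks the `config system admin` block of an exported FortiGate configuration to flag any administrator account that is not on an expected list, such as the `fortigate-tech-support` account associated with this exploitation. The sample configuration is constructed for the example, and the block layout (`config system admin` / `edit "name"` / `set accprofile` / `next` / `end`) is assumed to match the device's CLI export format.

```python
import re

# Affected firmware ranges exactly as listed above, inclusive (major, minor, patch).
AFFECTED = {
    "FortiOS": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 1))],
    "FortiProxy": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 0))],
    "FortiSwitchManager": [((7, 0, 0), (7, 0, 0)), ((7, 2, 0), (7, 2, 0))],
}

def is_affected(product: str, version: str) -> bool:
    """True if product/version falls inside a range affected by CVE-2022-40684.
    Assumes a plain 'major.minor.patch' version string."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED[product])

def find_unexpected_admins(config_text: str, expected: set) -> list:
    """Walk the 'config system admin' block of a FortiGate config export and
    return (name, accprofile) for every admin account not in the expected set."""
    block = re.search(r"^config system admin\n(.*?)^end$", config_text, re.S | re.M)
    if not block:
        return []
    entries = re.findall(r'^\s*edit "([^"]+)"\n(.*?)^\s*next$', block.group(1), re.S | re.M)
    found = []
    for name, body in entries:
        prof = re.search(r'set accprofile "([^"]+)"', body)
        if name not in expected:
            found.append((name, prof.group(1) if prof else "(none)"))
    return found

# Constructed sample config: a legitimate "admin" plus the rogue account named above.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "fortigate-tech-support"
        set accprofile "super_admin"
    next
end
"""

if __name__ == "__main__":
    print("FortiOS 7.0.5 affected:", is_affected("FortiOS", "7.0.5"))
    print("Unexpected admins:", find_unexpected_admins(SAMPLE_CONFIG, {"admin"}))
```

An account that appears in the output should be cross-checked against change records before removal, since a legitimate but undocumented admin looks the same to the script as a planted one.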

For long-term resilience against similar threats, consider enforcing strong password and two-factor authentication policies.

Stay Secure. Stay Informed.

OP Innovate Research Team.