Belsen Group Exposes Over 15,000 FortiGate Firewall Configurations


In a recent incident, more than 15,000 FortiGate firewall configurations were leaked by a threat actor calling itself the Belsen Group (also written Belsen_Group). The leak is a global concern: a device's full configuration hands an attacker the material needed to reach the network behind it and the sensitive data on it. The affected organizations are concentrated in the US, UK, Poland, Belgium, France, Spain, Malaysia, the Netherlands, Thailand, and Saudi Arabia.

According to research by CloudSEK's contextual AI digital risk platform XVigil, the Belsen Group exploited CVE-2022-40684, then a zero-day, in 2022 to breach the FortiGate devices and extract their configurations. The leaked data includes usernames, passwords (some in plain text), device management digital certificates, and firewall rules. Together these give an attacker credentials to log in, a map of what is reachable, and the means to bypass the controls the firewall was enforcing.

The exposure of usernames and passwords, especially in plain text, is the most immediate risk: the credentials can be used directly against the devices and against any internal systems that share them. Patching CVE-2022-40684 in 2022 closed the entry point, but it does not revoke credentials or certificates that had already been extracted, and because the bug was exploited as a zero-day, a device that was unpatched during the exploitation window must be treated as potentially compromised rather than assumed clean. The leaked configurations also reveal internal network structure (interfaces, addresses, policies), which helps an attacker pick targets and find gaps in the rule set.

Leaked digital certificates compound the risk: with the device's certificates and keys an attacker can impersonate it during secure communications or gain unauthorized access to it. Organizations that applied the patch after the initial disclosure in 2022 may still be at risk if attackers had already harvested their configuration before the patch went in.

Although the Belsen Group only recently appeared on hacking forums, the leaked data indicates it has been active for at least three years: the configurations appear to have been harvested via CVE-2022-40684 in 2022 and published in 2025. To mitigate the risk from such a leak, organizations are advised to rotate all device and VPN credentials (administrator accounts, local users, pre-shared keys), enforce stronger passwords, audit firewall rules and reconfigure anything the leaked config would let an attacker exploit, and replace the exposed digital certificates.

Organizations should also establish when each device was patched relative to the 2022 exploitation window, perform forensic analysis on any device that was exposed before patching, and monitor network activity for anomalies. CloudSEK has published a resource that lets organizations check whether their IP addresses are among those exposed.
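
As an added example for the response steps above (not CloudSEK's or Fortinet's tooling, and run against a constructed sample config rather than any leak data), the following Python script walks a configuration in FortiOS CLI syntax (config / edit / set / next / end), inventories every secret a responder must rotate, flags those stored in the clear rather than as ENC blobs, and reports which interface addresses appear in an exposed-IP set. The sample config, the attribute names treated as secrets, and the exposed-IP set are assumptions for illustration.

```python
"""Post-leak triage of a FortiGate configuration dump (added example)."""
from dataclasses import dataclass

# FortiOS attributes whose values are secrets that need rotation after a leak (assumed set).
SECRET_KEYS = {"password", "passwd", "psksecret", "private-key"}

# Constructed sample in FortiOS CLI syntax; not from a real device or from the leak.
SAMPLE_CONFIG = """\
config system global
    set hostname "edge-fw-01"
end
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.248
    next
    edit "lan"
        set ip 10.10.0.1 255.255.255.0
    next
end
config system admin
    edit "admin"
        set password ENC SH2abcdefghijklmnopqrstuvwxyz0123456789ABCDEF
        set trusthost1 10.10.0.0 255.255.255.0
    next
    edit "backup-admin"
        set password Winter2022!
    next
end
config user local
    edit "vpn-alice"
        set type password
        set passwd ENC SH2zyxwvutsrqponmlkjihgfedcba9876543210ZYXWVU
    next
end
config vpn ipsec phase1-interface
    edit "to-branch"
        set psksecret branch-shared-key
    next
end
config vpn certificate local
    edit "Fortinet_Factory"
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI
-----END ENCRYPTED PRIVATE KEY-----"
    next
end
"""


@dataclass
class Finding:
    path: str        # enclosing blocks, e.g. "system admin / backup-admin"
    key: str         # attribute holding the secret
    plaintext: bool  # True when the value is stored in the clear


def _logical_lines(text):
    """Yield config lines, joining quoted values that span several lines
    (certificate PEM blocks are emitted this way)."""
    buf = []
    for raw in text.splitlines():
        buf.append(raw)
        joined = "\n".join(buf)
        if joined.count('"') % 2 == 0:   # quotes balanced: statement complete
            yield joined.strip()
            buf = []
    if buf:                              # unbalanced quote at EOF: keep, don't drop
        yield "\n".join(buf).strip()


def _walk(text):
    """Yield (path, key, value) for every 'set' line, tracking config/edit nesting."""
    stack = []
    for line in _logical_lines(text):
        if line.startswith("config "):
            stack.append(line[len("config "):].strip())
        elif line.startswith("edit "):
            stack.append(line[len("edit "):].strip().strip('"'))
        elif line in ("next", "end"):
            if stack:                    # tolerate a truncated or malformed dump
                stack.pop()
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            yield " / ".join(stack), key, value.strip()


def secret_findings(text):
    """All secret-bearing attributes. ENC blobs and encrypted PEM keys are not
    stored in the clear, but everything in a leaked config still needs rotation."""
    out = []
    for path, key, value in _walk(text):
        if key in SECRET_KEYS:
            protected = value.startswith("ENC ") or "ENCRYPTED PRIVATE KEY" in value
            out.append(Finding(path, key, plaintext=not protected))
    return out


def plaintext_findings(text):
    return [f for f in secret_findings(text) if f.plaintext]


def interface_ips(text):
    """Interface name -> address, from 'config system interface'."""
    ips = {}
    for path, key, value in _walk(text):
        if path.startswith("system interface / ") and key == "ip":
            ips[path.split(" / ")[1]] = value.split()[0]
    return ips


def exposed_interfaces(text, exposed_ips):
    """Interfaces whose address is in the exposed-IP set (e.g. CloudSEK's list)."""
    return {n: ip for n, ip in interface_ips(text).items() if ip in exposed_ips}


if __name__ == "__main__":
    for f in secret_findings(SAMPLE_CONFIG):
        print(("PLAINTEXT " if f.plaintext else "rotate    ") + f"{f.path}: {f.key}")
    # Constructed stand-in for the published exposed-IP list.
    print("exposed:", exposed_interfaces(SAMPLE_CONFIG, {"203.0.113.10"}))
```

The rotation list is every finding, not just the plaintext ones: an ENC value was protected by the device, not by the organization, and a leaked device is exactly the case where that protection cannot be relied on.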

The Belsen Group's publication of FortiGate configurations is a reminder that a patch closes a door but does not undo what was taken through it. Organizations must rotate what was exposed, review what the leak reveals about their networks, and keep watching for the follow-on activity such a dataset invites.
