Fortinet Firewall Customers Face Two Cyber Threats


Rapid7 is investigating two separate events affecting Fortinet firewall customers: zero-day exploitation of CVE-2024-55591, and a dark web post from a threat actor who appears to have published IPs, passwords, and configuration data from 15,000 FortiGate firewalls.

On Wednesday, January 15, 2025, a threat actor named Belsen Group published a trove of Fortinet FortiGate firewall data on the dark web, allegedly from 15,000 organisations. The data released included IP addresses, passwords, and firewall configuration information. It is a potentially significant risk for organisations whose data was leaked.

Security researcher Kevin Beaumont has an initial analysis of the leaked data, along with his assessment that the data leaked this week appears to be from 2022. After Rapid7 conducted its own outreach to potentially affected organisations, the cybersecurity company has also confirmed that at least some of the leaked data originated from 2022 incidents where customer firewalls were compromised. Based on Beaumont’s analysis and observations from Rapid7’s investigations, it’s likely that the data dump published by the threat actor contains primarily or entirely older data.

Rapid7 has not attributed the data leak to a specific CVE at this time. Beaumont said his observations from incident responses indicate that CVE-2022-40684 (a Fortinet firewall zero-day flaw from 2022) may have been the initial access vector that allowed for the large-scale firewall data leak.

Separately, on January 14, 2025, Fortinet disclosed CVE-2024-55591, a new zero-day vulnerability affecting FortiOS and FortiProxy. Security firm Arctic Wolf had previously published a blog on threat activity targeting Fortinet firewall management interfaces exposed to the public internet, saying that a zero-day vulnerability is likely, but an initial access vector had not been confirmed.

According to Arctic Wolf, the campaign “involved unauthorised administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes.”

Fortinet’s advisory for CVE-2024-55591 includes indicators of compromise and notes that the vulnerability was reported as exploited in the wild at the time of disclosure. No individual or firm is explicitly credited with discovering the vulnerability in Fortinet’s advisory, and Fortinet has not confirmed that CVE-2024-55591 is the zero-day vulnerability Arctic Wolf speculated was being leveraged in the threat activity it observed.

Rapid7 MDR threat hunters have observed activity from IP addresses publicly attributed to the threat campaign targeting CVE-2024-55591. However, the team has so far only noted connections consistent with scanning or reconnaissance activity and not exploitation.

Zero-day vulnerabilities in Fortinet FortiOS, the operating system that runs on FortiGate firewalls, have been a relatively common occurrence in recent years and have been leveraged in various financially motivated, state-sponsored, and other attacks. In addition to CVE-2024-55591, prominent FortiOS zero-day flaws have included:

  • CVE-2024-21762, an out-of-bounds write disclosed February 2024;
  • CVE-2023-27997, a heap-based buffer overflow disclosed June 2023;
  • CVE-2022-42475, a heap-based buffer overflow disclosed December 2022;
  • CVE-2022-40684, an authentication bypass (CWE-288) disclosed October 2022; and
  • CVE-2018-13379, while not a zero-day, was disclosed in 2019 and allowed attackers to download SSL-VPN system files and steal credentials. It was consistently exploited in the years following disclosure despite a wide range of warnings and publicly available information on known threat activity.

Like CVE-2022-40684, CVE-2024-55591 is an authentication bypass using an alternate path or channel (CWE-288). While it does not currently appear likely that CVE-2024-55591 is the vulnerability that enabled the collection and release of FortiGate firewall configuration data on January 15, 2025, the vulnerability is nevertheless being exploited in the wild and should be treated with urgency.

According to Fortinet’s advisory, the following products and versions are vulnerable to CVE-2024-55591:

  • Fortinet FortiOS 7.0.0 through 7.0.16 (fixed in 7.0.17 or above);
  • Fortinet FortiProxy 7.2.0 through 7.2.12 (fixed in 7.2.13 or above); and
  • Fortinet FortiProxy 7.0.0 through 7.0.19 (fixed in 7.0.20 or above).

Per Fortinet, other versions of FortiOS (6.4, 7.2, 7.4, 7.6) and FortiProxy (2.0, 7.4, 7.6) are not affected.
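The following is an added example, not code from Rapid7 or Fortinet: it encodes the affected ranges listed above so an exported device inventory can be triaged for CVE-2024-55591 exposure. Hostnames and version strings in the sample inventory are constructed, and the "v7.2.5 build1234" style is an assumption about how a version may appear in an export.

```python
# Added example (not from the Rapid7 article or Fortinet): flags FortiOS /
# FortiProxy builds inside the affected ranges Fortinet published for
# CVE-2024-55591, so an inventory export can be triaged quickly.

# (product, branch) -> (first affected, last affected, first fixed),
# transcribed from the advisory ranges quoted in the article.
AFFECTED = {
    ("FortiOS", (7, 0)):    ((7, 0, 0), (7, 0, 16), (7, 0, 17)),
    ("FortiProxy", (7, 2)): ((7, 2, 0), (7, 2, 12), (7, 2, 13)),
    ("FortiProxy", (7, 0)): ((7, 0, 0), (7, 0, 19), (7, 0, 20)),
}

def parse_version(text: str) -> tuple:
    """Turn '7.0.16' or 'v7.0.16 build0667' into a comparable (major, minor, patch)."""
    core = text.strip().lstrip("vV").split()[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def assess(product: str, version: str) -> dict:
    """Report whether this build is in an affected range and the fix target."""
    v = parse_version(version)
    entry = AFFECTED.get((product, v[:2]))
    if entry is None:
        # Branch not listed as affected (e.g. FortiOS 7.2/7.4/7.6, FortiProxy 7.4).
        return {"vulnerable": False, "upgrade_to": None}
    first, last, fixed = entry
    vulnerable = first <= v <= last
    return {"vulnerable": vulnerable,
            "upgrade_to": ".".join(map(str, fixed)) if vulnerable else None}

def triage(inventory: list) -> list:
    """(hostname, product, version) rows -> (hostname, upgrade target) for affected devices."""
    hits = []
    for host, product, version in inventory:
        result = assess(product, version)
        if result["vulnerable"]:
            hits.append((host, result["upgrade_to"]))
    return hits

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.0.16"),
    ("fw-edge-02", "FortiOS", "7.0.17"),
    ("fw-dc-01",   "FortiOS", "7.2.10"),
    ("px-web-01",  "FortiProxy", "v7.2.5 build1234"),
    ("px-web-02",  "FortiProxy", "7.4.1"),
]

if __name__ == "__main__":
    for host, target in triage(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to {target} or later")
```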

Customers should update to a fixed version immediately, without waiting for a regular patch cycle to occur, and review Fortinet’s indicators of compromise to aid investigations into suspicious activity. Indicators include examples of administrative or local users added by adversaries.
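As an added example (not from the article, Arctic Wolf or Fortinet), the detection below correlates the chain described earlier, a newly added administrative or local user followed by an SSL VPN login with that account, over event logs. The key=value log lines are constructed and the field names (cfgpath, cfgobj, ui, remip, ssl-login) are assumptions loosely modelled on FortiGate event-log style; map them to the real field names of your log source before use.

```python
# Added example (not from the article, Arctic Wolf or Fortinet): flag SSL VPN
# logins by accounts that were created shortly before. The log format is
# CONSTRUCTED and only loosely modelled on FortiGate event logs.
import re
from datetime import datetime, timedelta

# Matches key="quoted value" or key=bare_value pairs.
KV = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')

def parse_line(line: str) -> dict:
    """Parse key=value pairs (quoted or bare) into a dict."""
    out = {}
    for m in KV.finditer(line):
        key = m.group(1) or m.group(3)
        out[key] = m.group(2) if m.group(1) else m.group(4)
    return out

def correlate(lines, window=timedelta(hours=24)) -> list:
    """Return alerts for SSL VPN logins by accounts added within `window` before the login."""
    created = {}   # account name -> (creation time, creating admin, admin UI/source)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        ts = datetime.fromisoformat(f"{ev['date']}T{ev['time']}")
        if ev.get("action") == "Add" and ev.get("cfgpath") in ("system.admin", "user.local"):
            created[ev["cfgobj"]] = (ts, ev.get("user"), ev.get("ui"))
        elif ev.get("subtype") == "vpn" and ev.get("action") == "ssl-login":
            hit = created.get(ev.get("user"))
            if hit and timedelta(0) <= ts - hit[0] <= window:
                alerts.append({"account": ev["user"], "created_by": hit[1],
                               "created_from": hit[2], "login_from": ev.get("remip"),
                               "minutes_after_creation": int((ts - hit[0]).total_seconds() // 60)})
    return alerts

# Constructed sample log lines (IPs, names and timestamps are made up).
SAMPLE_LOGS = [
    'date=2025-01-14 time=02:11:05 type="event" subtype="system" user="admin" ui="GUI(198.51.100.7)" action="Add" cfgpath="system.admin" cfgobj="svcacct" msg="Add system.admin svcacct"',
    'date=2025-01-14 time=02:13:40 type="event" subtype="system" user="admin" ui="GUI(198.51.100.7)" action="Add" cfgpath="user.local" cfgobj="vpnuser2" msg="Add user.local vpnuser2"',
    'date=2025-01-14 time=02:20:12 type="event" subtype="vpn" user="vpnuser2" remip=203.0.113.9 action="ssl-login" msg="SSL VPN login"',
    'date=2025-01-14 time=09:00:00 type="event" subtype="vpn" user="alice" remip=192.0.2.44 action="ssl-login" msg="SSL VPN login"',
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Accounts that were added but never used for SSL VPN (svcacct above) produce no alert here; they are still worth reviewing against Fortinet's published indicators.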

Customers should also ensure that firewall management interfaces are not exposed to the public internet and limit IP addresses that can reach administrative interfaces. If your organisation was impacted by the January 15, 2025 FortiGate firewall data leak, you should change administrative and local user passwords immediately. FortiOS also supports multi-factor authentication for local user accounts, which Rapid7 strongly recommends implementing.
