Security Advisory: Fortinet BreachForums Dump
Executive Summary
On January 14th, 2025, Beazley Security Labs observed an advertisement posted to the cybercrime community BreachForums offering a dump of configuration files and passwords from over 15,000 Fortinet network appliances.
On investigation, Beazley Security Labs confirmed that the leaked data contains the external IP addresses of Fortinet firewalls, passwords, and firewall configurations. The data is organized by country code, then by public IP address and management port.
Beazley Security Labs analyzed a sample of entries in the dataset and confirmed that the IP addresses and configuration data in the dump could be correlated by matching the model and serial numbers present in the dumped configurations against HTTP response headers recorded by Shodan, a widely used public search engine for internet-exposed devices. This correlation increases confidence that the data in the dump is legitimate. Clear-text username and password pairs were also found in files alongside the configuration files in most of the samples analyzed.
Security researcher Kevin Beaumont published an analysis (linked under Sources below) attributing the data collection behind this post to an older Fortinet vulnerability originally disclosed in 2022, CVE-2022-40684. That vulnerability is an authentication bypass that allows an unauthenticated attacker to perform operations on the administrative interface of a vulnerable Fortinet device via specially crafted HTTP or HTTPS requests. It was exploited in the wild and could be used to download configuration files from targeted devices.
At the time of this assessment, Beazley Security Labs cannot attribute the leaked Fortinet data to exploitation of CVE-2022-40684; however, given Kevin Beaumont's analysis, it cannot be discounted that this vulnerability was used as the initial access vector.
Firewalls appearing in this dump may already have been patched against CVE-2022-40684, since the vulnerability was made public in 2022. However, the dumped configurations contained parsed clear-text credentials in many of the samples evaluated, and if those credentials have not been rotated, opportunistic attackers could use them to gain initial access to perimeter devices.
Labs advises that any impacted organization immediately change its VPN and administrator passwords and ensure its devices are running the latest available FortiOS release. For devices that are not current on patches, Fortinet provides an online upgrade tool that gives the recommended upgrade path for each product model. Labs also recommends that administrative interfaces be placed on a network segment that is not reachable from the internet; ideally, management traffic to any network or security appliance should be permitted only from a dedicated management segment.
A list of impacted IP addresses is available for review in a public GitHub repository provided by “arsolutioner”. If a Fortinet management interface appears in that list, it is strongly recommended that all credentials be rotated, that management interfaces be removed from the internet, and that a forensic investigation be performed where possible.
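The following script is an added example written for this advisory, not Beazley Security's or Fortinet's code. It parses the CLI-style configuration that FortiGate appliances export (the same format found in the dumped files) and reports the two exposure conditions the recommendations above address: WAN-role interfaces that admit an administrative protocol, and admin accounts with no effective trusthost restriction. The sample configuration is constructed for illustration; its interface names, addresses and account names are assumptions, and the `role wan` check stands in for the more reliable test of whether the interface address is actually public.

```python
"""Flag internet-exposed management access in a FortiOS configuration.

Added example (not Beazley Security or Fortinet code). Parses FortiOS
config/edit/set/next/end blocks and reports:
  * interfaces with role "wan" that allow HTTP/HTTPS/SSH/Telnet admin access
  * admin accounts reachable from any source address (no trusthost, or an
    all-zero trusthost)
SAMPLE_CONFIG is constructed for illustration; names and addresses are made up.
"""
import shlex

ADMIN_PROTOCOLS = {"http", "https", "ssh", "telnet"}

SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set role wan
        set ip 203.0.113.10 255.255.255.248
        set allowaccess ping https ssh
    next
    edit "mgmt"
        set role lan
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC REDACTED
    next
    edit "noc"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
    edit "legacy"
        set accprofile "super_admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI config into nested dicts.

    'config <path>' and 'edit <name>' open a nested dict keyed by the path or
    name; 'set <key> <values...>' stores the value list on the innermost dict;
    'next' and 'end' close the innermost block. A 'config' block nested inside
    an 'edit' entry becomes a sub-dict of that entry.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        cmd, args = parts[0], parts[1:]
        top = stack[-1]
        if cmd in ("config", "edit"):
            stack.append(top.setdefault(" ".join(args), {}))
        elif cmd == "set" and args:
            top[args[0]] = args[1:]
        elif cmd == "unset" and args:
            top.pop(args[0], None)
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def exposed_admin_interfaces(cfg):
    """Return [(interface, [protocols])] for WAN-role interfaces that admit admin traffic."""
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        if iface.get("role") != ["wan"]:
            continue
        exposed = ADMIN_PROTOCOLS & set(iface.get("allowaccess", []))
        if exposed:
            findings.append((name, sorted(exposed)))
    return findings


def admins_without_trusthost(cfg):
    """Return admin accounts that any source address may attempt to log in to.

    An account is unrestricted if it has no trusthostN entries, or if every
    trusthostN entry is the all-zero network (0.0.0.0 0.0.0.0).
    """
    unrestricted = []
    for name, admin in cfg.get("system admin", {}).items():
        hosts = [v for k, v in admin.items() if k.startswith("trusthost")]
        if not hosts or all(v == ["0.0.0.0", "0.0.0.0"] for v in hosts):
            unrestricted.append(name)
    return sorted(unrestricted)


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for iface, protos in exposed_admin_interfaces(cfg):
        print(f"WAN interface {iface} allows admin access via {', '.join(protos)}")
    for admin in admins_without_trusthost(cfg):
        print(f"admin account {admin} has no trusthost restriction")
```

On the sample, `wan1` is reported for `https` and `ssh`, and the `admin` and `legacy` accounts are reported as unrestricted. The corresponding fix is to drop the admin protocols from the WAN interface's `allowaccess` list, keep them only on the management interface, and set `trusthostN` on every admin account to the management segment.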
Indicators of Compromise (IOC)
Indicators of compromise specific to exploitation of CVE-2022-40684 include event log entries showing the user “Local_Process_Access” downloading the local configuration, as shown in a screenshot on Fortinet’s PSIRT blog (linked under Sources below).
In that screenshot the log view is filtered on User = local_process_access, and the Message column shows system configuration files being downloaded.
Additional indicators of compromise related to CVE-2022-40684 can be found in the FortiGuard PSIRT advisory listed under Sources.
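The following script is an added example, not Fortinet's or Beazley Security's code. It parses FortiGate's key=value event log format and flags entries carrying the indicator named above (user “Local_Process_Access”) or recording a configuration download. It also flags the user-interface values “Node.js” and “Report Runner”; those are taken from Fortinet's published indicators for this CVE rather than from this page, so confirm them against the FortiGuard advisory in Sources before relying on them. The log lines are constructed for illustration: the field layout follows FortiGate event logs, but the logid values, addresses and timestamps are made up.

```python
"""Triage FortiGate event logs for CVE-2022-40684 indicators.

Added example (not Fortinet or Beazley Security code). Flags log lines where:
  * user is "Local_Process_Access" (the indicator shown on Fortinet's blog)
  * ui is "Node.js" or "Report Runner" (assumed from Fortinet's published IOCs)
  * the logdesc/msg text records a configuration download
SAMPLE_LOGS are constructed; logid values, hosts and times are made up.
"""
import re

# key=value pairs; quoted values may contain spaces, unquoted ones may not
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SUSPECT_USERS = {"local_process_access"}
SUSPECT_UIS = {"node.js", "report runner"}

SAMPLE_LOGS = [
    'date=2022-10-12 time=14:02:11 logid="0100044547" type="event" subtype="system" '
    'level="notice" vd="root" logdesc="Configuration download" user="Local_Process_Access" '
    'ui="Node.js" action="Download" msg="System config file has been downloaded"',
    'date=2022-10-12 time=14:05:40 logid="0100044546" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" '
    'user="Local_Process_Access" ui="Report Runner" action="Edit" cfgpath="system.admin" '
    'cfgobj="fortigate-tech-support" msg="Edit system.admin fortigate-tech-support"',
    'date=2022-10-12 time=15:00:02 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'ui="https(10.10.0.5)" action="login" msg="Administrator admin logged in successfully"',
]


def parse_log_line(line):
    """Split one FortiGate log line into a dict of field -> value."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in KV_RE.finditer(line)
    }


def flag_cve_2022_40684(lines):
    """Return one hit per suspicious line, listing the reasons it matched."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        reasons = []
        if rec.get("user", "").lower() in SUSPECT_USERS:
            reasons.append("user=" + rec["user"])
        if rec.get("ui", "").lower() in SUSPECT_UIS:
            reasons.append("ui=" + rec["ui"])
        text = (rec.get("logdesc", "") + " " + rec.get("msg", "")).lower()
        if "config" in text and "download" in text:
            reasons.append("config download")
        if reasons:
            hits.append({
                "date": rec.get("date"),
                "time": rec.get("time"),
                "reasons": reasons,
                "msg": rec.get("msg"),
            })
    return hits


if __name__ == "__main__":
    for hit in flag_cve_2022_40684(SAMPLE_LOGS):
        print(f"{hit['date']} {hit['time']}  {'; '.join(hit['reasons'])}  -> {hit['msg']}")
```

Run against exported event logs (one record per line), the script returns the first two sample lines and ignores the ordinary admin login. Treat hits as leads for triage rather than proof of compromise: the matching rules are deliberately broad, and the full indicator list and context belong to the FortiGuard advisory in Sources.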
Technical Details
The dump contained only stolen credentials and device configuration files. Nothing in that material allows the theft to be definitively attributed to CVE-2022-40684 at the time of this assessment.
How Beazley Security is Responding
Beazley Security is working with clients whose devices appear in the dataset to verify whether they are impacted and to determine next steps.
Sources
- https://www.rapid7.com/blog/post/2025/01/16/etr-fortinet-firewalls-hit-with-new-zero-day-attack-older-data-leak/
- https://doublepulsar.com/2022-zero-day-was-used-to-raid-fortigate-firewall-configs-somebody-just-released-them-a7a74e0b0c7f
- https://www.fortiguard.com/psirt/FG-IR-22-377
- https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684