A new hacking group called Belsen Group has dumped data containing IP addresses, firewall configurations, and plaintext VPN credentials from over 15,000 FortiGate firewalls. This breach is particularly alarming for MSPs and IT professionals who rely on FortiGate firewalls to secure client environments.
Key Takeaways:
- Over 54% of the compromised firewalls are still online and accessible as of January 2025.
- The breach is linked to CVE-2022-40684, a critical authentication bypass vulnerability that attackers exploited to steal firewall configurations.
Here’s a closer look at what happened, the risks involved, and how MSPs and IT professionals can protect their networks.
Background and Timeline
Who is the Belsen Group?
A relatively new cybercriminal group recently leaked 1.6GB of FortiGate firewall configurations, organized by country and IP address.
How Was the Data Obtained?
Cybersecurity researcher Kevin Beaumont linked this attack to CVE-2022-40684, a critical authentication bypass zero-day vulnerability disclosed by Fortinet in October 2022. Attackers exploited this flaw to extract configuration files and steal credentials.
Why Does It Matter Now?
Even though this data dates back to 2022, firewall configurations often remain unchanged unless an organization has actively responded to a known breach and rotated its login credentials. This means that credentials and firewall rules captured in 2022 could still be valid today.
Scope of Exposure
Major Findings:
- 54% of the leaked IPs remain online and reachable (as of January 2025).
- 33% of these IPs still expose FortiGate login interfaces.
- A community-driven GitHub repository is tracking the leaked IPs:
🔗 Leaked IP List
How to Check If You’re Affected
1. Compare Your IP Addresses
Check your IP inventory against the leaked IP list:
🔗 Leaked IP List
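A simple way to do the comparison in step 1, as an added example that is not part of the original post: the script below matches an inventory of your public FortiGate addresses (single IPs or CIDR blocks) against a leaked-IP list. Both inputs here are constructed sample data; the leaked-list format (one address per line, comments allowed) is an assumption, so adapt the parser to the actual file you download.

```python
"""Match a firewall address inventory against a leaked-IP list."""
import ipaddress

# Constructed sample leak list (replace with the real downloaded file).
LEAKED_LIST = """
# country: XX  -- comment lines and blanks are ignored
203.0.113.10
203.0.113.250
198.51.100.7
not-an-ip
"""

# Constructed sample inventory: the public addresses you manage,
# as single IPs or CIDR blocks.
INVENTORY = """
203.0.113.0/24
198.51.100.7
192.0.2.44
"""

def _clean_lines(text):
    """Yield non-empty lines with trailing '#' comments stripped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def parse_leaked_ips(text):
    """Return the set of valid IPv4/IPv6 addresses, skipping malformed entries."""
    ips = set()
    for line in _clean_lines(text):
        try:
            ips.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # junk line in the list: ignore it rather than abort the check
    return ips

def parse_inventory(text):
    """Return ip_network objects; bare IPs become /32 (or /128) networks."""
    return [ipaddress.ip_network(line, strict=False) for line in _clean_lines(text)]

def find_matches(leaked, inventory):
    """Map each inventory entry to the leaked addresses that fall inside it."""
    hits = {}
    for net in inventory:
        matched = sorted(ip for ip in leaked if ip.version == net.version and ip in net)
        if matched:
            hits[str(net)] = [str(ip) for ip in matched]
    return hits

if __name__ == "__main__":
    hits = find_matches(parse_leaked_ips(LEAKED_LIST), parse_inventory(INVENTORY))
    for net, ips in hits.items():
        print(f"{net}: {', '.join(ips)}  <- rotate credentials and review the config")
    if not hits:
        print("no inventory address appears in the leaked list")
```

Any hit means the device's 2022-era configuration and credentials should be treated as exposed and the remediation steps below applied to it first.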
2. Guardz Trial Users Get a Free Check
Guardz offers a free vulnerability assessment during its trial period. We’ll check if your organization appears in the leaked data and provide Dark Web monitoring to detect other breaches.
Recommended Remediations
1. Patch & Update Immediately
- For FortiOS 7.0.x → Update to 7.0.16+
- For FortiOS 7.2.x → Update to 7.2.12+
- For CVE-2024-55591 → Follow Fortinet’s guidance to upgrade to 7.0.17+ or 7.2.13+
2. Rotate Credentials
- Immediately change all FortiGate passwords.
- Enforce multi-factor authentication (MFA) on all remote-access VPNs and admin portals.
3. Remove Public-Facing Admin Pages
- Restrict management interfaces to internal networks or secure VPN connections.
- Exposing admin interfaces to the public internet makes them easy targets for brute-force attacks and zero-day exploits.
4. Monitor for Unauthorized Activity
- Review firewall logs for suspicious logins or configuration changes.
- Track inbound connections from unknown or suspicious IP addresses.
How Guardz Supports You
1. Free Leak & Dark Web Checks
During our trial, we scan for any leaked IPs or credentials associated with your organization. We also provide Dark Web monitoring to stay ahead of new threats.
2. Actionable Insights
Our platform offers step-by-step remediation guidance, including:
- Enforced password resets.
- Security configuration suggestions, such as MFA enforcement.
Conclusion
This FortiGate firewall breach highlights the urgent need for proactive cybersecurity measures. Even though this stolen data is from 2022, many organizations haven’t refreshed credentials or firewall settings, leaving them exposed.
If you suspect your FortiGate devices have been compromised—or if you want expert guidance on securing your infrastructure—reach out to Guardz.
We’re here to help you navigate this breach, protect your assets, and keep your clients’ networks secure.
💡 Stay safe,
The Guardz Team
Written by
Jordan is a Cybersecurity Content Creator and community builder. He has written for many cybersecurity companies and knows more stats about a data breach than IBM.