What MSPs Need to Know About the FortiGate Leaked Credentials

A new hacking group called Belsen Group has dumped data containing IP addresses, firewall configurations, and plaintext VPN credentials from over 15,000 FortiGate firewalls. This breach is particularly alarming for MSPs and IT professionals who rely on FortiGate firewalls to secure client environments.

Key Takeaways:

  • Over 54% of the compromised firewalls are still online and accessible as of January 2025.
  • The breach is linked to CVE-2022-40684, a critical authentication bypass that attackers exploited in 2022 to pull full configuration files, credentials included, from exposed devices.

Here’s a closer look at what happened, the risks involved, and how MSPs and IT professionals can protect their networks.


Background and Timeline

Who is the Belsen Group?

A relatively new cybercriminal group that recently leaked 1.6 GB of FortiGate firewall configurations, organized by country and IP address.

How Was the Data Obtained?

Cybersecurity researcher Kevin Beaumont linked the dump to CVE-2022-40684, a critical authentication bypass disclosed by Fortinet as an exploited zero-day in October 2022. The flaw let an unauthenticated attacker reach the administrative interface and run management requests, which is how the configuration files, and the credentials inside them, were extracted.

Why Does It Matter Now?

Even though this data dates back to 2022, firewall configurations often remain unchanged unless an organization actively responded to the original incident and rotated its credentials. Admin passwords, VPN user credentials and firewall rules captured in 2022 may therefore still be valid today, and even where passwords have since changed, the configuration still hands an attacker the internal addressing, rule set and VPN topology of the network behind the device.


Scope of Exposure

Major Findings:

  • 54% of the leaked IPs remain online and reachable (as of January 2025).
  • 33% of these IPs still expose FortiGate login interfaces.
  • A community-driven GitHub repository is tracking the leaked IPs:
    🔗 Leaked IP List

How to Check If You’re Affected

1. Compare Your IP Addresses

Check every public address your FortiGates use (primary and secondary WAN addresses, and any dedicated management address) against the leaked IP list. Note that absence from the list is not proof of safety: addresses change, and a device behind NAT in 2022 may be listed under an address you no longer recognise.
🔗 Leaked IP List
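The comparison above is a set-membership check that is easy to get wrong when an inventory mixes single addresses with CIDR blocks. The following script is an added example, not Guardz's tooling or the GitHub repository's code; it assumes the leaked list is one entry per line with optional `ip:port` suffixes and `#` comments, and both the list and the client inventory below are constructed from documentation address ranges.

```python
import ipaddress

# Constructed sample of a leaked-IP list. The real list is community-maintained
# on GitHub; its exact format is assumed here: one entry per line, optional
# "ip:port" suffix, "#" comments. Addresses are RFC 5737/3849 documentation ranges.
LEAKED_LIST = """\
# country=XX
203.0.113.10
203.0.113.77:10443
198.51.100.5
2001:db8::1
not-an-ip
"""

# Constructed MSP inventory: client name -> public addresses and/or CIDR blocks.
INVENTORY = {
    "client-a": ["203.0.113.10", "192.0.2.0/24"],
    "client-b": ["198.51.100.0/28"],
    "client-c": ["192.0.2.200"],
}


def parse_leaked_list(text):
    """Return the set of ip_address objects in a leaked list, skipping junk lines."""
    addrs = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.count(":") == 1:          # IPv4 "addr:port"; IPv6 literals have more colons
            line = line.split(":", 1)[0]
        try:
            addrs.add(ipaddress.ip_address(line))
        except ValueError:
            continue                      # malformed entry: skip it, don't abort the check
    return addrs


def find_exposed(inventory, leaked):
    """Map each client to the leaked addresses that fall inside its inventory.

    Single addresses become /32 (or /128) networks, so one membership test
    covers both host entries and CIDR blocks. Version mismatches (v4 address
    against v6 network) are simply False in ipaddress, so mixed lists are safe.
    """
    hits = {}
    for client, entries in inventory.items():
        nets = [ipaddress.ip_network(e, strict=False) for e in entries]
        matched = sorted(str(a) for a in leaked if any(a in n for n in nets))
        if matched:
            hits[client] = matched
    return hits


if __name__ == "__main__":
    for client, addrs in find_exposed(INVENTORY, parse_leaked_list(LEAKED_LIST)).items():
        print(f"{client}: {', '.join(addrs)}  <- treat config and credentials as leaked")
```

Run it against your real inventory export and the downloaded list; any client it prints should go straight to the remediation steps below regardless of whether the device has since been patched.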

2. Guardz Trial Users Get a Free Check

Guardz offers a free vulnerability assessment during its trial period. We’ll check if your organization appears in the leaked data and provide Dark Web monitoring to detect other breaches.


Recommended Remediations

1. Patch & Update Immediately

  • CVE-2022-40684, the bypass used to harvest these configurations, was fixed in FortiOS 7.0.7 and 7.2.2 (Fortinet advisory FG-IR-22-377). A device still on an earlier build is not just in the leak; it is still exploitable today.
  • Beyond that, run the current patch release of your branch: FortiOS 7.0.x → 7.0.16 or later; FortiOS 7.2.x → 7.2.12 or later.
  • For CVE-2024-55591 → follow Fortinet's guidance (FG-IR-24-535) and upgrade to 7.0.17+ or 7.2.13+.
  • Patching closes the hole but does nothing about secrets copied in 2022. A fully patched device whose credentials were never rotated is still open to anyone holding the dump.

2. Rotate Credentials

  • Treat the 2022 configuration as fully known to the attacker. Change every FortiGate administrator password and every credential stored in the configuration, including the VPN user accounts whose passwords appeared in plaintext in the leak, plus any other secrets the configuration references, such as IPsec pre-shared keys and LDAP/RADIUS bind passwords.
  • Enforce multi-factor authentication (MFA) on all remote-access VPNs and admin portals, so that a leaked password alone no longer grants access.

3. Remove Public-Facing Admin Pages

  • Restrict management interfaces to internal networks or secure VPN connections: remove HTTP/HTTPS/SSH from the allowed access on WAN interfaces, and bind each admin account to trusted source addresses (trusthosts).
  • Exposing admin interfaces to the public internet makes them easy targets for brute-force attacks and zero-day exploits. CVE-2022-40684 could only be exploited on devices whose management interface was reachable, which is exactly why the dump contains so many configurations.
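An MSP with hundreds of configuration backups needs to find these exposures without opening each device. The audit below is an added example, not Guardz's product or Fortinet's code: it parses the `config` / `edit` / `set` / `next` / `end` backup syntax, flags WAN interfaces that allow management protocols and admin accounts without a trusthost, and emits the FortiOS CLI that corrects each finding. The sample configuration is constructed, the management network `10.10.0.0/16` is an assumed value, and tables with no `edit` entries and sub-tables nested inside an entry are deliberately not modelled.

```python
import shlex

MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}     # remote-administration protocols
MGMT_NET = ("10.10.0.0", "255.255.0.0")                 # assumed management network for trusthosts

# Constructed FortiOS configuration excerpt (not a real or leaked config).
# wan1 exposes HTTPS and SSH administration; "backup-admin" has no trusthost.
SAMPLE_CONFIG = """\
# constructed excerpt for the audit below
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh fgfm
        set role wan
    next
    edit "internal"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set role lan
        config ipv6
            set ip6-allowaccess ping
        end
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.0.0
    next
    edit "backup-admin"
        set accprofile "super_admin"
    next
end
"""


def parse_fortios(text):
    """Parse backup syntax into {table: {entry: {key: [values]}}}.

    Sub-tables nested inside an entry (e.g. 'config ipv6') are skipped so their
    'end' does not close the outer table; entry-less tables are not modelled.
    """
    tree, table, entry, nested = {}, None, None, 0
    for raw in text.splitlines():
        try:
            tok = shlex.split(raw, comments=True)
        except ValueError:                    # unbalanced quote: ignore the line
            continue
        if not tok:
            continue
        if nested:                            # inside a sub-table: track depth only
            nested += tok[0] == "config"
            nested -= tok[0] == "end"
            continue
        if tok[0] == "config":
            if table is None:
                table = " ".join(tok[1:])
                tree.setdefault(table, {})
            else:
                nested = 1
        elif tok[0] == "edit" and table is not None:
            entry = tok[1]
            tree[table].setdefault(entry, {})
        elif tok[0] == "set" and entry is not None:
            tree[table][entry][tok[1]] = tok[2:]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            table = None
    return tree


def audit(tree):
    """Return findings with the corrective CLI for each weak setting found."""
    findings = []
    for name, iface in tree.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(iface.get("allowaccess", []))
        if exposed and iface.get("role", ["undefined"])[0] == "wan":
            keep = [p for p in iface["allowaccess"] if p not in MGMT_PROTOCOLS]
            setline = f"set allowaccess {' '.join(keep)}" if keep else "unset allowaccess"
            findings.append({
                "object": f"interface {name}",
                "issue": f"{sorted(exposed)} administration reachable on a WAN interface",
                "fix": f'config system interface\n    edit "{name}"\n        {setline}\n    next\nend',
            })
    for name, adm in tree.get("system admin", {}).items():
        if not any(k.startswith(("trusthost", "ip6-trusthost")) for k in adm):
            findings.append({
                "object": f"admin {name}",
                "issue": "no trusthost: logins accepted from any source address",
                "fix": f'config system admin\n    edit "{name}"\n        set trusthost1 {MGMT_NET[0]} {MGMT_NET[1]}\n    next\nend',
            })
    return findings


if __name__ == "__main__":
    for f in audit(parse_fortios(SAMPLE_CONFIG)):
        print(f"{f['object']}: {f['issue']}\n{f['fix']}\n")
```

The check is deliberately role-based: an interface with `set role wan` that still lists `https` or `ssh` is the pattern behind most of the 33% of leaked devices that remain exposed. Interfaces whose role was never set will not be flagged, so pair this with the IP check above rather than relying on it alone.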

4. Monitor for Unauthorized Activity

  • Review firewall logs for suspicious logins or configuration changes.
  • Track inbound connections from unknown or suspicious IP addresses.
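Reviewing logs means deciding in advance which events matter. The script below is an added example, not Guardz's detection content or Fortinet's code. It parses FortiOS event-log lines in their key=value form and raises four alerts: the `user="Local_Process_Access"` with `ui="Node.js"` or `"Report Runner"` pairing that Fortinet published as an indicator of CVE-2022-40684 exploitation, successful admin logins from outside an assumed management network (`10.10.0.0/16`), a burst of failed admin logins from one source, and any change to administrator accounts. The log lines are constructed; field names follow the device's format, but hostnames, addresses, account names and log IDs are illustrative values.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

TRUSTED_MGMT = [ipaddress.ip_network("10.10.0.0/16")]      # assumed management network
IOC_USER, IOC_UI = "Local_Process_Access", {"Node.js", "Report Runner"}  # Fortinet's CVE-2022-40684 indicator
FAILED_THRESHOLD, FAILED_WINDOW = 3, timedelta(minutes=5)   # brute-force rule tuning

# Constructed FortiOS event-log lines (key=value format; values are illustrative).
SAMPLE_LOGS = """\
date=2025-01-16 time=03:12:44 devname="FGT-CLIENT-A" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(203.0.113.99)" method="https" srcip=203.0.113.99 action="login" status="success" msg="Administrator admin logged in successfully from https(203.0.113.99)"
date=2025-01-16 time=03:12:51 devname="FGT-CLIENT-A" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.99)" action="Add" cfgpath="system.admin" cfgobj="support" msg="Add system.admin support"
date=2025-01-16 time=09:00:02 devname="FGT-CLIENT-A" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="msp-admin" ui="https(10.10.0.25)" method="https" srcip=10.10.0.25 action="login" status="success" msg="Administrator msp-admin logged in successfully from https(10.10.0.25)"
date=2025-01-16 time=11:40:10 devname="FGT-CLIENT-A" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="Local_Process_Access" ui="Node.js" action="Add" cfgpath="system.admin" cfgobj="fortigate-tech-support" msg="Add system.admin fortigate-tech-support"
date=2025-01-16 time=12:00:01 devname="FGT-CLIENT-A" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" method="https" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(198.51.100.7) because of invalid password"
date=2025-01-16 time=12:00:03 devname="FGT-CLIENT-A" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" method="https" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(198.51.100.7) because of invalid password"
date=2025-01-16 time=12:00:05 devname="FGT-CLIENT-A" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" method="https" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(198.51.100.7) because of invalid password"
"""

# key=value pairs; quoted values may contain spaces and escaped quotes
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Split one FortiOS log line into a dict, unquoting quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def stamp(rec):
    return datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")


def triage(text):
    """Apply the four detections to log text; alerts come back in log order."""
    alerts, failed = [], defaultdict(list)

    def alert(rec, rule):
        alerts.append({"time": stamp(rec), "rule": rule, "user": rec.get("user"),
                       "ui": rec.get("ui"), "msg": rec.get("msg")})

    for line in text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        # 1. Published exploitation indicator: internal pseudo-user acting through Node.js / Report Runner.
        if r.get("user") == IOC_USER and r.get("ui") in IOC_UI:
            alert(r, "ioc-cve-2022-40684")
        # 2 and 3. Admin logins: success from an untrusted source, or repeated failures from one source.
        if r.get("action") == "login" and "srcip" in r:
            src = ipaddress.ip_address(r["srcip"])
            if r.get("status") == "success" and not any(src in n for n in TRUSTED_MGMT):
                alert(r, "admin-login-untrusted-src")
            elif r.get("status") == "failed":
                ts = stamp(r)
                window = [t for t in failed[r["srcip"]] if ts - t <= FAILED_WINDOW] + [ts]
                failed[r["srcip"]] = window
                if len(window) >= FAILED_THRESHOLD:
                    alert(r, "admin-login-bruteforce")
                    failed[r["srcip"]] = []       # reset so one burst yields one alert
        # 4. Any administrator-account change, whoever made it.
        if r.get("cfgpath") == "system.admin" and r.get("action") in {"Add", "Edit", "Delete"}:
            alert(r, "admin-account-change")
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOGS):
        print(f"{a['time']}  {a['rule']:<26} {a['user']} via {a['ui']}: {a['msg']}")
```

On the sample the 03:12 login from 203.0.113.99 followed seconds later by a new `support` admin is the sequence to fear most after a credential leak: a valid password used from an unfamiliar address, then persistence. Point the script at a syslog export rather than the device itself, since logs on a device you suspect is compromised may already have been trimmed.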

How Guardz Supports You

1. Free Leak & Dark Web Checks

During our trial, we scan for any leaked IPs or credentials associated with your organization. We also provide Dark Web monitoring to stay ahead of new threats.

2. Actionable Insights

Our platform offers step-by-step remediation guidance, including:

  • Enforced password resets.
  • Security configuration suggestions, such as MFA enforcement.

Conclusion

This FortiGate firewall breach highlights the urgent need for proactive cybersecurity measures. Even though this stolen data is from 2022, many organizations haven’t refreshed credentials or firewall settings, leaving them exposed.

If you suspect your FortiGate devices have been compromised—or if you want expert guidance on securing your infrastructure—reach out to Guardz.

We’re here to help you navigate this breach, protect your assets, and keep your clients’ networks secure.

💡 Stay safe,
The Guardz Team

Jordan is a Cybersecurity Content Creator and community builder. He has written for many cybersecurity companies and knows more stats about a data breach than IBM.
