On 14 January 2025, the Belsen Group hacker collective published over 15,000 FortiGate credentials - including IP addresses, plaintext passwords, and configuration file contents - on a Tor-hosted cybercriminal forum. The data is believed to have been collected in 2022 by exploiting CVE-2022-40684, a critical FortiOS authentication bypass vulnerability with a CVSS score of 9.8.
What credentials did the Belsen Group leak?
On 14 January 2025, the Belsen Group published credentials for over 15,000 Fortinet FortiGate devices on a Tor-hosted cybercriminal forum, according to reporting by Bleeping Computer and The Record by Recorded Future. FortiGate appliances are commonly deployed as VPN gateways, so compromised credentials provide direct tunnel access into a corporate network without the need to exploit any additional vulnerability - making FortiGate credentials especially valuable for gaining initial access to an organisation's internal network.
The Belsen Group stated in their forum post that the credentials were released free of charge to establish reputation within the criminal community.
Security researcher Kevin Beaumont, writing on his DoublePulsar blog, identified that the configuration files within the leaked data point to FortiOS versions 7.0.0-7.0.6 and 7.2.0-7.2.2, placing the original exfiltration campaign in 2022. At that time, a critical vulnerability tracked under CVE-2022-40684 was being actively exploited in the wild. This Fortinet authentication bypass flaw allows a remote, unauthenticated attacker to perform operations on the administrative interface of FortiGate appliances via specially crafted HTTP or HTTPS requests - with a CVSS v3.1 score of 9.8 (Critical). CISA added CVE-2022-40684 to its Known Exploited Vulnerabilities catalogue on 11 October 2022, and the KEV entry explicitly confirms the vulnerability has been used in ransomware campaigns. Fortinet's own advisory confirmed that exploitation was used to download configuration files from targeted devices and to add a malicious super_admin account named fortigate-tech-support.
The affected version ranges confirmed by the live Fortinet advisory (FG-IR-22-377) are as follows:
CVE-2022-40684: Affected Products and Versions
| Product | Affected Versions | Fixed Version | Action Required |
|---|---|---|---|
| FortiOS 7.0 | 7.0.0 through 7.0.6 | 7.0.7 or above | Patch AND rotate all admin/VPN credentials |
| FortiOS 7.2 | 7.2.0 through 7.2.1 | 7.2.2 or above | Patch AND rotate all admin/VPN credentials |
| FortiProxy 7.0 | 7.0.0 through 7.0.6 | 7.0.7 or above | Patch AND rotate all admin/VPN credentials |
| FortiProxy 7.2 | 7.2.0 | 7.2.1 or above | Patch AND rotate all admin/VPN credentials |
| FortiSwitchManager 7.0 | 7.0.0 | 7.0.1 or above | Patch AND rotate all admin/VPN credentials |
| FortiSwitchManager 7.2 | 7.2.0 | 7.2.1 or above | Patch AND rotate all admin/VPN credentials |
Patches were released by Fortinet in October 2022. FortiOS 6.x branches and FortiProxy 1.x and 2.0 are not affected. Note: FG-6000F and 7000E/F series platforms require FortiOS 7.0.5 B8001 or above rather than the standard 7.0.7 path.
The leaked configuration files contain fields including admin usernames, encrypted and in some cases plaintext VPN user credentials, interface IP assignments, and VDOM configuration data. For an attacker, this provides initial access credentials. It also provides a pre-drawn network map, reducing reconnaissance effort to near zero.
How many FortiGate devices are at risk from this leak?
As of January 2025, a Shodan search using product:"FortiGate" country:"GB" returns over 9,000 results across UK organisations, spanning a wide range of industries, sectors and sizes. This figure changes over time and should be verified against a current Shodan query at the point of reading.
It is important to distinguish between two categories of exposure here. Fully unpatched devices - those still running FortiOS versions 7.0.0-7.0.6 or 7.2.0-7.2.1 - remain directly exploitable via CVE-2022-40684 and represent the highest-risk group. However, patched devices are not automatically safe: if admin or VPN credentials were captured during the 2022 exploitation campaign and have not since been rotated, those credentials are now publicly available in the Belsen Group leak regardless of the device's current patch state.
While patching FortiGate devices has been a priority for most organisations over the past two years, credential rotation is frequently overlooked, meaning even patched devices may still be at risk from credentials captured in this 2022 campaign.
How can you check if your FortiGate credentials were compromised?
Checking for exposure involves several steps: comparing the leaked IP address list against your organisation's external IP estate, reviewing your FortiOS version history to determine whether your devices were running an affected version in 2022, and rotating all administrator and VPN user credentials regardless of current patch status. Even if your FortiGate has been patched since 2022, any credentials in use at the time of exploitation should be treated as compromised.
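The following script is an added example (not Precursor's or Fortinet's code) that turns the three checks above, and the two exposure categories described earlier, into something a defender can run against their own asset inventory. It intersects a leaked IP list with the organisation's external CIDR blocks, tests a product/version pair against the CVE-2022-40684 ranges from the FG-IR-22-377 table, classifies each device as unpatched, patched-but-credentials-unrotated, or patched-and-rotated, and scans a FortiOS configuration for the attacker-added super_admin account name that Fortinet's advisory describes. The leaked IPs, CIDR ranges, fleet entries and configuration text are constructed sample data; the rule that a credential rotation only counts if it happened after the device was patched is this example's own assumption, not a statement from the article.

```python
"""Exposure triage for the Belsen Group FortiGate leak (added example).

Checks: leaked-IP vs. our estate, CVE-2022-40684 version ranges (from the
FG-IR-22-377 table), exposure category per device, and a config scan for
the advisory's attacker-added admin account. All sample data is constructed.
"""
import ipaddress
import re
from datetime import date

# Inclusive affected ranges per FG-IR-22-377: product -> [(low, high), ...]
AFFECTED = {
    "FortiOS": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 1))],
    "FortiProxy": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 0))],
    "FortiSwitchManager": [((7, 0, 0), (7, 0, 0)), ((7, 2, 0), (7, 2, 0))],
}
IOC_ADMIN_NAME = "fortigate-tech-support"  # super_admin name from the advisory


def parse_version(text):
    """'7.0.6' -> (7, 0, 6). A build suffix such as '7.0.5 B8001' is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected(product, version):
    """True when product/version falls inside an affected range from the table."""
    ver = parse_version(version)
    return any(lo <= ver <= hi for lo, hi in AFFECTED.get(product, []))


def leaked_ips_in_estate(leaked_ips, estate_cidrs):
    """Leaked addresses that fall inside any of our external CIDR blocks."""
    nets = [ipaddress.ip_network(c, strict=False) for c in estate_cidrs]
    hits = []
    for raw in leaked_ips:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # leak dumps contain malformed lines; skip them
        if any(addr in net for net in nets):
            hits.append(str(addr))
    return hits


def classify_device(product, current_version, version_in_2022,
                    patched_on=None, last_cred_rotation=None):
    """Exposure category for one device. Dates are ISO strings or None.

    Assumption of this example: credentials only count as rotated if the
    rotation happened after patching; a rotation done while the device was
    still exploitable could simply have been captured again.
    """
    if is_affected(product, current_version):
        return "UNPATCHED_EXPLOITABLE"
    if version_in_2022 is None:
        return "UNKNOWN_2022_VERSION_ROTATE_CREDENTIALS"
    if not is_affected(product, version_in_2022):
        return "NOT_IN_AFFECTED_RANGE"
    if patched_on and last_cred_rotation and \
            date.fromisoformat(last_cred_rotation) > date.fromisoformat(patched_on):
        return "PATCHED_CREDENTIALS_ROTATED"
    return "PATCHED_CREDENTIALS_UNROTATED"


def find_ioc_admins(config_text):
    """Admin names in a FortiOS 'config system admin' block matching the IoC."""
    block = re.search(r"config system admin\n(.*?)^end", config_text, re.S | re.M)
    if not block:
        return []
    names = re.findall(r'^\s*edit "([^"]+)"', block.group(1), re.M)
    return [n for n in names if n == IOC_ADMIN_NAME]


# Constructed sample inputs: documentation-range addresses, invented config.
SAMPLE_LEAK_IPS = ["203.0.113.7", "198.51.100.200", "not-an-ip", "192.0.2.5"]
OUR_ESTATE = ["203.0.113.0/24", "192.0.2.0/25"]
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "fortigate-tech-support"
        set accprofile "super_admin"
    next
end
"""

if __name__ == "__main__":
    print("leaked IPs in our estate:", leaked_ips_in_estate(SAMPLE_LEAK_IPS, OUR_ESTATE))
    print("IoC admin accounts:", find_ioc_admins(SAMPLE_CONFIG))
    fleet = [  # (name, product, current, version in 2022, patched_on, last rotation)
        ("fw-edge-01", "FortiOS", "7.0.6", "7.0.6", None, None),
        ("fw-edge-02", "FortiOS", "7.0.12", "7.0.5", "2022-10-20", "2022-09-01"),
        ("fw-edge-03", "FortiOS", "7.0.12", "7.0.5", "2022-10-20", "2023-02-01"),
        ("fw-dc-01", "FortiOS", "7.4.3", "6.4.9", None, None),
    ]
    for name, *args in fleet:
        print(name, classify_device(*args))
```

In practice the leaked IP list and the fleet data would come from the leak dump and your CMDB or FortiManager export; the classification deliberately treats an unknown 2022 version as a reason to rotate rather than as "not affected", since the cost of an unnecessary rotation is far lower than leaving a captured credential in service.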
For organisations seeking firewall credential leak remediation support, please reach out to info@precursorsecurity.com.
Precursor also offers a suite of relevant services, including Incident Response, a 24x7 Managed SOC for UK organisations (CREST, the Council of Registered Ethical Security Testers), and Penetration Testing (CREST).