Imagine waking up to find your company’s firewall credentials, VPN logins, and network configurations plastered online. For over 15,000 organizations, this nightmare became reality in early 2025 when a group called Belsen Group dumped a massive cache of stolen Fortinet firewall data. Let’s break down what happened, why it matters, and—most importantly—how to check if your organization is caught in the crossfire.
On January 16, 2025, Belsen Group dropped a bombshell: configuration files, VPN credentials, and firewall rules from 15,474 Fortigate devices. The data included:
This wasn’t a new hack. Attackers exploited CVE-2022-40684, a critical FortiOS vulnerability patched back in 2022. But as one Mastodon user quipped: “Running FortiOS 7.6 in 2022 wasn’t a good idea for network stability.” Many organizations ignored updates, leaving doors wide open.
Security researchers, including Vito Rallo and Bryan de Houwer from Crimson7, have verified the authenticity of the leaked data. Additionally, a journalist from Heise confirmed the validity of a VPN account password with an affected organization.
If you’re sweating right now, you’re not alone. The leak spans governments, corporations, and small businesses. Oddly, Iran’s devices are missing (despite thousands being exposed), and Russia has just one entry in Crimea. Researchers like Crimson7 confirmed the data’s authenticity by matching device serial numbers to Shodan listings.
So, how do you check if your org is included?
Crimson7 built FortiScan, a free tool to query the leaked data. Plug in your domain, IP range, or company name, and it’ll tell you if your firewall credentials are floating in the dump. No more guessing games.
👉 Check now: https://fortiscan.crimson7.io
FortiScan will check your organisation starting from your email address and domain. We report back only via email; this is not done to store your address but to make sure that you belong to the organisation you are querying about.
First provide your email in this form:
Then confirm that all the information is correct before launching the investigation. Make sure everything on this page is correct:
After confirming on this page, you will receive an email with a report. The report contains the output of 3 queries:
1) a query with the entity name against all the organisations owning IPs in the leaked list of victims. Most likely your provider is listed here unless you own your own registered address segment.
2) a query by domain name, checking for any trace of your domain in the configuration files (e.g. in an email address).
3) a search for all possible active subdomains and additional domains that belong to your organisation; the tool resolves their IPs and checks whether each IP is included in the leak. In the report email you can find a link to download the list of subdomains and domains used for the query.
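The three queries above, as an added example of the matching logic rather than FortiScan's own code: the leaked IP list, the config excerpts and the resolved hostnames are constructed sample data (FortiScan resolves real subdomains via DNS; here a pre-resolved mapping stands in so the check runs offline).

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample standing in for the leaked victim IP list (not real leak data).
SAMPLE_LEAK_IPS = ["203.0.113.10", "203.0.113.11", "198.51.100.7"]

# Constructed config excerpts keyed by device IP, imitating FortiOS config syntax.
SAMPLE_CONFIGS = {
    "203.0.113.10": 'config system admin\n    edit "admin"\n        set email-to "noc@example.org"\n',
    "198.51.100.7": 'config system global\n    set hostname "fw-other"\n',
}


def ips_in_ranges(leak_ips: Iterable[str], org_ranges: Iterable[str]) -> List[str]:
    """Query 1: leaked device IPs that fall inside the organisation's registered CIDR ranges."""
    nets = [ipaddress.ip_network(r, strict=False) for r in org_ranges]
    return sorted(ip for ip in leak_ips if any(ipaddress.ip_address(ip) in n for n in nets))


def domain_mentions(configs: Dict[str, str], domain: str) -> List[str]:
    """Query 2: devices whose leaked config mentions the domain (e.g. in an admin email)."""
    needle = domain.lower()
    return sorted(ip for ip, text in configs.items() if needle in text.lower())


def resolved_hosts_in_leak(leak_ips: Iterable[str], resolved: Dict[str, str]) -> List[Tuple[str, str]]:
    """Query 3: organisation hostnames whose resolved IP appears in the leak.

    `resolved` maps hostname -> IP; in a live check it would come from DNS resolution
    of the discovered subdomains.
    """
    leaked = set(leak_ips)
    return sorted((host, ip) for host, ip in resolved.items() if ip in leaked)


def exposure_report(leak_ips, configs, org_ranges, domain, resolved) -> Dict[str, list]:
    """Combine the three queries into one report, mirroring the email FortiScan sends."""
    return {
        "by_range": ips_in_ranges(leak_ips, org_ranges),
        "by_domain": domain_mentions(configs, domain),
        "by_host": resolved_hosts_in_leak(leak_ips, resolved),
    }


if __name__ == "__main__":
    hosts = {"vpn.example.org": "203.0.113.11", "www.example.org": "192.0.2.5"}
    print(exposure_report(SAMPLE_LEAK_IPS, SAMPLE_CONFIGS, ["203.0.113.0/28"], "example.org", hosts))
```

Any non-empty list in the report means the corresponding device should be treated as compromised and its credentials rotated.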
*** NOTE *** If you get an error, the backend workflow may have failed; please do not retry repeatedly. Rates are limited, so don't lock yourself out. We hope the workflow produces a good report; if something goes wrong, understand that it can happen, and feel free to reach out (info@crimson7.io).
This leak isn’t just about stolen passwords. It’s a blueprint for attacks. Hackers can:
As one IT pro on Mastodon warned: “If you think you’re on the list, just roll creds anyway.”
The Fortigate configuration leak serves as a stark reminder of the persistent threats facing network infrastructure and the potential for long-term consequences from unaddressed vulnerabilities. It emphasizes the need for organizations to maintain vigilant cybersecurity practices and respond swiftly to security advisories.