In just the past two weeks, the ColorTokens Threat Advisory Team has tracked major data breaches, rootkit infections, and critical vulnerabilities across Windows, Office, SharePoint, IoT devices, and widely used security appliances. In this blog, we break down what happened, who’s affected, and what you can do to stay protected.
Let’s dive in.
1. Esse Health Data Breach: 263,000+ Patient Records Compromised
The healthcare sector has faced a steady wave of cyberattacks in recent years. In April 2025, Esse Health, a major physicians’ group in St. Louis, Missouri, fell victim to a breach that took down its network and phone systems.
By June, operations were restored, but the damage was done. Over 263,000 patients were notified that their personal and medical data may have been accessed and stolen. The breach exposed sensitive information such as names, birth dates, medical record numbers, and insurance details; according to the company, Social Security numbers and EMR data were not exposed.
Esse Health hasn’t confirmed whether ransomware was involved, but given the multi-week disruption and data theft, many signs point in that direction. As of today, no group has claimed responsibility.
2. Windows, Office, and SharePoint Hit by Critical Vulnerabilities
July’s Patch Tuesday was a big one, especially for Microsoft environments. Three major CVEs were disclosed and patched:
- CVE-2025-47981 (CVSS 9.8): A heap-based buffer overflow in Windows’ SPNEGO Extended Negotiation mechanism. This could let attackers execute arbitrary code over the network. Affects Windows 10 (1607+) and all supported Windows Server versions.
- CVE-2025-49697 (CVSS 8.4): A Remote Code Execution (RCE) vulnerability in Microsoft Office, triggered through the Preview Pane. Yes—just previewing a malicious file could compromise the system.
- CVE-2025-49704 (CVSS 8.8): A SharePoint RCE flaw that was originally exploited in a Pwn2Own chain.
All three vulnerabilities were patched as part of the July 2025 updates. If your team hasn’t already rolled out these patches, do it now.
3. SonicWall SMA Devices Compromised by OVERSTEP Rootkit
One of the more advanced threats this month involves SonicWall’s SMA 100 series appliances. These devices—used for secure remote access—were targeted by a threat actor known as UNC6148, who deployed a stealthy backdoor rootkit called OVERSTEP.
Even though the affected appliances were fully patched, they were also end-of-life—meaning SonicWall no longer supports them.
The attackers managed to:
- Steal credentials
- Deploy the OVERSTEP rootkit
- Maintain persistent access
- Hide their activity using anti-forensic techniques
Researchers at Google’s Threat Intelligence Group believe the attacks are linked to ransomware operations and data extortion. Alarmingly, no one has yet figured out exactly how the attackers got initial shell access—pointing to a possible zero-day vulnerability.
Recommendation:
- Immediately remove or replace all unsupported SMA 100 series devices
- Patch to firmware version 10.2.1.15-81sv if still in support
- Rotate all admin passwords and disable old VPN tokens
4. Fortinet FortiWeb Under Active Exploitation via CVE-2025-25257
Fortinet’s FortiWeb WAF devices are being actively exploited via a newly patched vulnerability—CVE-2025-25257, a pre-auth SQL injection RCE flaw.
Here’s the timeline:
- Fortinet released patches on July 8
- Public exploits were shared on July 11
- By July 14, over 85 FortiWeb devices were infected with web shells
The exploitation chain involves sending crafted HTTP requests that drop a malicious .pth file into Python’s site-packages, then invoking it via a CGI script to achieve full remote code execution.
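The .pth persistence hook described above is easy to audit from the defender's side: CPython's site.py exec()s any line of a .pth file that begins with "import", so a quick hunt is to list those lines and flag ones that chain statements or reference code-execution primitives. The scanner below is an added example written for this post, not ColorTokens' or Fortinet's tooling; its heuristics and the sample files in demo() are constructed assumptions.

```python
"""Hunt for code-executing .pth files in Python site-packages.

Added example, not ColorTokens' or Fortinet's code. site.py adds each line of a
.pth file to sys.path, but any line starting with "import" is exec()'d at every
interpreter start, which is the persistence hook the FortiWeb chain abuses.
"""
import re
import site
import sys
import tempfile
from pathlib import Path

# Legitimate import lines are short and name one helper module (e.g.
# "import _virtualenv"); chained statements, exec/eval or encoded blobs are not.
# Heuristic word list is an assumption, tune it for your environment.
SUSPICIOUS = re.compile(
    r"\b(exec|eval|compile|b64decode|subprocess|system|socket|urllib|"
    r"__import__|marshal|zlib)\b|\\x[0-9a-fA-F]{2}")

def inspect_pth(path: Path) -> list[str]:
    """Return the lines of one .pth file that would run code and look hostile."""
    hits = []
    for raw in path.read_text(errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # ignored by site.py as well
        if not line.startswith(("import ", "import\t")):
            continue                      # plain path entry, never executed
        if ";" in line or len(line) > 200 or SUSPICIOUS.search(line):
            hits.append(line)
    return hits

def scan(dirs) -> dict[str, list[str]]:
    """Map every .pth file under the given directories to its suspicious lines."""
    findings = {}
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            if hits := inspect_pth(pth):
                findings[str(pth)] = hits
    return findings

def demo() -> dict[str, list[str]]:
    """Scan two constructed samples in a temp dir; keyed by file name."""
    d = Path(tempfile.mkdtemp())
    (d / "benign.pth").write_text("/opt/vendor/lib\nimport _virtualenv\n")
    (d / "hostile.pth").write_text(   # constructed stand-in for an implant line
        "import os;os.system('echo constructed-sample')\n")
    return {Path(k).name: v for k, v in scan([d]).items()}

if __name__ == "__main__":
    targets = sys.argv[1:] or site.getsitepackages() + [site.getusersitepackages()]
    for name, lines in scan(targets).items():
        print(f"[!] {name}: {lines}")
```

Run it with the site-packages paths of the interpreter that serves CGI on the appliance (they differ from the scanning host's own), and treat any hit as something to triage against the vendor's known-good file list rather than as proof of compromise.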
If you’re running any version of FortiWeb between 7.0.0 and 7.6.3, consider your system at risk. The attacks are widespread, with most victims located in the U.S.
Recommendation:
- Upgrade to FortiWeb 7.6.4, 7.4.8, 7.2.11, or 7.0.11 immediately
- Disable HTTP/HTTPS admin interfaces if patching is not feasible in the short term
5. eSIM Vulnerability Could Expose Billions of IoT Devices
And now for a more futuristic-sounding threat—eSIM vulnerabilities in Kigen’s eUICC cards, which could impact billions of IoT devices globally.
Discovered by Security Explorations, this flaw allows attackers to install malicious applets on eSIMs, steal mobile operator credentials, and potentially deploy backdoors for spying. The root cause lies in an outdated GSMA TS.48 test profile, which was never meant for production use.
Although the attack requires physical access and some specific conditions, the implications are massive—especially for critical IoT infrastructure.
Recommendation:
- Ensure your eUICC modules are patched and no longer use TS.48 v6.0 or earlier
- Prevent unauthorized physical access to devices
- Move away from SIM-only authentication for critical services
The Breach Readiness Mindset
From hospitals to firewalls, from Microsoft Office to IoT cards, July’s threat landscape reminded us of one thing: your weakest link is the one you forgot to patch, retire, or monitor.
But there’s a silver lining. Every one of these incidents came with a lesson—most of which were preventable or mitigable with the right controls.
So what can you do?
- Stay updated with vendor advisories and CVEs.
- Retire unsupported devices. Now.
- Rotate credentials frequently and automate where possible.
- Shift your mindset from “breach prevention” to breach readiness. Assume compromise—and plan your response in advance.
Security isn’t static. Neither are the threats. Stay informed. And most importantly, stay breach ready.
For more threat intelligence like this or to get help building a breach-ready cybersecurity strategy, write to us at [email protected] or contact us at https://colortokens.com/contact-us/