TL;DR: A healthcare breach, exploited Windows, Office and SharePoint vulnerabilities, a SonicWall SMA rootkit campaign, active FortiWeb exploitation, and eSIM flaws that could affect billions of IoT devices are tied together in ColorTokens’ July 2025 threat roundup. The common lesson is that exposed attack surface, stale access, and unsupported systems turn routine defects into broad operational risk.
NHIMG editorial — based on content published by ColorTokens: July 2025 Ransomware Attacks and Threat Roundup: All You Need to Know
By the numbers:
- By July 14, over 85 FortiWeb devices were infected with web shells.
Questions worth separating out
Q: What breaks when unsupported appliances are left in production?
A: Unsupported appliances keep trusted access paths alive after security fixes stop.
Q: When should organisations treat a patch delay as a security incident?
A: They should treat patch delay as an incident when the vulnerable service is internet-facing, privileged, or tied to remote administration.
Q: What do teams get wrong about ransomware readiness in hybrid environments?
A: Many teams focus on backup and restoration while underweighting identity revocation and segmentation.
Practitioner guidance
- Retire unsupported remote access appliances first Build a retirement list for devices that no longer receive vendor support and remove them from production before the next patch cycle becomes irrelevant.
- Prioritise emergency patching for pre-auth internet-facing flaws Give exposed services with no authentication barrier the fastest patch lane, then verify that patching actually reached every instance behind load balancers, clusters, and legacy management planes.
- Treat rootkit indicators as credential compromise events When stealth malware appears on appliances or servers, rotate admin passwords, revoke remote access tokens, and terminate active sessions before rebuilding trust in the platform.
What's in the full article
ColorTokens' full threat advisory covers the operational detail this post intentionally leaves for the source:
- Incident-by-incident remediation guidance for healthcare, Windows, appliance, and IoT exposures.
- Specific patch and upgrade recommendations for SonicWall, Fortinet, and Microsoft environments.
- Recommended containment actions for admin password rotation, token disabling, and unsupported device retirement.
- The article's own threat timeline and product-specific context for teams that need implementation detail.
👉 Read ColorTokens' July 2025 ransomware and threat roundup →
Ransomware roundup: what July 2025 means for patch and access controls?
Explore further
Unsupported infrastructure is an identity problem as much as a patching problem. The SonicWall case shows that devices can remain trusted long after they stop being supportable. Once admin credentials and remote access tokens continue to function on end-of-life hardware, the organisation has preserved a privileged identity surface that attackers can reuse. The lifecycle failure is the control gap, not only the vulnerability. Practitioners should treat retirement of unsupported systems as a core access governance task.
A few things that frame the scale:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
- 24,008 unique secrets were exposed in MCP configuration files in 2025 alone, the protocol's first year of widespread adoption, according to The State of Secrets Sprawl 2026.
A question worth separating out:
Q: How should security teams respond when rootkit activity appears on a trusted device?
A: They should assume the device is both compromised and observing credentials. The first containment step is to cut off remote administrative access, revoke active tokens, reset privileged accounts, and quarantine the asset before rebuilding trust. Rootkit activity is not a cleanup-only problem, because hidden persistence can survive simple remediation.
👉 Read our full editorial: July 2025 ransomware roundup shows patch gaps and credential risk