Weekly threat intelligence digest: July 14 - 20, 2025

Executive summary

This week tracked 2 curated intelligence items and 1 newly published CVEs. The risk profile remained acute, with 1 critical and 0 high severity disclosures in public reporting. Priority themes were vulnerability, campaign and active exploitation pressure around internet-exposed enterprise software.

Critical & high priority

1. Critical RCE in Fortinet FortiManager Exploited by Chinese APT Group

• What happened: Fortinet disclosed a critical unauthenticated remote code execution vulnerability in FortiManager that is under active exploitation. Mandiant attributed the exploitation campaign to a Chinese-nexus advanced persistent threat group tracked as UNC5221, which has been leveraging the vulnerability to gain control of FortiManager instances and subsequently push malicious configurations to managed FortiGate firewalls. The attackers used this centralized management access to establish persistent backdoor access across victim networks.
• Who's affected: Organizations using FortiManager for centralized Fortinet device management. Government agencies, defense contractors, and critical infrastructure operators are particularly targeted. The impact is amplified because compromising FortiManager gives the attacker the ability to control all managed FortiGate devices, potentially affecting network perimeters across an entire organization.
• What to do: Patch or mitigate affected systems on an expedited timeline, validate exposure from external attack paths, and add targeted detections for known exploitation behavior.

2. Massive Data Breach at US Health Insurance Provider Exposes 15 Million Records

• What happened: A major US health insurance provider disclosed a data breach that exposed the personal and medical information of approximately 15 million current and former members. The breach was attributed to a ransomware attack that occurred over a multi-week period before detection. Stolen data includes full names, dates of birth, Social Security numbers, medical record numbers, health plan information, claims data, and in some cases financial account details. The organization is offering two years of identity monitoring to affected individuals.
• Who's affected: Approximately 15 million individuals who hold or held health insurance policies with the affected provider. The exposure of medical and financial data creates elevated risk for medical identity fraud, insurance fraud, and targeted phishing attacks. Healthcare providers who submitted claims on behalf of these members may also have organizational data exposed.
• What to do: Hunt for related indicators, tighten identity controls, and validate incident response playbooks for lateral movement and data theft scenarios.

Notable developments

Most tracked items this week were critical/high vulnerability stories, with no major medium or informational shifts requiring separate strategic treatment.

Vulnerability landscape

This week saw 1 newly published CVEs in NVD-aligned tracking for the reporting window.

• Critical: 1
• High: 0
• Medium: 0
• Low: 0
• Top affected vendors: Fortinet (1)

Priority CVEs observed in this window included:

• CVE-2025-36012 (Critical): Vendor advisory lists a high-priority issue requiring review.

Recommended actions

1. Prioritize internet-facing patching: Resolve critical and high-severity items first, with strict SLA enforcement for edge systems.
2. Harden identity and admin pathways: Require phishing-resistant MFA, reduce standing privileges, and audit privileged sessions.
3. Operationalize detections: Convert this week's CVEs and campaign behaviors into SIEM/SOAR detections and threat hunts.
4. Protect recovery paths: Isolate and test backups, then validate restoration workflows against ransomware and destructive attack scenarios.

Looking ahead

For July 21 - 27, 2025, expect continued exploitation attempts against newly disclosed enterprise software flaws, plus copycat scanning after proof-of-concept publication. Teams should maintain elevated monitoring for externally exposed assets and review compensating controls where patch windows are delayed.