Ransomware, Critical Vulnerabilities, and the Security Gap No One Is Closing Fast Enough


Somewhere between a five-month investigation gap at a Minnesota hospital and 17 million vehicle records sitting on a contractor’s FTP server, a familiar story started taking shape again. Attackers didn’t need to be particularly sophisticated. They just needed time, a poorly segmented network, and a vendor nobody was watching closely enough.

The same gaps keep getting exploited in the same ways. Healthcare networks are still too flat. Vendor access is still too broad. And the distance between “we detected something suspicious” and “we confirmed what was actually taken” is still measured in months.

What follows is a breakdown of the most significant breaches, vulnerabilities, and attack patterns from the latest ColorTokens Threat Advisory, and what they mean for organizations trying to stay ahead of them.

The Vulnerabilities You Need to Patch Right Now

Four critical vulnerabilities made it onto the radar this cycle, and each one deserves immediate attention.

Cisco Integrated Management Controller (CVE-2026-20093) carries a CVSS score of 9.8 for good reason. An unauthenticated remote attacker can bypass authentication entirely by sending a crafted HTTP request, then alter passwords for any user on the system, including admin accounts. The flaw stems from incorrect handling of password change requests. With over 200 affected versions across Cisco Enterprise NFV Infrastructure Software, organizations running Cisco IMC should cross-reference the full advisory and patch without delay.

cPanel and WHM (CVE-2026-41940) is another 9.8. An authentication bypass in the login flow lets unauthenticated remote attackers gain access to the control panel on any cPanel or WHM version after 11.40. WebPros has issued patches across cPanel, WHM, and WP Squared; check the vendor release notes to confirm your version is covered.

SAP Business Planning and Consolidation and SAP Business Warehouse (CVE-2026-27681) scores a 9.9. An authenticated user can execute crafted SQL statements to read, modify, and delete database data, with impact landing across confidentiality, integrity, and availability simultaneously. Affected versions span HANABPC 810, BPC4HANA 300, and SAP_BW versions 750 through 758 and 816. SAP’s patch day advisory and SAP Note 3719353 are the reference points here.

Adobe Acrobat Reader (CVE-2026-34621) rounds out the list at 8.6. A prototype pollution vulnerability in versions up to 26.001.21367 can lead to arbitrary code execution when a victim opens a malicious file. User interaction is required for exploitation, but that’s a low bar in environments where PDF files are opened routinely. Adobe’s APSB26-43 advisory covers the fix.

Healthcare Keeps Taking Hits

There’s a reason ransomware groups keep targeting hospitals. Patient records are among the most valuable data on the dark web. They carry Social Security numbers, insurance information, financial account details, and medical histories all in one place. And healthcare networks, stretched thin across connected devices, legacy systems, and clinical workflows, give attackers plenty of room to move once they’re inside.

Cookeville Regional Medical Center in Tennessee confirmed that a 2025 ransomware attack exposed personal and health information for 337,917 individuals. The Rhysida ransomware group accessed the network between July 11 and July 14, 2025, exfiltrating 538 gigabytes of data. Rhysida listed Cookeville on its dark web leak site and has since published 70% of the stolen data, suggesting the remaining 30% found a buyer. The exposed data spans names, Social Security numbers, driver’s license numbers, financial account numbers, medical records, and health insurance information. Notification letters began going out in March 2026, after a file review completed on March 16 confirmed the full scope of affected individuals.

Across three separate but concurrent disclosures, Hospital Caribbean Medical Center in Puerto Rico, Murray County Medical Center in Minnesota, and Aligned Orthopedic Partners in Maryland each confirmed data breaches affecting patient and employee data. Hospital Caribbean Medical Center is listed on the HHS breach portal as affecting up to 92,000 individuals, with a group called The Gentlemen claiming responsibility and threatening to publish stolen data. Murray County Medical Center detected suspicious activity in August 2025 but didn’t confirm the breach until January 2026, a five-month gap that directly compressed the window for patient notification and regulatory response. Aligned Orthopedic Partners saw its email platform compromised over a month-long window, with the resulting data exposure including financial account numbers, mental health information, prescriptions, and medical records, among the broadest data categories confirmed across all three incidents.

What connects these breaches isn’t just ransomware. It’s the combination of long dwell times, email platforms carrying sensitive clinical data, and limited visibility into what’s moving laterally inside the network once an attacker gets in. This is a pattern the HIMSS 2025 healthcare cybersecurity findings also flagged: the threat surface in healthcare isn’t shrinking, and most organizations are still managing it with tools that weren’t built for the environment they’re defending today.

Finance: Vendor Exposure and the Everest Threat

Two separate incidents this cycle put a sharp spotlight on third-party vendor risk in financial services, and both of them trace back to the same threat actor.

Nissan confirmed that a recent cyber incident involved a third-party vendor serving its dealerships in North America. The Everest ransomware gang claimed responsibility, asserting it stole 910 GB of data from GCSSD, an IT contractor that hosted and processed data on Nissan’s behalf. A review of the leaked materials identified over 17 million vehicle identification numbers, more than 4 million full names and street addresses, and over 2 million email addresses and phone numbers. The data included row-level dealership service and repair records, customer names, addresses, VINs, mileage, and pricing data. Nissan maintained that its own systems were not compromised and no Nissan customer information was directly put at risk, but for customers whose data was sitting on that vendor’s server, the distinction matters less than the outcome.

Citizens Financial Group and Frost Bank both appeared on Everest’s dark web extortion site on April 20, with a six-day deadline to pay before stolen data went public. The gang claimed approximately 250,000 records from Frost Bank, including Social Security numbers, tax identification numbers, mortgage interest rates, and income data. The Citizens Bank claim runs to approximately 3.4 million records, though the data samples appear to be primarily a SQL database dump without SSNs or TINs. Both banks confirmed the incident originated at a third-party vendor. Citizens characterized most of the affected data as masked test data with a limited set of actual customer information involved. Frost Bank engaged external cybersecurity experts and noted early findings suggest a connection to the Everest claims. Neither bank found evidence of unauthorized access to its own network.

The through-line in both cases, and in the Verizon 2025 DBIR analysis of third-party risk, is the same: vendors routinely hold, process, or transmit data that would require the same level of security scrutiny as internal systems, but rarely receive it.

OT Environments in the Crosshairs

A newly discovered malware called ZionSiphon, flagged by Darktrace, appears to have been designed specifically to target Israeli water treatment and desalination systems. First detected in the wild on June 29, 2025, the malware targets specific IPv4 ranges within Israel and activates only when both a geographic condition and an environment-specific condition related to water or desalination infrastructure are met.

Once launched, ZionSiphon probes devices on the local subnet, attempts protocol-specific communication using Modbus, DNP3, and S7comm, and modifies local configuration files by tampering with parameters tied to chlorine doses and pressure. It also propagates over removable media and triggers a self-destruct sequence on hosts that don’t meet its criteria. The current sample appears to be unfinished — the target-country checking function doesn’t execute correctly even when the IP falls within the specified ranges. But the architecture tells a clear story about where OT-targeted attacks are heading: multi-protocol manipulation, persistence within operational networks, and removable media propagation, all packed into a single payload built for a specific physical infrastructure.
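The behaviours described above (sweeping the local subnet, then issuing protocol-level writes that change process parameters) are exactly what protocol-aware monitoring on the OT network should surface. The following is an added example, not code from the advisory or from Darktrace: a minimal Modbus/TCP request parser with two detections over constructed sample traffic, one for write function codes coming from a host that is not an approved writer, and one for a single source talking to more PLCs than any legitimate HMI would. Host addresses, the “approved HMI” role and the register meanings are assumptions for illustration; the same shape of check applies to DNP3 and S7comm with their own write operations.

```python
"""Added example (not from the ColorTokens advisory): parse Modbus/TCP requests
and flag (a) state-changing writes from unapproved hosts and (b) one source
sweeping the PLC subnet. All traffic below is constructed for illustration."""
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Modbus function codes that change controller state (coils / holding registers).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers",
}
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]  # starting coil/register for the common read/write codes


def parse_modbus_tcp(src: str, dst: str, data: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request (MBAP header followed by the PDU)."""
    if len(data) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, uid = struct.unpack(">HHHB", data[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The MBAP length field counts the unit id plus the PDU, i.e. everything
    # after the first six bytes; a mismatch means a truncated or forged frame.
    if length != len(data) - 6:
        raise ValueError("MBAP length field does not match frame size")
    func = data[MBAP_LEN]
    address = None
    if func in (0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x0F, 0x10) and len(data) >= MBAP_LEN + 3:
        address = struct.unpack(">H", data[MBAP_LEN + 1:MBAP_LEN + 3])[0]
    return ModbusRequest(src, dst, tid, uid, func, address)


def build_frame(tid: int, uid: int, func: int, body: bytes) -> bytes:
    """Encode a Modbus/TCP request; used here only to construct sample traffic."""
    pdu = bytes([func]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


def detect_unexpected_writes(frames, allowed_writers):
    """Alert on any write function code from a host that is not an approved writer."""
    alerts = []
    for src, dst, data in frames:
        req = parse_modbus_tcp(src, dst, data)
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(f"{src} -> {dst} unit {req.unit_id}: "
                          f"{WRITE_FUNCTIONS[req.function]} at address {req.address}")
    return alerts


def detect_subnet_probing(frames, max_targets=3):
    """Flag any source that speaks Modbus to more distinct hosts than the threshold."""
    targets = defaultdict(set)
    for src, dst, _ in frames:
        targets[src].add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) > max_targets)


# Constructed sample traffic. 10.10.0.5 plays the approved HMI; 10.10.0.77 is an
# unexpected host. Addresses and the "setpoint" register are assumptions.
SAMPLE_FRAMES = [
    ("10.10.0.5",  "10.10.1.20", build_frame(1, 1, 0x03, struct.pack(">HH", 0x0000, 10))),   # HMI polls 10 registers
    ("10.10.0.5",  "10.10.1.20", build_frame(2, 1, 0x06, struct.pack(">HH", 0x0010, 250))),  # HMI setpoint change
    ("10.10.0.77", "10.10.1.20", build_frame(1, 1, 0x06, struct.pack(">HH", 0x0010, 900))),  # rogue setpoint change
    ("10.10.0.77", "10.10.1.21", build_frame(2, 1, 0x03, struct.pack(">HH", 0x0000, 1))),    # probe
    ("10.10.0.77", "10.10.1.22", build_frame(3, 1, 0x03, struct.pack(">HH", 0x0000, 1))),    # probe
    ("10.10.0.77", "10.10.1.23", build_frame(4, 1, 0x03, struct.pack(">HH", 0x0000, 1))),    # probe
    ("10.10.0.77", "10.10.1.24", build_frame(5, 1, 0x10, b"\x00\x20\x00\x02\x04\x00\x01\x00\x02")),  # write 2 regs
]
ALLOWED_WRITERS = {"10.10.0.5"}

if __name__ == "__main__":
    for alert in detect_unexpected_writes(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print("WRITE ALERT:", alert)
    for host in detect_subnet_probing(SAMPLE_FRAMES):
        print("PROBE ALERT:", host, "is sweeping the PLC subnet")
```

Run against the sample traffic, the write check raises two alerts (both from 10.10.0.77) and the probing check names the same host, while the HMI's own setpoint change passes because it comes from an approved writer. The allowlist is the important design choice: Modbus has no authentication, so "who is allowed to write to which unit" has to be enforced by the network and the monitoring, not by the protocol.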

As the IT-OT convergence article makes clear, industrial environments that rely on protocols like Modbus and DNP3 are increasingly in scope for nation-state actors, and the segmentation controls that would contain this kind of threat are still missing from most OT environments. A Zero Trust approach for OT and cyber-physical systems addresses exactly this gap, providing the visibility and containment layer that legacy industrial security architectures were never designed to deliver.

What Organizations Should Do

Across every sector in this report, a few mitigation priorities keep coming up.

  • Patch the four critical CVEs immediately — Cisco IMC, cPanel/WHM, SAP BPC/BW, and Adobe Acrobat Reader all carry scores above 8.5, and patches are available. Cross-reference vendor advisories for your specific versions
  • Deploy microsegmentation to contain lateral movement — when attackers get past the perimeter, segmentation determines how far they travel and how much they can reach. Microsegmentation enforces policy at the workload level, and can be deployed in weeks rather than years
  • Restrict sensitive data from flowing through email — the Aligned Orthopedic Partners breach is a direct example of what happens when email carries the broadest categories of patient data without compensating controls
  • Compress the gap between detection and confirmed compromise — the Murray County Medical Center timeline, five months from suspicious activity to confirmed breach, is a significant liability. Better forensic tooling and retained incident response relationships close that window
  • Tighten third-party vendor access and data handling — both the Nissan incident and the Citizens/Frost Bank breaches originated at vendors, not inside the organizations themselves. Vendor risk management needs the same rigor applied to internal security posture
  • Monitor ransomware leak sites proactively — Hospital Caribbean Medical Center appeared on The Gentlemen’s leak site nine days after its own press release. Catching a listing early creates time to assess and respond before public exposure compounds the damage
  • Apply OT-specific controls for critical infrastructure — ZionSiphon’s use of Modbus, DNP3, and S7comm shows that OT protocol-level attacks are no longer theoretical. Network visibility, protocol anomaly detection, and strict IT-OT segmentation are foundational

Know Where You Stand Before the Next Incident Does

The breaches in this report didn’t happen because attackers were unusually clever. They happened because the conditions were right: a vendor with too much access, a network with too little segmentation, and a detection gap that stretched into months. That is the default state for most organizations that haven’t made breach readiness a deliberate, ongoing practice.

A Breach Readiness and Impact Assessment from ColorTokens is a good place to start finding out where the gaps actually are, across your hybrid, cloud, and OT environments, before someone else finds them for you.
