Broadcom
Company Details
Linkedin ID:
broadcom
Website:
Employees number:
53,946
Number of followers:
589,166
NAICS:
3344
Industry Type:
Homepage:
broadcom.com
IP Addresses:
367
Company ID:
BRO_3083730
Scan Status:
Completed
Broadcom Company CyberSecurity Posture
broadcom.com
A global infrastructure technology leader built on more than 60 years of innovation, collaboration and engineering excellence.
Broadcom A.I CyberSecurity Scoring
Broadcom Risk Score (AI oriented)Between 750 and 799
Broadcom
Updated:
- Powered by our proprietary A.I cyber incident model
- Insurance preferes TPRM score to calculate premium
Broadcom Global Score (TPRM)XXXX
Broadcom
- Instant access to detailed risk factors
- Benchmark vs. industry & size peers
- Vulnerabilities
- Findings
Broadcom Company CyberSecurity News & History
Past Incidents
6
Attack Types
3
Broadcom
Ransomware
Rankiteo Explanation
Attack with significant impact with internal employee data leaks
Description: A ransomware attack targeted **Business Systems House (BSH)**, a Middle Eastern payroll partner of **ADP**, in **September 2024**, leading to the theft of **Broadcom’s employee data**. The compromised data was leaked online in **December 2024**, but Broadcom was not notified until **May 2025**—an eight-month delay. The **El Dorado ransomware group** claimed responsibility, exploiting Broadcom’s ongoing transition between payroll providers. The breach exposed sensitive employee information, including personal and financial details, while Broadcom was still dependent on ADP and BSH for payroll processing. The incident underscores critical vulnerabilities in **third-party supply chain security**, particularly during vendor transitions, and highlights the prolonged risks of undetected data exfiltration in ransomware attacks. The delayed disclosure further exacerbated reputational and operational risks for Broadcom, a global semiconductor and infrastructure software leader.
Broadcom
Ransomware
Rankiteo Explanation
Attack threatening the organization’s existence
Description: Broadcom, a global technology leader valued at hundreds of billions, was among the high-profile victims of **Cl0p’s ransomware attack** exploiting a **zero-day vulnerability in Oracle’s E-Business Suite (CVE-2025-61882 and CVE-2025-21884)**. The cybercriminal group **exfiltrated sensitive corporate and customer data**, threatening to leak or sell it unless a ransom was paid. The breach compromised critical systems, risking **financial records, proprietary business data, and third-party customer information**. Cl0p’s extortion tactics included warnings of **public disclosure on their blog, torrent leaks, or sales to malicious actors**, amplifying reputational and operational risks. Given Broadcom’s role in semiconductor and infrastructure technology, the attack posed **supply chain cascading risks**, potentially disrupting clients reliant on its products. Oracle issued emergency patches, but the damage—including **data theft, potential regulatory fines, and erosion of stakeholder trust**—had already occurred. The incident underscores vulnerabilities in enterprise software dependencies, with Broadcom facing **long-term financial and strategic repercussions** if the stolen data is weaponized.
Broadcom
Ransomware
Rankiteo Explanation
Attack threatening the organization’s existence
Description: The **Cl0p ransomware gang** breached **Broadcom**, a $300+ billion semiconductor and infrastructure software leader, by exploiting an **unpatched zero-day vulnerability in Oracle E-Business Suite**. This ERP platform manages critical operations, including **supply chain, financial systems, and customer data**, making it a high-value target. The attackers likely **exfiltrated sensitive corporate data** (potentially including **intellectual property, manufacturing secrets, and customer information**) before deploying ransomware, following Cl0p’s typical double-extortion tactic. The breach risks **operational disruptions in global manufacturing**, **regulatory penalties for data exposure**, and **reputational damage** due to the involvement of a notorious ransomware group. The use of a **zero-day exploit** amplifies the threat, as other organizations using Oracle E-Business Suite may face similar attacks until a patch is released. Broadcom has not confirmed the incident, but the alleged compromise aligns with Cl0p’s pattern of targeting **high-value enterprises** via unpatched vulnerabilities in widely used software.
Broadcom (VMware)
Vulnerability
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: Broadcom patched a **high-severity privilege escalation vulnerability (CVE-2025-41244)** in **VMware Aria Operations** and **VMware Tools**, actively exploited since **October 2024** by **UNC5174**, a **Chinese state-sponsored threat actor** linked to China’s Ministry of State Security (MSS). The flaw allows an **unprivileged local attacker** to escalate privileges to **root-level code execution** by staging a malicious binary in paths like `/tmp/httpd` and exploiting VMware’s service discovery mechanism. UNC5174, known for selling network access to **U.S. defense contractors, UK government entities, and Asian institutions**, previously exploited **CVE-2023-46747 (F5 BIG-IP)**, **CVE-2024-1709 (ConnectWise ScreenConnect)**, and **CVE-2025-31324 (SAP NetWeaver)**.The vulnerability poses a **critical risk** as it enables **full system compromise**, potentially allowing attackers to **move laterally across networks**, **steal sensitive data**, or **deploy additional malware**. While no **direct data breach or ransomware** was confirmed in this case, the exploitation by a **state-backed APT group** suggests **espionage or pre-positioning for future attacks**. Broadcom also patched **two other high-severity VMware NSX flaws** reported by the **NSA**, indicating a broader pattern of **targeted cyber operations** against enterprise infrastructure.
Symantec
Breach
Rankiteo Explanation
Attack with significant impact with internal employee data leaks
Description: Security firm Symantec was attacked by a hacker back in February 2021 in which the hackers extracted some of the data. This comprises not only passwords but a list of Symantec clients -- including government agencies. The hacker was able to access a list of clients using Symantec's CloudSOC services, account managers and account numbers.
Symantec
Vulnerability
Rankiteo Explanation
Attack with significant impact with internal employee data leaks
Description: Tavis Ormandy identified Symantec and Norton flaws that cybercriminals may use to gain access to users' data. There were 17 items on the list of vulnerable Symantec enterprise products. On the Symantec website, these items had been listed as a security advisory. Malware concealed in an executable file had a chance to obtain total access to the computer running the operating system, it was discovered that Symantec decompressed files in the operating system's kernel.
Broadcom Company Scoring based on AI Models
Cyber Incidents Likelihood 3 - 6 - 9 months
A.I Risk Score Likelihood 3 - 6 - 9 months
Underwriter Stats for Broadcom
Incidents vs Semiconductor Manufacturing Industry Average (This Year)
Broadcom has 124.72% more incidents than the average of same-industry companies with at least one recorded incident.
Incidents vs All-Companies Average (This Year)
Broadcom has 159.74% more incidents than the average of all companies with at least one recorded incident.
Incident Types Broadcom vs Semiconductor Manufacturing Industry Avg (This Year)
Broadcom reported 2 incidents this year: 0 cyber attacks, 2 ransomware, 0 vulnerabilities, 0 data breaches, compared to industry peers with at least 1 incident.
Incident History — Broadcom (X = Date, Y = Severity)
Broadcom cyber incidents detection timeline including parent company and subsidiaries
Broadcom Company Subsidiaries
A global infrastructure technology leader built on more than 60 years of innovation, collaboration and engineering excellence.
Loading...
Broadcom Similar Companies
onsemi (Nasdaq: ON) is driving disruptive innovations to help build a better future. With a focus on automotive and industrial end-markets, the company is accelerating change in megatrends such as vehicle electrification and safety, sustainable energy grids, industrial automation, and 5G and cloud i
TSMC
Established in 1987, TSMC is the world's first dedicated semiconductor foundry. As the founder and a leader of the Dedicated IC Foundry segment, TSMC has built its reputation by offering advanced and "More-than-Moore" wafer production processes and unparalleled manufacturing efficiency. From its in
Analog Devices, Inc. (NASDAQ: ADI) is a global semiconductor leader that bridges the physical and digital worlds to enable breakthroughs at the Intelligent Edge. ADI combines analog, digital, and software technologies into solutions that help drive advancements in digitized factories, mobility, and
Renesas is an embedded semiconductor solution provider driven by its Purpose ‘To Make Our Lives Easier.’ As the industry’s leading expert in embedded processing with unmatched quality and system-level know-how, we have evolved to provide scalable and comprehensive semiconductor solutions for automot
Semiconductors are crucial to solve the energy challenges of our time and shape the digital transformation. This is why Infineon is committed to actively driving decarbonization and digitalization. As a global semiconductor leader in power systems and IoT, we enable game-changing solutions for green
STMicroelectronics
ST is a global semiconductor leader delivering intelligent and energy-efficient products and solutions that power the electronics at the heart of everyday life. ST’s products are found everywhere today, and together with our customers, we are enabling smarter driving and smarter factories, cities an
MediaTek
MediaTek Incorporated (TWSE: 2454) is a global fabless semiconductor company that enables nearly 2 billion connected devices a year. We are a market leader in developing innovative systems-on-chip (SoC) for mobile, home entertainment, connectivity and IoT products. Our dedication to innovation has p
ASML
Who are we? ASML is an innovation leader in the global semiconductor industry. We make machines that chipmakers use to mass produce microchips. Founded in 1984 in the Netherlands with just a handful of employees, we’ve now grown to over 40,000 employees, 143 nationalities and more than 60 locations
GlobalFoundries (GF) is one of the world’s leading semiconductor manufacturers. GF is redefining innovation and semiconductor manufacturing by developing and delivering feature-rich process technology solutions that provide leadership performance in pervasive high growth markets. GF offers a unique
.png)
Broadcom CyberSecurity News
November 24, 2025 03:59 PM
🎙️SECURITY.COM The Podcast: Chasing Vulns with Jerry Gamblin
The saga of the SECURITY.COM domain, bug bounty platforms, and the software that everyone's afraid to touch.
November 21, 2025 08:40 AM
Clop Ransomware Claims Broadcom Breach Through E-Business Suite 0-Day
The notorious Cl0p ransomware gang has publicly claimed responsibility for breaching Broadcom, a leading semiconductor and infrastructure...
November 21, 2025 08:00 AM
Broadcom Allegedly Breached by Clop Ransomware via Oracle E-Business Suite 0-Day Hack
A ransomware group says it hacked Broadcom's internal systems using Oracle E-Business Suite flaws they are currently attacking.
November 21, 2025 08:00 AM
Broadcom (AVGO) Stock Today: Quantum‑Safe Breakthrough, Ransomware Claim and AI Momentum – November 21, 2025
Broadcom (NASDAQ: AVGO) finds itself at the center of multiple storylines today: a world‑first quantum‑safe data‑center networking launch,...
November 10, 2025 08:35 PM
How I Found My Calling in Mainframe Cybersecurity
Read to see how Adia Sakura-Lemessy leaned into her cybersecurity interests, discovered the world of mainframe—and launched a rewarding...
November 04, 2025 08:00 AM
Open-source VMware deserters in zombie software risk
A large number of VMware users who have opted for an open-source alternative may be operating on outdated software.
October 31, 2025 07:00 AM
CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting Broadcom VMware...
October 01, 2025 07:00 AM
Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability
A newly patched VMware vulnerability has been exploited as a zero-day by Chinese hackers since October 2024.
October 01, 2025 07:00 AM
Broadcom Patches VMware Zero-Day Exploited by Chinese Hackers Since 2024
In a move that has raised eyebrows among cybersecurity experts, Broadcom Inc. recently patched a high-severity vulnerability in its VMware...
Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
Broadcom CyberSecurity History Information
Official Website of Broadcom
The official website of Broadcom is http://www.broadcom.com.
Broadcom’s AI-Generated Cybersecurity Score
According to Rankiteo, Broadcom’s AI-generated cybersecurity score is 753, reflecting their Fair security posture.
How many security badges does Broadcom’ have ?
According to Rankiteo, Broadcom currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
Does Broadcom have SOC 2 Type 1 certification ?
According to Rankiteo, Broadcom is not certified under SOC 2 Type 1.
Does Broadcom have SOC 2 Type 2 certification ?
According to Rankiteo, Broadcom does not hold a SOC 2 Type 2 certification.
Does Broadcom comply with GDPR ?
According to Rankiteo, Broadcom is not listed as GDPR compliant.
Does Broadcom have PCI DSS certification ?
According to Rankiteo, Broadcom does not currently maintain PCI DSS compliance.
Does Broadcom comply with HIPAA ?
According to Rankiteo, Broadcom is not compliant with HIPAA regulations.
Does Broadcom have ISO 27001 certification ?
According to Rankiteo,Broadcom is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Industry Classification of Broadcom
Broadcom operates primarily in the Semiconductor Manufacturing industry.
Number of Employees at Broadcom
Broadcom employs approximately 53,946 people worldwide.
Subsidiaries Owned by Broadcom
Broadcom presently has no subsidiaries across any sectors.
Broadcom’s LinkedIn Followers
Broadcom’s official LinkedIn profile has approximately 589,166 followers.
NAICS Classification of Broadcom
Broadcom is classified under the NAICS code 3344, which corresponds to Semiconductor and Other Electronic Component Manufacturing.
Broadcom’s Presence on Crunchbase
No, Broadcom does not have a profile on Crunchbase.
Broadcom’s Presence on LinkedIn
Yes, Broadcom maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/broadcom.
Cybersecurity Incidents Involving Broadcom
As of December 11, 2025, Rankiteo reports that Broadcom has experienced 6 cybersecurity incidents.
Number of Peer and Competitor Companies
Broadcom has an estimated 1,267 peer or competitor companies worldwide.
What types of cybersecurity incidents have occurred at Broadcom ?
Incident Types: The types of cybersecurity incidents that have occurred include Vulnerability, Breach and Ransomware.
How does Broadcom detect and respond to cybersecurity incidents ?
Detection and Response: The company detects and responds to cybersecurity incidents through an incident response plan activated with yes (broadcom patch release), and third party assistance with nviso (vulnerability reporting and poc), third party assistance with google mandiant (threat actor analysis), and containment measures with patch release for cve-2025-41244, containment measures with previous patches for cve-2025-22224, cve-2025-22225, cve-2025-22226 (march 2024), containment measures with nsx vulnerabilities patched (november 2024), and network segmentation with recommended for organizations using oracle e-business suite, and enhanced monitoring with recommended: review security logs for unauthorized access, deploy edr solutions, and and third party assistance with mandiant (google-owned cybersecurity firm), and containment measures with oracle security patches (cve-2025-61882, cve-2025-21884), and remediation measures with patch application for oracle ebs vulnerabilities, and communication strategy with oracle security alerts to customers, communication strategy with public disclosure via media..
Incident Details
Can you provide details on each incident ?
Title: Symantec Data Breach
Description: Security firm Symantec was attacked by a hacker in February 2021, resulting in the extraction of data including passwords and a list of Symantec clients, including government agencies.
Date Detected: 2021-02-01
Type: Data Breach
Title: Symantec and Norton Vulnerabilities Identified by Tavis Ormandy
Description: Tavis Ormandy identified Symantec and Norton flaws that cybercriminals may use to gain access to users' data. There were 17 items on the list of vulnerable Symantec enterprise products. On the Symantec website, these items had been listed as a security advisory. Malware concealed in an executable file had a chance to obtain total access to the computer running the operating system, it was discovered that Symantec decompressed files in the operating system's kernel.
Type: Vulnerability Exploit
Attack Vector: Executable File
Vulnerability Exploited: File Decompression in Kernel
Motivation: Data Theft
Title: Broadcom Patches High-Severity VMware Aria Operations and VMware Tools Privilege Escalation Vulnerability (CVE-2025-41244) Exploited by UNC5174
Description: Broadcom has patched a high-severity privilege escalation vulnerability (CVE-2025-41244) in its VMware Aria Operations and VMware Tools software, exploited in zero-day attacks since October 2024. The vulnerability allows unprivileged local attackers to escalate privileges to root-level code execution by staging a malicious binary in broadly-matched regex paths (e.g., /tmp/httpd). The attacks have been linked to the Chinese state-sponsored threat actor UNC5174, a contractor for China's Ministry of State Security (MSS). NVISO released a proof-of-concept exploit demonstrating the flaw's exploitation.
Date Detected: 2024-05-01
Date Publicly Disclosed: 2024-11-05
Type: Privilege Escalation
Attack Vector: LocalMalicious Binary StagingService Discovery Abuse
Vulnerability Exploited: CVE-2025-41244 (VMware Aria Operations and VMware Tools Privilege Escalation)
Threat Actor: UNC5174 (Chinese state-sponsored, linked to Ministry of State Security - MSS)
Motivation: EspionageFinancial Gain (selling network access)Cyber Warfare
Title: Ransomware Attack on Business Systems House (BSH) Leading to Broadcom Employee Data Theft
Description: A ransomware attack on Business Systems House (BSH), a Middle Eastern partner of payroll provider ADP, resulted in the theft of Broadcom employee data in September 2024. The data was leaked online in December 2024, but Broadcom was not informed until May 2025. The El Dorado ransomware group claimed responsibility. The breach occurred during Broadcom's transition away from ADP and BSH as payroll providers.
Date Detected: 2024-09
Date Publicly Disclosed: 2025-05
Type: ransomware
Attack Vector: third-party vendor (BSH, a regional partner of ADP)
Threat Actor: El Dorado ransomware group
Motivation: financial gaindata theft
Title: Cl0p Ransomware Gang Claims Breach of Broadcom via Zero-Day in Oracle E-Business Suite
Description: The Cl0p ransomware gang has publicly claimed responsibility for breaching Broadcom, a leading semiconductor and infrastructure software company. The attackers allegedly exploited an unpatched zero-day vulnerability in Oracle E-Business Suite to gain initial access. The incident follows a pattern of Cl0p targeting high-value enterprise systems using zero-day and known vulnerabilities. Broadcom has not issued an official statement, and the claim remains unverified by independent security researchers. The vulnerability allows arbitrary code execution, persistent access, and lateral movement across corporate networks. Cl0p is known for combining zero-day exploitation with credential theft and data exfiltration before deploying ransomware.
Type: ransomware
Attack Vector: zero-day vulnerability in Oracle E-Business Suitearbitrary code executionlateral movementcredential theftdata exfiltration
Vulnerability Exploited: Unpatched zero-day vulnerability in Oracle E-Business Suite (arbitrary code execution)
Threat Actor: Cl0p ransomware gang
Motivation: financial gain (ransomware)data theft for extortiondisruption of high-value enterprise targets
Title: Cl0p Exploits Zero-Day Vulnerabilities in Oracle E-Business Suite Leading to Massive Data Breaches
Description: The cybercriminal group Cl0p exploited two zero-day vulnerabilities (CVE-2025-61882 and CVE-2025-21884) in Oracle’s E-Business Suite (EBS), leading to data breaches in over 100 companies, including Broadcom, Estée Lauder, Mazda, and Canon. The group demanded significant ransom payments, threatening to leak or sell exfiltrated data if unpaid. Oracle issued security patches, but the attacks had already compromised sensitive corporate and customer data across multiple industries and geographies.
Date Detected: 2023-09-01
Date Publicly Disclosed: 2023-11-20
Type: Ransomware
Attack Vector: Zero-Day Exploit (CVE-2025-61882, CVE-2025-21884)Unauthenticated HTTP RequestsData Exfiltration
Threat Actor: Cl0p (Clop)
Motivation: Financial Gain (Ransomware Extortion)
What are the most common types of attacks the company has faced ?
Common Attack Types: The most common types of attacks the company has faced is Ransomware.
How does the company identify the attack vectors used in incidents ?
Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Executable File, Exploitation of CVE-2025-41244 (privilege escalation via /tmp/httpd)Previous exploits: CVE-2023-46747 (F5 BIG-IP), CVE-2024-1709 (ConnectWise ScreenConnect), CVE-2025-31324 (NetWeaver Visual Composer), unpatched zero-day vulnerability in Oracle E-Business Suite, Zero-day vulnerabilities in Oracle EBS (CVE-2025-61882 and CVE-2025-21884).
Impact of the Incidents
What was the impact of each incident ?
Incident : Data Breach SYM1336271222
Data Compromised: Passwords, List of symantec clients, Government agencies, List of clients using symantec's cloudsoc services, Account managers, Account numbers
Incident : Vulnerability Exploit SYM44121823
Systems Affected: Symantec Enterprise Products
Incident : Privilege Escalation BRO4592445093025
Systems Affected: VMware Aria Operations (credential-based mode)VMware Tools (credential-less mode)
Operational Impact: Potential root-level code execution on vulnerable VMs, leading to full system compromise
Brand Reputation Impact: High (zero-day exploitation by state-sponsored actor, multiple high-profile vulnerabilities in 2024)
Incident : ransomware BRO3362533111725
Data Compromised: Broadcom employee data
Brand Reputation Impact: negative (ripples through tech and cybersecurity community)
Identity Theft Risk: potential (employee data exposed)
Incident : ransomware BRO0893008112125
Systems Affected: Oracle E-Business Suitesupply chain operationsfinancial systemscustomer datamanufacturing operationsresearch data
Operational Impact: potential disruption of manufacturing operationssupply chain interruptionsglobal infrastructure risks
Brand Reputation Impact: high (targeting a $300B+ company)potential loss of trust in supply chain security
Legal Liabilities: potential regulatory compliance violations (e.g., data protection laws)
Incident : Ransomware BRO3105131112625
Systems Affected: Oracle E-Business Suite (EBS) versions 12.2.3–12.2.14
Operational Impact: Significant (data exfiltration, potential system compromise)
Brand Reputation Impact: High (public disclosure of breaches, ransom demands)
Identity Theft Risk: High (PII and sensitive corporate data exfiltrated)
What types of data are most commonly compromised in incidents ?
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Passwords, List Of Symantec Clients, Government Agencies, List Of Clients Using Symantec'S Cloudsoc Services, Account Managers, Account Numbers, , Employee Data, , Potential: Corporate Data (Supply Chain, Financial, Customer), Intellectual Property (Research Data), , Corporate Data, Customer Data, Sensitive Business Information and .
Which entities were affected by each incident ?
Incident : Data Breach SYM1336271222
Entity Name: Symantec
Entity Type: Security Firm
Industry: Cybersecurity
Incident : Vulnerability Exploit SYM44121823
Entity Name: Symantec
Entity Type: Company
Industry: Cybersecurity
Incident : Privilege Escalation BRO4592445093025
Entity Name: Broadcom (VMware)
Entity Type: Technology Corporation
Industry: Software/Cloud Infrastructure
Location: United States (Global Operations)
Size: Large Enterprise
Incident : Privilege Escalation BRO4592445093025
Entity Name: U.S. Defense Contractors (via UNC5174 access sales)
Entity Type: Private/Government Contractors
Industry: Defense
Location: United States
Incident : Privilege Escalation BRO4592445093025
Entity Name: UK Government Entities (via UNC5174 access sales)
Entity Type: Government
Industry: Public Sector
Location: United Kingdom
Incident : Privilege Escalation BRO4592445093025
Entity Name: Asian Institutions (via UNC5174 access sales)
Entity Type: Government/Private
Industry: Multiple Sectors
Location: Asia
Incident : Privilege Escalation BRO4592445093025
Entity Name: U.S. and Canadian Institutions (via CVE-2024-1709 exploitation)
Entity Type: Multiple
Industry: Multiple Sectors
Location: United States, Canada
Customers Affected: Hundreds (per February 2024 attacks)
Incident : ransomware BRO3362533111725
Entity Name: Broadcom Inc.
Entity Type: multinational corporation
Industry: semiconductor, infrastructure software
Location: global (HQ in San Jose, California, USA)
Incident : ransomware BRO3362533111725
Entity Name: Business Systems House (BSH)
Entity Type: regional payroll service provider
Industry: payroll services
Location: Middle East
Customers Affected: Broadcom employees (data compromised)
Incident : ransomware BRO3362533111725
Entity Name: ADP (Automatic Data Processing)
Entity Type: payroll services giant
Industry: HR and payroll services
Location: global (HQ in Roseland, New Jersey, USA)
Incident : ransomware BRO0893008112125
Entity Name: Broadcom Inc.
Entity Type: public company
Industry: semiconductor manufacturing, infrastructure software
Location: global (HQ: San Jose, California, USA)
Size: $300+ billion market cap
Incident : Ransomware BRO3105131112625
Entity Name: Oracle
Entity Type: Corporation
Industry: Technology (Enterprise Software)
Location: United States
Size: Large (Fortune 500)
Incident : Ransomware BRO3105131112625
Entity Name: Broadcom
Entity Type: Corporation
Industry: Semiconductors/Technology
Location: United States
Size: Large (Fortune 500)
Incident : Ransomware BRO3105131112625
Entity Name: Estée Lauder Companies
Entity Type: Corporation
Industry: Cosmetics/Retail
Location: United States
Size: Large (Fortune 500)
Incident : Ransomware BRO3105131112625
Entity Name: Mazda
Entity Type: Corporation
Industry: Automotive
Location: Japan
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Canon
Entity Type: Corporation
Industry: Technology/Imaging
Location: Japan
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Michelin
Entity Type: Corporation
Industry: Automotive/Tires
Location: France
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Humana
Entity Type: Corporation
Industry: Healthcare/Insurance
Location: United States
Size: Large (Fortune 500)
Incident : Ransomware BRO3105131112625
Entity Name: Fruit of the Loom
Entity Type: Corporation
Industry: Apparel
Location: United States
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Abbott Laboratories
Entity Type: Corporation
Industry: Healthcare/Pharmaceuticals
Location: United States
Size: Large (Fortune 500)
Incident : Ransomware BRO3105131112625
Entity Name: Grupo Bimbo
Entity Type: Corporation
Industry: Food/Baking
Location: Mexico
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: A10 Networks
Entity Type: Corporation
Industry: Technology/Networking
Location: United States
Size: Mid-Large
Incident : Ransomware BRO3105131112625
Entity Name: Envoy
Entity Type: Corporation
Industry: Technology/Workplace Solutions
Location: United States
Size: Mid-Large
Incident : Ransomware BRO3105131112625
Entity Name: Greater Cleveland RTA
Entity Type: Government Agency
Industry: Transportation
Location: United States
Size: Mid
Incident : Ransomware BRO3105131112625
Entity Name: Frontrol
Entity Type: Corporation
Industry: Technology/Security
Incident : Ransomware BRO3105131112625
Entity Name: MAS Holdings
Entity Type: Corporation
Industry: Apparel/Manufacturing
Location: Sri Lanka
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Trane Technologies
Entity Type: Corporation
Industry: HVAC/Manufacturing
Location: United States
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Treet Corp
Entity Type: Corporation
Industry: Manufacturing
Incident : Ransomware BRO3105131112625
Entity Name: University of Phoenix
Entity Type: Educational Institution
Industry: Education
Location: United States
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: L&L Products
Entity Type: Corporation
Industry: Automotive/Manufacturing
Location: United States
Size: Mid-Large
Incident : Ransomware BRO3105131112625
Entity Name: Worley
Entity Type: Corporation
Industry: Engineering/Consulting
Location: Australia
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Fleet Management Limited
Entity Type: Corporation
Industry: Logistics/Transportation
Incident : Ransomware BRO3105131112625
Entity Name: Alshaya Group
Entity Type: Corporation
Industry: Retail/Hospitality
Location: Kuwait
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Bechtel Corporation
Entity Type: Corporation
Industry: Construction/Engineering
Location: United States
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: WellBiz Brands, Inc.
Entity Type: Corporation
Industry: Retail/Wellness
Location: United States
Size: Mid
Incident : Ransomware BRO3105131112625
Entity Name: Dooney & Bourke
Entity Type: Corporation
Industry: Luxury Accessories
Location: United States
Size: Mid
Incident : Ransomware BRO3105131112625
Entity Name: Greenball
Entity Type: Corporation
Industry: Manufacturing
Incident : Ransomware BRO3105131112625
Entity Name: Sumitomo Chemical
Entity Type: Corporation
Industry: Chemicals
Location: Japan
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Aljomaih Automotive Company (AAC)
Entity Type: Corporation
Industry: Automotive
Location: Saudi Arabia
Size: Large
Response to the Incidents
What measures were taken in response to each incident ?
Incident : Privilege Escalation BRO4592445093025
Incident Response Plan Activated: Yes (Broadcom patch release)
Third Party Assistance: Nviso (Vulnerability Reporting And Poc), Google Mandiant (Threat Actor Analysis).
Containment Measures: Patch release for CVE-2025-41244Previous patches for CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 (March 2024)NSX vulnerabilities patched (November 2024)
Incident : ransomware BRO0893008112125
Network Segmentation: ['recommended for organizations using Oracle E-Business Suite']
Enhanced Monitoring: recommended: review security logs for unauthorized access, deploy EDR solutions
Incident : Ransomware BRO3105131112625
Incident Response Plan Activated: True
Third Party Assistance: Mandiant (Google-Owned Cybersecurity Firm).
Containment Measures: Oracle security patches (CVE-2025-61882, CVE-2025-21884)
Remediation Measures: Patch application for Oracle EBS vulnerabilities
Communication Strategy: Oracle security alerts to customersPublic disclosure via media
What is the company's incident response plan?
Incident Response Plan: The company's incident response plan is described as Yes (Broadcom patch release), .
How does the company involve third-party assistance in incident response ?
Third-Party Assistance: The company involves third-party assistance in incident response through NVISO (vulnerability reporting and PoC), Google Mandiant (threat actor analysis), , Mandiant (Google-owned cybersecurity firm), .
Data Breach Information
What type of data was compromised in each breach ?
Incident : Data Breach SYM1336271222
Type of Data Compromised: Passwords, List of symantec clients, Government agencies, List of clients using symantec's cloudsoc services, Account managers, Account numbers
Incident : ransomware BRO3362533111725
Type of Data Compromised: Employee data
Sensitivity of Data: high (employee records)
Data Exfiltration: yes (leaked online in December 2024)
Personally Identifiable Information: likely (employee data)
Incident : ransomware BRO0893008112125
Type of Data Compromised: Potential: corporate data (supply chain, financial, customer), Intellectual property (research data)
Sensitivity of Data: high (enterprise resource planning data)potentially confidential (manufacturing, R&D)
Data Exfiltration: claimed by Cl0p (typical tactic before ransomware deployment)
Incident : Ransomware BRO3105131112625
Type of Data Compromised: Corporate data, Customer data, Sensitive business information
Sensitivity of Data: High
What measures does the company take to prevent data exfiltration ?
Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Patch application for Oracle EBS vulnerabilities, .
How does the company handle incidents involving personally identifiable information (PII) ?
Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by patch release for cve-2025-41244, previous patches for cve-2025-22224, cve-2025-22225, cve-2025-22226 (march 2024), nsx vulnerabilities patched (november 2024), , oracle security patches (cve-2025-61882, cve-2025-21884) and .
Ransomware Information
Was ransomware involved in any of the incidents ?
Incident : ransomware BRO0893008112125
Ransomware Strain: Cl0p
Data Encryption: ['likely (standard Cl0p tactic post-exfiltration)']
Data Exfiltration: ['claimed (pre-ransomware deployment)']
Incident : Ransomware BRO3105131112625
Ransom Demanded: True
Ransomware Strain: Cl0p (Clop)
Data Exfiltration: True
Lessons Learned and Recommendations
What lessons were learned from each incident ?
Incident : Privilege Escalation BRO4592445093025
Lessons Learned: 1. State-sponsored actors like UNC5174 are increasingly exploiting zero-day vulnerabilities in enterprise software (VMware, F5 BIG-IP, ConnectWise, SAP) for espionage and financial gain. 2. Privilege escalation vulnerabilities in widely used tools (e.g., VMware Aria Operations) can lead to full system compromise if left unpatched. 3. Collaboration with threat intelligence firms (NVISO, Mandiant, Microsoft) is critical for timely detection and mitigation. 4. Regular patching of high-severity vulnerabilities reported by entities like NSA and Microsoft Threat Intelligence is essential to prevent exploitation.
Incident : ransomware BRO0893008112125
Lessons Learned: Zero-day vulnerabilities in enterprise software (e.g., Oracle E-Business Suite) pose severe risks due to lack of patches at exploitation time., High-value targets (e.g., semiconductor manufacturers) are prioritized by ransomware groups like Cl0p for maximum impact., Proactive measures (e.g., network segmentation, EDR, threat intelligence monitoring) are critical for mitigating zero-day risks., Supply chain and ERP systems are attractive targets due to their central role in business operations.
Incident : Ransomware BRO3105131112625
Lessons Learned: Supplier vulnerabilities in enterprise software (e.g., Oracle EBS) can cascade into large-scale breaches across industries. Proactive patch management and supply chain risk monitoring (e.g., via SCRM platforms like Z2Data) are critical to mitigating third-party risks. Cl0p’s delayed data leak strategy highlights the importance of rapid incident response to prevent public exposure of sensitive data.
What recommendations were made to prevent future incidents ?
Incident : Privilege Escalation BRO4592445093025
Recommendations: Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors.Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors.Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors.Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors.Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors.Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors.Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors.
Incident : ransomware BRO0893008112125
Recommendations: Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Apply security patches for Oracle E-Business Suite as soon as they are released., Implement network segmentation to limit lateral movement in case of breach., Deploy endpoint detection and response (EDR) solutions for early threat detection., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Prepare incident response plans specifically for ransomware and zero-day scenarios.Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Apply security patches for Oracle E-Business Suite as soon as they are released., Implement network segmentation to limit lateral movement in case of breach., Deploy endpoint detection and response (EDR) solutions for early threat detection., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Prepare incident response plans specifically for ransomware and zero-day scenarios.Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Apply security patches for Oracle E-Business Suite as soon as they are released., Implement network segmentation to limit lateral movement in case of breach., Deploy endpoint detection and response (EDR) solutions for early threat detection., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Prepare incident response plans specifically for ransomware and zero-day scenarios.Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Apply security patches for Oracle E-Business Suite as soon as they are released., Implement network segmentation to limit lateral movement in case of breach., Deploy endpoint detection and response (EDR) solutions for early threat detection., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Prepare incident response plans specifically for ransomware and zero-day scenarios.Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Apply security patches for Oracle E-Business Suite as soon as they are released., Implement network segmentation to limit lateral movement in case of breach., Deploy endpoint detection and response (EDR) solutions for early threat detection., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Prepare incident response plans specifically for ransomware and zero-day scenarios.Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Apply security patches for Oracle E-Business Suite as soon as they are released., Implement network segmentation to limit lateral movement in case of breach., Deploy endpoint detection and response (EDR) solutions for early threat detection., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Prepare incident response plans specifically for ransomware and zero-day scenarios.Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Apply security patches for Oracle E-Business Suite as soon as they are released., Implement network segmentation to limit lateral movement in case of breach., Deploy endpoint detection and response (EDR) solutions for early threat detection., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Prepare incident response plans specifically for ransomware and zero-day scenarios.
Incident : Ransomware BRO3105131112625
Recommendations: Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately., Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data)., Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components., Conduct regular audits of enterprise software for zero-day vulnerabilities., Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios., Evaluate the need for network segmentation to limit lateral movement in case of breaches.Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately., Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data)., Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components., Conduct regular audits of enterprise software for zero-day vulnerabilities., Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios., Evaluate the need for network segmentation to limit lateral movement in case of breaches.Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately., Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data)., Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components., Conduct regular audits of enterprise software for zero-day vulnerabilities., Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios., Evaluate the need for network segmentation to limit lateral movement in case of breaches.Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately., Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data)., Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components., Conduct regular audits of enterprise software for zero-day vulnerabilities., Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios., Evaluate the need for network segmentation to limit lateral movement in case of breaches.Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately., Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data)., Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components., Conduct regular audits of enterprise software for zero-day vulnerabilities., Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios., Evaluate the need for network segmentation to limit lateral movement in case of breaches.Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately., Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data)., Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components., Conduct regular audits of enterprise software for zero-day vulnerabilities., Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios., Evaluate the need for network segmentation to limit lateral movement in case of breaches.
What are the key lessons learned from past incidents ?
Key Lessons Learned: The key lessons learned from past incidents are 1. State-sponsored actors like UNC5174 are increasingly exploiting zero-day vulnerabilities in enterprise software (VMware, F5 BIG-IP, ConnectWise, SAP) for espionage and financial gain. 2. Privilege escalation vulnerabilities in widely used tools (e.g., VMware Aria Operations) can lead to full system compromise if left unpatched. 3. Collaboration with threat intelligence firms (NVISO, Mandiant, Microsoft) is critical for timely detection and mitigation. 4. Regular patching of high-severity vulnerabilities reported by entities like NSA and Microsoft Threat Intelligence is essential to prevent exploitation.Zero-day vulnerabilities in enterprise software (e.g., Oracle E-Business Suite) pose severe risks due to lack of patches at exploitation time.,High-value targets (e.g., semiconductor manufacturers) are prioritized by ransomware groups like Cl0p for maximum impact.,Proactive measures (e.g., network segmentation, EDR, threat intelligence monitoring) are critical for mitigating zero-day risks.,Supply chain and ERP systems are attractive targets due to their central role in business operations.Supplier vulnerabilities in enterprise software (e.g., Oracle EBS) can cascade into large-scale breaches across industries. Proactive patch management and supply chain risk monitoring (e.g., via SCRM platforms like Z2Data) are critical to mitigating third-party risks. Cl0p’s delayed data leak strategy highlights the importance of rapid incident response to prevent public exposure of sensitive data.
References
Where can I find more information about each incident ?
Incident : Privilege Escalation BRO4592445093025
Source: NVISO Research (Maxime Thiebaut)
Date Accessed: 2024-11-04
Incident : Privilege Escalation BRO4592445093025
Source: Google Mandiant (UNC5174 Analysis)
Incident : Privilege Escalation BRO4592445093025
Source: Broadcom Security Advisory for CVE-2025-41244
Date Accessed: 2024-11-05
Incident : Privilege Escalation BRO4592445093025
Source: Microsoft Threat Intelligence (VMware Zero-Days, March 2024)
Incident : ransomware BRO3362533111725
Source: The Register
Incident : ransomware BRO0893008112125
Source: GBHackers (GBH)
Incident : Ransomware BRO3105131112625
Source: U.S. Cybersecurity and Infrastructure Security Agency (CISA)
Incident : Ransomware BRO3105131112625
Source: UK National Cyber Security Centre (NCSC)
Incident : Ransomware BRO3105131112625
Source: Mandiant (Google-owned cybersecurity firm)
Incident : Ransomware BRO3105131112625
Source: Oracle Security Alerts (CVE-2025-61882, CVE-2025-21884)
Incident : Ransomware BRO3105131112625
Source: Z2Data Supplier Risk Analysis
Where can stakeholders find additional resources on cybersecurity best practices ?
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: BleepingComputerDate Accessed: 2024-11-05, and Source: NVISO Research (Maxime Thiebaut)Date Accessed: 2024-11-04, and Source: Google Mandiant (UNC5174 Analysis), and Source: Broadcom Security Advisory for CVE-2025-41244Date Accessed: 2024-11-05, and Source: Microsoft Threat Intelligence (VMware Zero-Days, March 2024), and Source: The Register, and Source: GBHackers (GBH), and Source: U.S. Cybersecurity and Infrastructure Security Agency (CISA), and Source: UK National Cyber Security Centre (NCSC), and Source: Mandiant (Google-owned cybersecurity firm), and Source: Oracle Security Alerts (CVE-2025-61882, CVE-2025-21884), and Source: Z2Data Supplier Risk AnalysisUrl: https://www.z2data.com.
Investigation Status
What is the current status of the investigation for each incident ?
Incident : Privilege Escalation BRO4592445093025
Investigation Status: Ongoing (patch released; threat actor activity under monitoring)
Incident : ransomware BRO3362533111725
Investigation Status: disclosed (May 2025)
Incident : ransomware BRO0893008112125
Investigation Status: unverified (claimed by Cl0p, no official statement from Broadcom; independent verification pending)
Incident : Ransomware BRO3105131112625
Investigation Status: Ongoing (Cl0p’s data leak timeline suggests delayed public exposure)
How does the company communicate the status of incident investigations to stakeholders ?
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Oracle Security Alerts To Customers and Public Disclosure Via Media.
Stakeholder and Customer Advisories
Were there any advisories issued to stakeholders or customers for each incident ?
Incident : Privilege Escalation BRO4592445093025
Customer Advisories: Broadcom urged customers to apply patches immediately; no detailed advisory provided in the article.
Incident : Ransomware BRO3105131112625
Stakeholder Advisories: Oracle Security Alerts Urging Immediate Patching, Mandiant’S Analysis Of Cl0P’S Modus Operandi.
Customer Advisories: Companies advised to monitor for data leaks on Cl0p’s blog or dark web marketplaces
What advisories does the company provide to stakeholders and customers following an incident ?
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Broadcom urged customers to apply patches immediately; no detailed advisory provided in the article., Oracle Security Alerts Urging Immediate Patching, Mandiant’S Analysis Of Cl0P’S Modus Operandi, Companies Advised To Monitor For Data Leaks On Cl0P’S Blog Or Dark Web Marketplaces and .
Initial Access Broker
How did the initial access broker gain entry for each incident ?
Incident : Vulnerability Exploit SYM44121823
Entry Point: Executable File
Incident : Privilege Escalation BRO4592445093025
Entry Point: Exploitation Of Cve-2025-41244 (Privilege Escalation Via /Tmp/Httpd), Previous Exploits: Cve-2023-46747 (F5 Big-Ip), Cve-2024-1709 (Connectwise Screenconnect), Cve-2025-31324 (Netweaver Visual Composer),
Backdoors Established: Likely (based on UNC5174's history of selling network access)
High Value Targets: U.S. Defense Contractors, Uk Government Entities, Asian Institutions, Critical Infrastructure (Uk/Us Via Sap Netweaver Attacks),
Data Sold on Dark Web: U.S. Defense Contractors, Uk Government Entities, Asian Institutions, Critical Infrastructure (Uk/Us Via Sap Netweaver Attacks),
Incident : ransomware BRO3362533111725
High Value Targets: Broadcom Employee Data,
Data Sold on Dark Web: Broadcom Employee Data,
Incident : ransomware BRO0893008112125
Entry Point: unpatched zero-day vulnerability in Oracle E-Business Suite
Backdoors Established: ['likely (Cl0p tactic for persistence)']
High Value Targets: Broadcom'S Manufacturing Operations, Research Data, Customer Information, Supply Chain Systems,
Data Sold on Dark Web: Broadcom'S Manufacturing Operations, Research Data, Customer Information, Supply Chain Systems,
Incident : Ransomware BRO3105131112625
Entry Point: Zero-Day Vulnerabilities In Oracle Ebs (Cve-2025-61882, Cve-2025-21884),
Reconnaissance Period: Since late September 2023 (pre-exploitation activity)
High Value Targets: Fortune 500 Companies (E.G., Broadcom, Estée Lauder), Multinational Corporations With Oracle Ebs Dependencies,
Data Sold on Dark Web: Fortune 500 Companies (E.G., Broadcom, Estée Lauder), Multinational Corporations With Oracle Ebs Dependencies,
Post-Incident Analysis
What were the root causes and corrective actions taken for each incident ?
Incident : Privilege Escalation BRO4592445093025
Root Causes: Privilege Escalation Vulnerability In Vmware Service Discovery Mechanism (Broad Regex Path Matching)., Insufficient Validation Of Unprivileged User Processes Opening Listening Sockets., Delayed Public Disclosure Of In-The-Wild Exploitation (Attacks Began In October 2024; Patch/Report In November 2024)., Reuse Of Exploit Techniques Across Multiple Vulnerabilities (E.G., Cve-2023-46747, Cve-2024-1709) By Unc5174.,
Corrective Actions: Broadcom Released Patches For Cve-2025-41244 And Related Vmware Nsx Vulnerabilities., Nviso Published Poc To Aid Detection And Mitigation., Organizations Advised To Audit Vmware Environments For Signs Of Exploitation (E.G., Suspicious /Tmp/Httpd Binaries)., Enhanced Monitoring For Unc5174 Ttps (Tactics, Techniques, Procedures) Across Enterprise Software.,
Incident : ransomware BRO3362533111725
Root Causes: Third-Party Vendor Vulnerability (Bsh), Supply Chain Risk During Transition Period,
Incident : ransomware BRO0893008112125
Root Causes: Use Of Unpatched Enterprise Software (Oracle E-Business Suite) With Zero-Day Vulnerability., Potential Lack Of Network Segmentation Allowing Lateral Movement., Targeting By A Sophisticated Threat Actor (Cl0P) With A History Of Exploiting Zero-Days.,
Incident : Ransomware BRO3105131112625
Root Causes: Unpatched Zero-Day Vulnerabilities In Oracle Ebs (Cve-2025-61882, Cve-2025-21884)., Lack Of Real-Time Monitoring For Unauthenticated Http Requests Targeting Critical Components (Bi Publisher, Configurator Ui)., Supplier Risk Blind Spots In Enterprise Software Supply Chains.,
Corrective Actions: Immediate Application Of Oracle-Provided Security Patches., Enhanced Supplier Risk Assessments Using Scrm Platforms (E.G., Z2Data)., Implementation Of Behavioral Wafs Or Anomaly Detection For Oracle Ebs Environments., Review Of Third-Party Software Dependencies For Similar Vulnerabilities.,
What is the company's process for conducting post-incident analysis ?
Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Nviso (Vulnerability Reporting And Poc), Google Mandiant (Threat Actor Analysis), , Recommended: Review Security Logs For Unauthorized Access, Deploy Edr Solutions, , Mandiant (Google-Owned Cybersecurity Firm), .
What corrective actions has the company taken based on post-incident analysis ?
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Broadcom Released Patches For Cve-2025-41244 And Related Vmware Nsx Vulnerabilities., Nviso Published Poc To Aid Detection And Mitigation., Organizations Advised To Audit Vmware Environments For Signs Of Exploitation (E.G., Suspicious /Tmp/Httpd Binaries)., Enhanced Monitoring For Unc5174 Ttps (Tactics, Techniques, Procedures) Across Enterprise Software., , Immediate Application Of Oracle-Provided Security Patches., Enhanced Supplier Risk Assessments Using Scrm Platforms (E.G., Z2Data)., Implementation Of Behavioral Wafs Or Anomaly Detection For Oracle Ebs Environments., Review Of Third-Party Software Dependencies For Similar Vulnerabilities., .
Additional Questions
General Information
What was the amount of the last ransom demanded ?
Last Ransom Demanded: The amount of the last ransom demanded was True.
Who was the attacking group in the last incident ?
Last Attacking Group: The attacking group in the last incident were an UNC5174 (Chinese state-sponsored, linked to Ministry of State Security - MSS), El Dorado ransomware group, Cl0p ransomware gang and Cl0p (Clop).
Incident Details
What was the most recent incident detected ?
Most Recent Incident Detected: The most recent incident detected was on 2021-02-01.
What was the most recent incident publicly disclosed ?
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2023-11-20.
Impact of the Incidents
What was the most significant data compromised in an incident ?
Most Significant Data Compromised: The most significant data compromised in an incident were passwords, list of Symantec clients, government agencies, list of clients using Symantec's CloudSOC services, account managers, account numbers, , Broadcom employee data, and .
What was the most significant system affected in an incident ?
Most Significant System Affected: The most significant system affected in an incident was Symantec Enterprise Products and VMware Aria Operations (credential-based mode)VMware Tools (credential-less mode) and Oracle E-Business Suitesupply chain operationsfinancial systemscustomer datamanufacturing operationsresearch data and Oracle E-Business Suite (EBS) versions 12.2.3–12.2.14.
Response to the Incidents
What third-party assistance was involved in the most recent incident ?
Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was nviso (vulnerability reporting and poc), google mandiant (threat actor analysis), , mandiant (google-owned cybersecurity firm), .
What containment measures were taken in the most recent incident ?
Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Patch release for CVE-2025-41244Previous patches for CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 (March 2024)NSX vulnerabilities patched (November 2024), Oracle security patches (CVE-2025-61882 and CVE-2025-21884).
Data Breach Information
What was the most sensitive data compromised in a breach ?
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were account numbers, passwords, list of clients using Symantec's CloudSOC services, government agencies, list of Symantec clients, account managers and Broadcom employee data.
Ransomware Information
What was the highest ransom demanded in a ransomware incident ?
Highest Ransom Demanded: The highest ransom demanded in a ransomware incident was True.
Lessons Learned and Recommendations
What was the most significant lesson learned from past incidents ?
Most Significant Lesson Learned: The most significant lesson learned from past incidents was Supply chain and ERP systems are attractive targets due to their central role in business operations., Supplier vulnerabilities in enterprise software (e.g., Oracle EBS) can cascade into large-scale breaches across industries. Proactive patch management and supply chain risk monitoring (e.g., via SCRM platforms like Z2Data) are critical to mitigating third-party risks. Cl0p’s delayed data leak strategy highlights the importance of rapid incident response to prevent public exposure of sensitive data.
What was the most significant recommendation implemented to improve cybersecurity ?
Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Implement network segmentation to limit lateral movement in case of breach., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Evaluate the need for network segmentation to limit lateral movement in case of breaches., Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios., Apply security patches for Oracle E-Business Suite as soon as they are released., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately., Prepare incident response plans specifically for ransomware and zero-day scenarios., Conduct regular audits of enterprise software for zero-day vulnerabilities., Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data)., Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Deploy endpoint detection and response (EDR) solutions for early threat detection., Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components., Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations. and Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors..
References
What is the most recent source of information about an incident ?
Most Recent Source: The most recent source of information about an incident are Google Mandiant (UNC5174 Analysis), GBHackers (GBH), UK National Cyber Security Centre (NCSC), Z2Data Supplier Risk Analysis, NVISO Research (Maxime Thiebaut), The Register, Microsoft Threat Intelligence (VMware Zero-Days, March 2024), U.S. Cybersecurity and Infrastructure Security Agency (CISA), BleepingComputer, Mandiant (Google-owned cybersecurity firm), Broadcom Security Advisory for CVE-2025-41244, Oracle Security Alerts (CVE-2025-61882 and CVE-2025-21884).
What is the most recent URL for additional resources on cybersecurity best practices ?
Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.z2data.com .
Investigation Status
What is the current status of the most recent investigation ?
Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (patch released; threat actor activity under monitoring).
Stakeholder and Customer Advisories
What was the most recent stakeholder advisory issued ?
Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Oracle security alerts urging immediate patching, Mandiant’s analysis of Cl0p’s modus operandi, .
What was the most recent customer advisory issued ?
Most Recent Customer Advisory: The most recent customer advisory issued were an Broadcom urged customers to apply patches immediately; no detailed advisory provided in the article. and Companies advised to monitor for data leaks on Cl0p’s blog or dark web marketplaces.
Initial Access Broker
What was the most recent entry point used by an initial access broker ?
Most Recent Entry Point: The most recent entry point used by an initial access broker were an Executable File and unpatched zero-day vulnerability in Oracle E-Business Suite.
What was the most recent reconnaissance period for an incident ?
Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Since late September 2023 (pre-exploitation activity).
Post-Incident Analysis
What was the most significant root cause identified in post-incident analysis ?
Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Privilege escalation vulnerability in VMware service discovery mechanism (broad regex path matching).Insufficient validation of unprivileged user processes opening listening sockets.Delayed public disclosure of in-the-wild exploitation (attacks began in October 2024; patch/report in November 2024).Reuse of exploit techniques across multiple vulnerabilities (e.g., CVE-2023-46747, CVE-2024-1709) by UNC5174., third-party vendor vulnerability (BSH)supply chain risk during transition period, Use of unpatched enterprise software (Oracle E-Business Suite) with zero-day vulnerability.Potential lack of network segmentation allowing lateral movement.Targeting by a sophisticated threat actor (Cl0p) with a history of exploiting zero-days., Unpatched zero-day vulnerabilities in Oracle EBS (CVE-2025-61882, CVE-2025-21884).Lack of real-time monitoring for unauthenticated HTTP requests targeting critical components (BI Publisher, Configurator UI).Supplier risk blind spots in enterprise software supply chains..
What was the most significant corrective action taken based on post-incident analysis ?
Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Broadcom released patches for CVE-2025-41244 and related VMware NSX vulnerabilities.NVISO published PoC to aid detection and mitigation.Organizations advised to audit VMware environments for signs of exploitation (e.g., suspicious /tmp/httpd binaries).Enhanced monitoring for UNC5174 TTPs (tactics, techniques, procedures) across enterprise software., Immediate application of Oracle-provided security patches.Enhanced supplier risk assessments using SCRM platforms (e.g., Z2Data).Implementation of behavioral WAFs or anomaly detection for Oracle EBS environments.Review of third-party software dependencies for similar vulnerabilities..
.png)
Latest Global CVEs (Not Company-Specific)
Description
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions prior to 16.0.96 and 17.0.1 through 17.0.9 have a weak default password. By default, this is a 6 digit numeric value which can be brute forced. (This is the app_password parameter). Depending on local configuration, this password could be the extension, voicemail, user manager, DPMA or EPM phone admin password. This issue is fixed in versions 16.0.96 and 17.0.10.
Risk Information
cvss4
Base: 6.9
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions. This is consistent with the name (“write tool”), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions). Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges are impacted. This issue is fixed in version 2.8.12.
Risk Information
cvss3
Base: 9.4
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Description
Neuron is a PHP framework for creating and orchestrating AI Agents. Versions 2.8.11 and below use MySQLSelectTool, which is vulnerable to Read-Only Bypass. MySQLSelectTool is intended to be a read-only SQL tool (e.g., for LLM agent querying, however, validation based on the first keyword (e.g., SELECT) and a forbidden-keyword list does not block file-writing constructs such as INTO OUTFILE / INTO DUMPFILE. As a result, an attacker who can influence the tool input (e.g., via prompt injection through a public agent endpoint) may write arbitrary files to the DB server if the MySQL/MariaDB account has the FILE privilege and server configuration permits writes to a useful location (e.g., a web-accessible directory). This issue is fixed in version 2.8.12.
Risk Information
cvss3
Base: 8.2
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Description
Okta Java Management SDK facilitates interactions with the Okta management API. In versions 11.0.0 through 20.0.0, race conditions may arise from concurrent requests using the ApiClient class. This could cause a status code or response header from one request’s response to influence another request’s response. This issue is fixed in version 20.0.1.
Risk Information
cvss3
Base: 8.4
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Description
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This issue is fixed in versions 4.11.2 and 4.12.1.
Risk Information
cvss3
Base: 5.4
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
Access Data Using Our API
Get company history
curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=broadcom' -H 'apikey: YOUR_API_KEY_HERE'
RapidWhat Do We Measure ?
Incident
Finding
Grade
Digital Assets
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Network Security
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
SBOM (Software Bill of Materials)
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
CMDB (Configuration Management Database)
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Threat Intelligence
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.
