Broadcom

Broadcom Vendor Cyber Rating & Cyber Score

broadcom.com

Broadcom provides semiconductors and infrastructure software for global organizations’ complex, mission-critical needs. We combine long-term R&D investment with superb execution to deliver the best technology, at scale. Through focus and expertise, Broadcom sets the standard in industries where technology breakthroughs shape markets. Our semiconductor and semiconductor-based solutions serve markets across networking connectivity, wireless device connectivity, servers and storage systems, broadband, and industrial. Broadcom’s infrastructure software solutions serve markets including private cloud, mainframe software, cybersecurity, enterprise software, and Fibre Channel storage area network management. With these core technologies, we help


Broadcom A.I CyberSecurity Scoring

Broadcom
Company Information
Website: http://www.broadcom.com
Number of employees: 55,707
Number of followers: 616,560
NAICS: 3344
Industry Type: Semiconductor Manufacturing
Homepage: broadcom.com
Broadcom Risk Score (AI oriented)
Between 750 and 799
Broadcom, Semiconductor Manufacturing
Updated: 19/05/2026
760/1000, Fair, Baa
Rating scale: Aaa, Aa, A, Baa, Ba, B, Caa, Ca, C
Powered by our proprietary A.I cyber incident model

Broadcom
Current Score: 760, Baa (FAIR), on a scale of 0 to 1000
8 incidents
-19 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 760 Before Incident
MAY 2026: 759 Before Incident
APRIL 2026: 756 Before Incident
MARCH 2026: 757 Before Incident
Vulnerability
30 Mar 2026, Broadcom
Broadcom: Symantec DLP Agent Flaw Exposed Systems to Privilege Escalation Attacks

High-Severity Symantec DLP Agent Flaw Grants SYSTEM Privileges to Attackers

756 After Incident
CRITICAL-1
BRO1775111316

A critical local privilege escalation (LPE) vulnerability in the Symantec Data Loss Prevention (DLP) Agent for Windows (CVE-2026-3991, CVSS 7.8) allows low-privileged attackers to gain full SYSTEM-level control of affected machines. Discovered by security researcher Manuel Feifel and reported to Broadcom in late 2025, the flaw stems from a hardcoded file path in the agent’s OpenSSL integration, enabling attackers to bypass security controls.

### Exploitation Mechanism

The vulnerability arises from the edpa.exe process, which runs with SYSTEM privileges and attempts to load an OpenSSL configuration file from a non-existent directory: `C:\VontuDev\workDir\openssl\output\x64\Release\SSL\openssl.cnf`. Since the `C:\VontuDev` folder does not exist by default, attackers can create it and place a malicious OpenSSL configuration file and DLL in the path. When the DLP Agent restarts, it loads these files, executing the attacker’s code with SYSTEM rights, effectively granting full control. This technique is particularly stealthy, as the malicious payload runs within the trusted DLP agent process, evading endpoint security and monitoring tools.

### Affected Versions & Patch Availability

The flaw impacts Symantec DLP Agent versions prior to 16.1 MP2 and 25.1 MP1. Broadcom released patches on March 30, 2026, with the following fixed versions:

- DLP 25.1 MP1
- DLP 16.1 MP2
- DLP 16.0 RU2 HF9
- DLP 16.0 RU1 MP1 HF12
- DLP 16.0 MP2 HF15

No additional configuration changes are required; applying the update fully mitigates the vulnerability.

### Impact & Risk

While exploitation requires an attacker to already have basic access to a target system, privilege escalation is a key tactic in ransomware and cyber espionage campaigns. The flaw’s ability to bypass security controls and persist undetected makes it a significant threat to organizations relying on Symantec DLP for data protection.

INCIDENT DETAILS
TYPE: Local Privilege Escalation (LPE)
IMPACT:
- Systems Affected: Windows machines running vulnerable Symantec DLP Agent versions
- Operational Impact: Full SYSTEM-level control of affected machines, potential for ransomware or cyber espionage
- Brand Reputation Impact: Potential reputational damage due to security flaw in data protection software
MARCH 2026: 761 Before Incident
Cyber Attack
17 Mar 2026, Broadcom
Estée Lauder, Broadcom, Abbott Technologies, Oracle and Bechtel: Silence from the Corporate Giants: Four Companies Yet to Comment on Oracle EBS Hack

Oracle E-Business Suite Hack Leaves Four Major Companies Silent on Impact

756 After Incident
CRITICAL-5
BROBECTHEORAABB1773750615

A recent cyberattack targeting Oracle E-Business Suite (EBS) has disrupted organizations reliant on the platform for critical business operations, including finance, supply chain, HR, and procurement. While many companies have responded with public disclosures and mitigation efforts, Broadcom, Bechtel, Estée Lauder, and Abbott Technologies have yet to issue any statements, raising concerns about transparency and crisis management.

The breach exposes vulnerabilities in a widely used enterprise software suite, threatening the integrity of sensitive corporate and customer data. Security researchers and incident response teams are assessing the full scope of the compromise, with affected organizations working to determine exposure and prevent follow-on attacks.

In contrast to the silent four, other companies have taken proactive steps, including acknowledging the breach, implementing security measures, collaborating with cybersecurity firms, and notifying stakeholders. This approach is considered best practice in handling enterprise-wide software vulnerabilities.

The continued silence from Broadcom, Bechtel, Estée Lauder, and Abbott Technologies leaves stakeholders uninformed about potential risks, data protection efforts, and the companies’ cybersecurity commitments. The lack of disclosure may also invite regulatory scrutiny, particularly for publicly traded firms, while risking long-term reputational damage.

As cybersecurity incidents grow in frequency and severity, transparent communication is increasingly seen as a corporate obligation, both for stakeholder trust and legal compliance. The absence of updates from these four companies underscores a critical gap in modern incident response policies.

INCIDENT DETAILS
TYPE: Cyberattack
IMPACT:
- Data Compromised: Sensitive corporate and customer data
- Systems Affected: Finance, supply chain, HR, and procurement systems
- Operational Impact: Disruption of critical business operations
- Brand Reputation Impact: Potential long-term reputational damage
DATA BREACH:
- Type Of Data Compromised: Sensitive corporate and customer data
- Sensitivity Of Data: High
FEBRUARY 2026: 758 Before Incident
JANUARY 2026: 757 Before Incident
DECEMBER 2025: 753 Before Incident
NOVEMBER 2025: 752 Before Incident
OCTOBER 2025: 750 Before Incident
SEPTEMBER 2025: 747 Before Incident
AUGUST 2025: 744 Before Incident
JULY 2025: 741 Before Incident
JUNE 2025: 787 Before Incident
Ransomware
16 Jun 2025, Broadcom
Broadcom

Cl0p Exploits Zero-Day Vulnerabilities in Oracle E-Business Suite Leading to Massive Data Breaches

736 After Incident
CRITICAL-51
BRO3105131112625
Broadcom, a global technology leader valued at hundreds of billions, was among the high-profile victims of Cl0p’s ransomware attack exploiting a zero-day vulnerability in Oracle’s E-Business Suite (CVE-2025-61882 and CVE-2025-21884). The cybercriminal group exfiltrated sensitive corporate and customer data, threatening to leak or sell it unless a ransom was paid. The breach compromised critical systems, risking financial records, proprietary business data, and third-party customer information. Cl0p’s extortion tactics included warnings of public disclosure on their blog, torrent leaks, or sales to malicious actors, amplifying reputational and operational risks. Given Broadcom’s role in semiconductor and infrastructure technology, the attack posed supply chain cascading risks, potentially disrupting clients reliant on its products. Oracle issued emergency patches, but the damage—including data theft, potential regulatory fines, and erosion of stakeholder trust—had already occurred. The incident underscores vulnerabilities in enterprise software dependencies, with Broadcom facing long-term financial and strategic repercussions if the stolen data is weaponized.
INCIDENT DETAILS
TYPE:
- Ransomware
- Data Breach
- Zero-Day Exploit
MOTIVATION: Financial Gain (Ransomware Extortion)
IMPACT:
- Oracle E-Business Suite (EBS) versions 12.2.3–12.2.14
- Operational Impact: Significant (data exfiltration, potential system compromise)
- Brand Reputation Impact: High (public disclosure of breaches, ransom demands)
- Identity Theft Risk: High (PII and sensitive corporate data exfiltrated)
DATA BREACH:
- Corporate Data
- Customer Data
- Sensitive Business Information
- Sensitivity Of Data: High
MAY 2025: 823 Before Incident
Ransomware
01 May 2025, Broadcom
Broadcom

Cl0p Ransomware Gang Claims Breach of Broadcom via Zero-Day in Oracle E-Business Suite

785 After Incident
CRITICAL-38
BRO0893008112125
The Cl0p ransomware gang breached Broadcom, a $300+ billion semiconductor and infrastructure software leader, by exploiting an unpatched zero-day vulnerability in Oracle E-Business Suite. This ERP platform manages critical operations, including supply chain, financial systems, and customer data, making it a high-value target. The attackers likely exfiltrated sensitive corporate data (potentially including intellectual property, manufacturing secrets, and customer information) before deploying ransomware, following Cl0p’s typical double-extortion tactic. The breach risks operational disruptions in global manufacturing, regulatory penalties for data exposure, and reputational damage due to the involvement of a notorious ransomware group. The use of a zero-day exploit amplifies the threat, as other organizations using Oracle E-Business Suite may face similar attacks until a patch is released. Broadcom has not confirmed the incident, but the alleged compromise aligns with Cl0p’s pattern of targeting high-value enterprises via unpatched vulnerabilities in widely used software.
INCIDENT DETAILS
TYPE:
- ransomware
- data breach
- zero-day exploit
MOTIVATION:
- financial gain (ransomware)
- data theft for extortion
- disruption of high-value enterprise targets
IMPACT:
- Oracle E-Business Suite
- supply chain operations
- financial systems
- customer data
- manufacturing operations
- research data
- potential disruption of manufacturing operations
- supply chain interruptions
- global infrastructure risks
- high (targeting a $300B+ company)
- potential loss of trust in supply chain security
- potential regulatory compliance violations (e.g., data protection laws)
DATA BREACH:
- potential: corporate data (supply chain, financial, customer)
- intellectual property (research data)
- high (enterprise resource planning data)
- potentially confidential (manufacturing, R&D)
- claimed by Cl0p (typical tactic before ransomware deployment)
SEPTEMBER 2024: 845 Before Incident
Ransomware
01 Sep 2024, Broadcom
Broadcom

Ransomware Attack on Business Systems House (BSH) Leading to Broadcom Employee Data Theft

818 After Incident
CRITICAL-27
BRO3362533111725
A ransomware attack targeted Business Systems House (BSH), a Middle Eastern payroll partner of ADP, in September 2024, leading to the theft of Broadcom’s employee data. The compromised data was leaked online in December 2024, but Broadcom was not notified until May 2025—an eight-month delay. The El Dorado ransomware group claimed responsibility, exploiting Broadcom’s ongoing transition between payroll providers. The breach exposed sensitive employee information, including personal and financial details, while Broadcom was still dependent on ADP and BSH for payroll processing. The incident underscores critical vulnerabilities in third-party supply chain security, particularly during vendor transitions, and highlights the prolonged risks of undetected data exfiltration in ransomware attacks. The delayed disclosure further exacerbated reputational and operational risks for Broadcom, a global semiconductor and infrastructure software leader.
INCIDENT DETAILS
TYPE:
- ransomware
- data breach
- supply chain attack
MOTIVATION:
- financial gain
- data theft
IMPACT:
- Broadcom employee data
- Brand Reputation Impact: negative (ripples through tech and cybersecurity community)
- Identity Theft Risk: potential (employee data exposed)
DATA BREACH:
- employee data
- Sensitivity Of Data: high (employee records)
- Data Exfiltration: yes (leaked online in December 2024)
- Personally Identifiable Information: likely (employee data)
JANUARY 2024: 846 Before Incident
Vulnerability
01 Jan 2024, Broadcom
Broadcom: Cyber Security News ®’s Post

CISA Flags Actively Exploited VMware vCenter Server Vulnerability (CVE-2024-37079)

844 After Incident
CRITICAL-2
BRO1769309760

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-37079, a critical remote code execution (RCE) vulnerability in Broadcom’s VMware vCenter Server, to its Known Exploited Vulnerabilities (KEV) catalog. The move follows confirmed reports of active exploitation in the wild, heightening risks for enterprises using vCenter for virtualization management.

The flaw allows attackers with network access to the vCenter Server to execute arbitrary code, potentially gaining full control over the system. No additional user interaction or privileges are required, making it a high-severity threat. Organizations running affected versions of vCenter are urged to prioritize patching, as exploitation could lead to unauthorized access, data breaches, or lateral movement within networks.

VMware released patches for the vulnerability earlier this month, but the inclusion in CISA’s KEV catalog underscores its urgency. Federal agencies under CISA’s binding operational directive (BOD 22-01) must remediate the flaw by a specified deadline, though private sector entities are also advised to act swiftly.

The incident highlights the growing targeting of virtualization infrastructure, a critical component in enterprise IT environments. Details on attack vectors and threat actors remain limited, but the vulnerability’s inclusion in the KEV catalog signals its immediate operational risk.

INCIDENT DETAILS
TYPE: Remote Code Execution (RCE)
IMPACT:
- Systems Affected: VMware vCenter Server
- Operational Impact: Unauthorized access, lateral movement within networks
JUNE 2023: 847 Before Incident
Vulnerability
16 Jun 2023, Broadcom
Broadcom (VMware)

Broadcom Patches High-Severity VMware Aria Operations and VMware Tools Privilege Escalation Vulnerability (CVE-2025-41244) Exploited by UNC5174

846 After Incident
CRITICAL-1
BRO4592445093025

Broadcom patched a high-severity privilege escalation vulnerability (CVE-2025-41244) in VMware Aria Operations and VMware Tools, actively exploited since October 2024 by UNC5174, a Chinese state-sponsored threat actor linked to China’s Ministry of State Security (MSS). The flaw allows an unprivileged local attacker to escalate privileges to root-level code execution by staging a malicious binary in paths like `/tmp/httpd` and exploiting VMware’s service discovery mechanism. UNC5174, known for selling network access to U.S. defense contractors, UK government entities, and Asian institutions, previously exploited CVE-2023-46747 (F5 BIG-IP), CVE-2024-1709 (ConnectWise ScreenConnect), and CVE-2025-31324 (SAP NetWeaver).

The vulnerability poses a critical risk as it enables full system compromise, potentially allowing attackers to move laterally across networks, steal sensitive data, or deploy additional malware. While no direct data breach or ransomware was confirmed in this case, the exploitation by a state-backed APT group suggests espionage or pre-positioning for future attacks. Broadcom also patched two other high-severity VMware NSX flaws reported by the NSA, indicating a broader pattern of targeted cyber operations against enterprise infrastructure.

INCIDENT DETAILS
TYPE:
- Privilege Escalation
- Zero-Day Exploit
MOTIVATION:
- Espionage
- Financial Gain (selling network access)
- Cyber Warfare
IMPACT:
- VMware Aria Operations (credential-based mode)
- VMware Tools (credential-less mode)
- Operational Impact: Potential root-level code execution on vulnerable VMs, leading to full system compromise
- Brand Reputation Impact: High (zero-day exploitation by state-sponsored actor, multiple high-profile vulnerabilities in 2024)
JANUARY 2020: 846 Before Incident
Vulnerability
01 Jan 2020, Broadcom
Microsoft, 7-Eleven, Cisco, NGINX and Broadcom: 7-Eleven - Security Affairs

Pwn2Own Berlin 2026 Highlights Major Exploits and Cyber Incidents

845 After Incident
CRITICAL-1
BROMIC7-ENGICIS1779164825

Pwn2Own Berlin 2026 Highlights Major Exploits as Zero-Days and Breaches Surge

The second and third days of Pwn2Own Berlin 2026 saw researchers earn $385,750 in bounties, pushing the event’s total payout to $1.298 million. Among the notable exploits, Microsoft Exchange Server was successfully compromised, contributing to the growing tally. DEVCORE was crowned "Master of Pwn" after demonstrating multiple high-impact vulnerabilities.

In parallel, Chaotic Eclipse disclosed MiniPlasma, a zero-day in Windows, suggesting an incomplete or overlooked security fix from 2020. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft Exchange Server flaw and a Cisco Catalyst SD-WAN vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling active exploitation risks.

A critical 18-year-old flaw (CVE-2026-42945) in NGINX, the world’s most widely deployed web server, was also uncovered, with experts warning of ongoing attacks. Meanwhile, Grafana confirmed a GitHub token breach after a cybercrime group claimed responsibility, while ShinyHunters breached 7-Eleven, exposing franchisee data and Salesforce records.

Additional incidents included:

- A public Amazon S3 bucket leaking sensitive guest data from Japanese hotel platform Tabiq.
- OpenAI suffering a supply chain attack via malicious TanStack packages.
- Broadcom releasing a security update for a VMware Fusion root access bug.
- The Ghostwriter group resuming cyberattacks on Ukrainian government targets.
- Researchers identifying YellowKey and GreenPlasma, two new Windows zero-days.
- A Linux Kernel bug (Fragnesia) enabling local root access attacks.
- Attackers exploiting a Funnel Builder vulnerability to inject e-skimmers into e-commerce stores.

The event underscored persistent threats across enterprise software, cloud services, and critical infrastructure, with zero-days and supply chain attacks remaining dominant vectors.

INCIDENT DETAILS
TYPE:
- Zero-day Exploit
- Data Breach
- Supply Chain Attack
- Ransomware
MOTIVATION:
- Financial Gain
- Cyber Espionage
- Data Theft
- Demonstration of Exploits
IMPACT:
- Financial Loss: $385,750 (bounties paid) + $1.298 million (total payout)
- GitHub tokens
- Franchisee data
- Salesforce records
- Guest data (Tabiq)
- Personally Identifiable Information
- Microsoft Exchange Server
- Windows OS
- NGINX
- Cisco Catalyst SD-WAN
- VMware Fusion
- Grafana
- 7-Eleven systems
- OpenAI (via TanStack packages)
- E-commerce stores (via e-skimmers)
- Service Disruption
- Unauthorized Access
- Data Exfiltration
- Grafana
- 7-Eleven
- OpenAI
- Tabiq
- High (PII exposed)
- High (e-skimmers injected)
DATA BREACH:
- GitHub Tokens
- Franchisee Data
- Salesforce Records
- Guest Data
- PII
- High
- Yes (ShinyHunters, Ghostwriter group)
- Yes
