Broadcom Software
Company Details
Linkedin ID:
broadcomsoftware
Website:
Employees number:
18,118
Number of followers:
46,764
NAICS:
5112
Industry Type:
Homepage:
broadcom.com
IP Addresses:
0
Company ID:
BRO_2606918
Scan Status:
In-progress
Broadcom Software Company CyberSecurity Posture
broadcom.com
Broadcom Software modernizes, optimizes, and protects the world’s most complex hybrid environments. We are a global software leader delivering a comprehensive portfolio of industry-leading business-critical software enabling scalability, agility and security for the largest global companies in the world. Multinational companies with complex hybrid environments need a trusted software partner to help them navigate complexity and move their business forward.
Broadcom Software A.I CyberSecurity Scoring
Broadcom Software Risk Score (AI oriented)Between 750 and 799
Broadcom Software
Updated:
- Powered by our proprietary A.I cyber incident model
- Insurance preferes TPRM score to calculate premium
Broadcom Software Global Score (TPRM)XXXX
Broadcom Software
- Instant access to detailed risk factors
- Benchmark vs. industry & size peers
- Vulnerabilities
- Findings
Broadcom Software Company CyberSecurity News & History
Past Incidents
6
Attack Types
3
Broadcom
Ransomware
Rankiteo Explanation
Attack with significant impact with internal employee data leaks
Description: A ransomware attack targeted **Business Systems House (BSH)**, a Middle Eastern payroll partner of **ADP**, in **September 2024**, leading to the theft of **Broadcom’s employee data**. The compromised data was leaked online in **December 2024**, but Broadcom was not notified until **May 2025**—an eight-month delay. The **El Dorado ransomware group** claimed responsibility, exploiting Broadcom’s ongoing transition between payroll providers. The breach exposed sensitive employee information, including personal and financial details, while Broadcom was still dependent on ADP and BSH for payroll processing. The incident underscores critical vulnerabilities in **third-party supply chain security**, particularly during vendor transitions, and highlights the prolonged risks of undetected data exfiltration in ransomware attacks. The delayed disclosure further exacerbated reputational and operational risks for Broadcom, a global semiconductor and infrastructure software leader.
Broadcom
Ransomware
Rankiteo Explanation
Attack threatening the organization’s existence
Description: Broadcom, a global technology leader valued at hundreds of billions, was among the high-profile victims of **Cl0p’s ransomware attack** exploiting a **zero-day vulnerability in Oracle’s E-Business Suite (CVE-2025-61882 and CVE-2025-21884)**. The cybercriminal group **exfiltrated sensitive corporate and customer data**, threatening to leak or sell it unless a ransom was paid. The breach compromised critical systems, risking **financial records, proprietary business data, and third-party customer information**. Cl0p’s extortion tactics included warnings of **public disclosure on their blog, torrent leaks, or sales to malicious actors**, amplifying reputational and operational risks. Given Broadcom’s role in semiconductor and infrastructure technology, the attack posed **supply chain cascading risks**, potentially disrupting clients reliant on its products. Oracle issued emergency patches, but the damage—including **data theft, potential regulatory fines, and erosion of stakeholder trust**—had already occurred. The incident underscores vulnerabilities in enterprise software dependencies, with Broadcom facing **long-term financial and strategic repercussions** if the stolen data is weaponized.
Broadcom
Ransomware
Rankiteo Explanation
Attack threatening the organization’s existence
Description: The **Cl0p ransomware gang** breached **Broadcom**, a $300+ billion semiconductor and infrastructure software leader, by exploiting an **unpatched zero-day vulnerability in Oracle E-Business Suite**. This ERP platform manages critical operations, including **supply chain, financial systems, and customer data**, making it a high-value target. The attackers likely **exfiltrated sensitive corporate data** (potentially including **intellectual property, manufacturing secrets, and customer information**) before deploying ransomware, following Cl0p’s typical double-extortion tactic. The breach risks **operational disruptions in global manufacturing**, **regulatory penalties for data exposure**, and **reputational damage** due to the involvement of a notorious ransomware group. The use of a **zero-day exploit** amplifies the threat, as other organizations using Oracle E-Business Suite may face similar attacks until a patch is released. Broadcom has not confirmed the incident, but the alleged compromise aligns with Cl0p’s pattern of targeting **high-value enterprises** via unpatched vulnerabilities in widely used software.
Broadcom (VMware)
Vulnerability
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: Broadcom patched a **high-severity privilege escalation vulnerability (CVE-2025-41244)** in **VMware Aria Operations** and **VMware Tools**, actively exploited since **October 2024** by **UNC5174**, a **Chinese state-sponsored threat actor** linked to China’s Ministry of State Security (MSS). The flaw allows an **unprivileged local attacker** to escalate privileges to **root-level code execution** by staging a malicious binary in paths like `/tmp/httpd` and exploiting VMware’s service discovery mechanism. UNC5174, known for selling network access to **U.S. defense contractors, UK government entities, and Asian institutions**, previously exploited **CVE-2023-46747 (F5 BIG-IP)**, **CVE-2024-1709 (ConnectWise ScreenConnect)**, and **CVE-2025-31324 (SAP NetWeaver)**.The vulnerability poses a **critical risk** as it enables **full system compromise**, potentially allowing attackers to **move laterally across networks**, **steal sensitive data**, or **deploy additional malware**. While no **direct data breach or ransomware** was confirmed in this case, the exploitation by a **state-backed APT group** suggests **espionage or pre-positioning for future attacks**. Broadcom also patched **two other high-severity VMware NSX flaws** reported by the **NSA**, indicating a broader pattern of **targeted cyber operations** against enterprise infrastructure.
Symantec
Breach
Rankiteo Explanation
Attack with significant impact with internal employee data leaks
Description: Security firm Symantec was attacked by a hacker back in February 2021 in which the hackers extracted some of the data. This comprises not only passwords but a list of Symantec clients -- including government agencies. The hacker was able to access a list of clients using Symantec's CloudSOC services, account managers and account numbers.
Symantec
Vulnerability
Rankiteo Explanation
Attack with significant impact with internal employee data leaks
Description: Tavis Ormandy identified Symantec and Norton flaws that cybercriminals may use to gain access to users' data. There were 17 items on the list of vulnerable Symantec enterprise products. On the Symantec website, these items had been listed as a security advisory. Malware concealed in an executable file had a chance to obtain total access to the computer running the operating system, it was discovered that Symantec decompressed files in the operating system's kernel.
Broadcom Software Company Scoring based on AI Models
Cyber Incidents Likelihood 3 - 6 - 9 months
A.I Risk Score Likelihood 3 - 6 - 9 months
Underwriter Stats for Broadcom Software
Incidents vs Software Development Industry Average (This Year)
No incidents recorded for Broadcom Software in 2025.
Incidents vs All-Companies Average (This Year)
No incidents recorded for Broadcom Software in 2025.
Incident Types Broadcom Software vs Software Development Industry Avg (This Year)
No incidents recorded for Broadcom Software in 2025.
Incident History — Broadcom Software (X = Date, Y = Severity)
Broadcom Software cyber incidents detection timeline including parent company and subsidiaries
Broadcom Software Company Subsidiaries
Broadcom Software modernizes, optimizes, and protects the world’s most complex hybrid environments. We are a global software leader delivering a comprehensive portfolio of industry-leading business-critical software enabling scalability, agility and security for the largest global companies in the world. Multinational companies with complex hybrid environments need a trusted software partner to help them navigate complexity and move their business forward.
Loading...
Broadcom Software Similar Companies
Zoho
Zoho offers beautifully smart software to help you grow your business. With over 100 million users worldwide, Zoho's 55+ products aid your sales and marketing, support and collaboration, finance, and recruitment needs—letting you focus only on your business. Zoho respects user privacy and does not h
ByteDance
ByteDance is a global incubator of platforms at the cutting edge of commerce, content, entertainment and enterprise services - over 2.5bn people interact with ByteDance products including TikTok. Creation is the core of ByteDance's purpose. Our products are built to help imaginations thrive. This i
Agoda
At Agoda, we bridge the world through travel. We aim to make it easy and rewarding for more travelers to explore and experience the amazing world we live in. We do so by enabling more people to see the world for less – with our best-value deals across our 4,700,000+ hotels and holiday properties, 13
DiDi
DiDi Global Inc. is a leading mobility technology platform. It offers a wide range of app-based services across Asia Pacific, Latin America, and other global markets, including ride hailing, taxi hailing, designated driving, hitch and other forms of shared mobility as well as certain energy and vehi
KPIT
About KPIT KPIT is reimagining the future of mobility, forging ahead with group companies and partners to shape a world that is cleaner, smarter, and safer. With over 25 years of specialized expertise in Mobility, KPIT is accelerating the transformation towards Software and AI-Defined Vehicles thr
Starting our journey in 2011, today, bigbasket - a Tata Enterprise is India’s largest online supermarket with over 13 million customers and a presence in 60+ cities & towns. With our presence spanning the entire spectrum of consumer needs, we operate through a range of business lines - bigbasket, bb
VMware by Broadcom delivers software that unifies and streamlines hybrid cloud environments for the world’s most complex organizations. By combining public-cloud scale and agility with private-cloud security and performance, we empower our customers to modernize, optimize and protect their apps an
The Bosch Group is a leading global supplier of technology and services. It employs roughly 417,900 associates worldwide (as of December 31, 2024). According to preliminary figures, the company generated sales of 90.5 billion euros in 2024. Its operations are divided into four business sectors: Mobi
Shopee
Shopee is the leading e-commerce platform in Southeast Asia and Taiwan. It is a platform tailored for the region, providing customers with an easy, secure and fast online shopping experience through strong payment and logistical support. Shopee aims to continually enhance its platform and become th
.png)
Broadcom Software CyberSecurity News
November 21, 2025 01:55 PM
Clop Ransomware Allegedly Breached Broadcom via E-Business Suite 0-Day Hack
The notorious Cl0p ransomware gang has publicly claimed responsibility for breaching Broadcom, a leading semiconductor and infrastructure software company...
November 21, 2025 08:00 AM
Broadcom Allegedly Breached by Clop Ransomware via Oracle E-Business Suite 0-Day Hack
A ransomware group says it hacked Broadcom's internal systems using Oracle E-Business Suite flaws they are currently attacking.
November 21, 2025 08:00 AM
Broadcom (AVGO) Stock Today: Quantum‑Safe Breakthrough, Ransomware Claim and AI Momentum – November 21, 2025
Broadcom (NASDAQ: AVGO) finds itself at the center of multiple storylines today: a world‑first quantum‑safe data‑center networking launch,...
November 04, 2025 08:00 AM
Open-source VMware deserters in zombie software risk
A large number of VMware users who have opted for an open-source alternative may be operating on outdated software. A report from RunZero...
August 21, 2025 07:00 AM
Broadcom Delivers Comprehensive Day One Support for z/OS 3.2
Progress is built on preparation. Nowhere is that principle more critical than in the enterprise environments that rely on the Mainframe.
July 21, 2025 07:00 AM
AVGO vs. OKTA: Which Enterprise Security Software Stock is a Buy?
Broadcom AVGO and Okta OKTA are key providers of security software solutions for enterprises. AVGO offers Endpoint Security (Symantec and...
July 06, 2025 07:00 AM
3 Top Cybersecurity Stocks to Buy in July
Cyberattacks are a global problem that is just going to get worse as the world becomes more interconnected. Through malware, ransomware...
July 02, 2025 07:00 AM
Dubai Airports Elevates Operations with Broadcom Software Solutions
Dubai Airports, operator of Dubai International (DXB), the world's top airport for international passenger traffic and Dubai World Central...
June 29, 2025 12:58 AM
Broadcom is rumored to be in talks to acquire cybersecurity firm Symantec
Bloomberg has reported Broadcom is in “advanced talks” to acquire security software firm Symantec. Broadcom wants to expand its business into the “more...
Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
Broadcom Software CyberSecurity History Information
Official Website of Broadcom Software
The official website of Broadcom Software is https://software.broadcom.com/.
Broadcom Software’s AI-Generated Cybersecurity Score
According to Rankiteo, Broadcom Software’s AI-generated cybersecurity score is 772, reflecting their Fair security posture.
How many security badges does Broadcom Software’ have ?
According to Rankiteo, Broadcom Software currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
Does Broadcom Software have SOC 2 Type 1 certification ?
According to Rankiteo, Broadcom Software is not certified under SOC 2 Type 1.
Does Broadcom Software have SOC 2 Type 2 certification ?
According to Rankiteo, Broadcom Software does not hold a SOC 2 Type 2 certification.
Does Broadcom Software comply with GDPR ?
According to Rankiteo, Broadcom Software is not listed as GDPR compliant.
Does Broadcom Software have PCI DSS certification ?
According to Rankiteo, Broadcom Software does not currently maintain PCI DSS compliance.
Does Broadcom Software comply with HIPAA ?
According to Rankiteo, Broadcom Software is not compliant with HIPAA regulations.
Does Broadcom Software have ISO 27001 certification ?
According to Rankiteo,Broadcom Software is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Industry Classification of Broadcom Software
Broadcom Software operates primarily in the Software Development industry.
Number of Employees at Broadcom Software
Broadcom Software employs approximately 18,118 people worldwide.
Subsidiaries Owned by Broadcom Software
Broadcom Software presently has no subsidiaries across any sectors.
Broadcom Software’s LinkedIn Followers
Broadcom Software’s official LinkedIn profile has approximately 46,764 followers.
NAICS Classification of Broadcom Software
Broadcom Software is classified under the NAICS code 5112, which corresponds to Software Publishers.
Broadcom Software’s Presence on Crunchbase
No, Broadcom Software does not have a profile on Crunchbase.
Broadcom Software’s Presence on LinkedIn
Yes, Broadcom Software maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/broadcomsoftware.
Cybersecurity Incidents Involving Broadcom Software
As of December 14, 2025, Rankiteo reports that Broadcom Software has experienced 6 cybersecurity incidents.
Number of Peer and Competitor Companies
Broadcom Software has an estimated 27,675 peer or competitor companies worldwide.
What types of cybersecurity incidents have occurred at Broadcom Software ?
Incident Types: The types of cybersecurity incidents that have occurred include Vulnerability, Ransomware and Breach.
How does Broadcom Software detect and respond to cybersecurity incidents ?
Detection and Response: The company detects and responds to cybersecurity incidents through an incident response plan activated with yes (broadcom patch release), and third party assistance with nviso (vulnerability reporting and poc), third party assistance with google mandiant (threat actor analysis), and containment measures with patch release for cve-2025-41244, containment measures with previous patches for cve-2025-22224, cve-2025-22225, cve-2025-22226 (march 2024), containment measures with nsx vulnerabilities patched (november 2024), and network segmentation with recommended for organizations using oracle e-business suite, and enhanced monitoring with recommended: review security logs for unauthorized access, deploy edr solutions, and and third party assistance with mandiant (google-owned cybersecurity firm), and containment measures with oracle security patches (cve-2025-61882, cve-2025-21884), and remediation measures with patch application for oracle ebs vulnerabilities, and communication strategy with oracle security alerts to customers, communication strategy with public disclosure via media..
Incident Details
Can you provide details on each incident ?
Title: Symantec Data Breach
Description: Security firm Symantec was attacked by a hacker in February 2021, resulting in the extraction of data including passwords and a list of Symantec clients, including government agencies.
Date Detected: 2021-02-01
Type: Data Breach
Title: Symantec and Norton Vulnerabilities Identified by Tavis Ormandy
Description: Tavis Ormandy identified Symantec and Norton flaws that cybercriminals may use to gain access to users' data. There were 17 items on the list of vulnerable Symantec enterprise products. On the Symantec website, these items had been listed as a security advisory. Malware concealed in an executable file had a chance to obtain total access to the computer running the operating system, it was discovered that Symantec decompressed files in the operating system's kernel.
Type: Vulnerability Exploit
Attack Vector: Executable File
Vulnerability Exploited: File Decompression in Kernel
Motivation: Data Theft
Title: Broadcom Patches High-Severity VMware Aria Operations and VMware Tools Privilege Escalation Vulnerability (CVE-2025-41244) Exploited by UNC5174
Description: Broadcom has patched a high-severity privilege escalation vulnerability (CVE-2025-41244) in its VMware Aria Operations and VMware Tools software, exploited in zero-day attacks since October 2024. The vulnerability allows unprivileged local attackers to escalate privileges to root-level code execution by staging a malicious binary in broadly-matched regex paths (e.g., /tmp/httpd). The attacks have been linked to the Chinese state-sponsored threat actor UNC5174, a contractor for China's Ministry of State Security (MSS). NVISO released a proof-of-concept exploit demonstrating the flaw's exploitation.
Date Detected: 2024-05-01
Date Publicly Disclosed: 2024-11-05
Type: Privilege Escalation
Attack Vector: LocalMalicious Binary StagingService Discovery Abuse
Vulnerability Exploited: CVE-2025-41244 (VMware Aria Operations and VMware Tools Privilege Escalation)
Threat Actor: UNC5174 (Chinese state-sponsored, linked to Ministry of State Security - MSS)
Motivation: EspionageFinancial Gain (selling network access)Cyber Warfare
Title: Ransomware Attack on Business Systems House (BSH) Leading to Broadcom Employee Data Theft
Description: A ransomware attack on Business Systems House (BSH), a Middle Eastern partner of payroll provider ADP, resulted in the theft of Broadcom employee data in September 2024. The data was leaked online in December 2024, but Broadcom was not informed until May 2025. The El Dorado ransomware group claimed responsibility. The breach occurred during Broadcom's transition away from ADP and BSH as payroll providers.
Date Detected: 2024-09
Date Publicly Disclosed: 2025-05
Type: ransomware
Attack Vector: third-party vendor (BSH, a regional partner of ADP)
Threat Actor: El Dorado ransomware group
Motivation: financial gaindata theft
Title: Cl0p Ransomware Gang Claims Breach of Broadcom via Zero-Day in Oracle E-Business Suite
Description: The Cl0p ransomware gang has publicly claimed responsibility for breaching Broadcom, a leading semiconductor and infrastructure software company. The attackers allegedly exploited an unpatched zero-day vulnerability in Oracle E-Business Suite to gain initial access. The incident follows a pattern of Cl0p targeting high-value enterprise systems using zero-day and known vulnerabilities. Broadcom has not issued an official statement, and the claim remains unverified by independent security researchers. The vulnerability allows arbitrary code execution, persistent access, and lateral movement across corporate networks. Cl0p is known for combining zero-day exploitation with credential theft and data exfiltration before deploying ransomware.
Type: ransomware
Attack Vector: zero-day vulnerability in Oracle E-Business Suitearbitrary code executionlateral movementcredential theftdata exfiltration
Vulnerability Exploited: Unpatched zero-day vulnerability in Oracle E-Business Suite (arbitrary code execution)
Threat Actor: Cl0p ransomware gang
Motivation: financial gain (ransomware)data theft for extortiondisruption of high-value enterprise targets
Title: Cl0p Exploits Zero-Day Vulnerabilities in Oracle E-Business Suite Leading to Massive Data Breaches
Description: The cybercriminal group Cl0p exploited two zero-day vulnerabilities (CVE-2025-61882 and CVE-2025-21884) in Oracle’s E-Business Suite (EBS), leading to data breaches in over 100 companies, including Broadcom, Estée Lauder, Mazda, and Canon. The group demanded significant ransom payments, threatening to leak or sell exfiltrated data if unpaid. Oracle issued security patches, but the attacks had already compromised sensitive corporate and customer data across multiple industries and geographies.
Date Detected: 2023-09-01
Date Publicly Disclosed: 2023-11-20
Type: Ransomware
Attack Vector: Zero-Day Exploit (CVE-2025-61882, CVE-2025-21884)Unauthenticated HTTP RequestsData Exfiltration
Threat Actor: Cl0p (Clop)
Motivation: Financial Gain (Ransomware Extortion)
What are the most common types of attacks the company has faced ?
Common Attack Types: The most common types of attacks the company has faced is Ransomware.
How does the company identify the attack vectors used in incidents ?
Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Executable File, Exploitation of CVE-2025-41244 (privilege escalation via /tmp/httpd)Previous exploits: CVE-2023-46747 (F5 BIG-IP), CVE-2024-1709 (ConnectWise ScreenConnect), CVE-2025-31324 (NetWeaver Visual Composer), unpatched zero-day vulnerability in Oracle E-Business Suite, Zero-day vulnerabilities in Oracle EBS (CVE-2025-61882 and CVE-2025-21884).
Impact of the Incidents
What was the impact of each incident ?
Incident : Data Breach SYM1336271222
Data Compromised: Passwords, List of symantec clients, Government agencies, List of clients using symantec's cloudsoc services, Account managers, Account numbers
Incident : Vulnerability Exploit SYM44121823
Systems Affected: Symantec Enterprise Products
Incident : Privilege Escalation BRO4592445093025
Systems Affected: VMware Aria Operations (credential-based mode)VMware Tools (credential-less mode)
Operational Impact: Potential root-level code execution on vulnerable VMs, leading to full system compromise
Brand Reputation Impact: High (zero-day exploitation by state-sponsored actor, multiple high-profile vulnerabilities in 2024)
Incident : ransomware BRO3362533111725
Data Compromised: Broadcom employee data
Brand Reputation Impact: negative (ripples through tech and cybersecurity community)
Identity Theft Risk: potential (employee data exposed)
Incident : ransomware BRO0893008112125
Systems Affected: Oracle E-Business Suitesupply chain operationsfinancial systemscustomer datamanufacturing operationsresearch data
Operational Impact: potential disruption of manufacturing operationssupply chain interruptionsglobal infrastructure risks
Brand Reputation Impact: high (targeting a $300B+ company)potential loss of trust in supply chain security
Legal Liabilities: potential regulatory compliance violations (e.g., data protection laws)
Incident : Ransomware BRO3105131112625
Systems Affected: Oracle E-Business Suite (EBS) versions 12.2.3–12.2.14
Operational Impact: Significant (data exfiltration, potential system compromise)
Brand Reputation Impact: High (public disclosure of breaches, ransom demands)
Identity Theft Risk: High (PII and sensitive corporate data exfiltrated)
What types of data are most commonly compromised in incidents ?
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Passwords, List Of Symantec Clients, Government Agencies, List Of Clients Using Symantec'S Cloudsoc Services, Account Managers, Account Numbers, , Employee Data, , Potential: Corporate Data (Supply Chain, Financial, Customer), Intellectual Property (Research Data), , Corporate Data, Customer Data, Sensitive Business Information and .
Which entities were affected by each incident ?
Incident : Data Breach SYM1336271222
Entity Name: Symantec
Entity Type: Security Firm
Industry: Cybersecurity
Incident : Vulnerability Exploit SYM44121823
Entity Name: Symantec
Entity Type: Company
Industry: Cybersecurity
Incident : Privilege Escalation BRO4592445093025
Entity Name: Broadcom (VMware)
Entity Type: Technology Corporation
Industry: Software/Cloud Infrastructure
Location: United States (Global Operations)
Size: Large Enterprise
Incident : Privilege Escalation BRO4592445093025
Entity Name: U.S. Defense Contractors (via UNC5174 access sales)
Entity Type: Private/Government Contractors
Industry: Defense
Location: United States
Incident : Privilege Escalation BRO4592445093025
Entity Name: UK Government Entities (via UNC5174 access sales)
Entity Type: Government
Industry: Public Sector
Location: United Kingdom
Incident : Privilege Escalation BRO4592445093025
Entity Name: Asian Institutions (via UNC5174 access sales)
Entity Type: Government/Private
Industry: Multiple Sectors
Location: Asia
Incident : Privilege Escalation BRO4592445093025
Entity Name: U.S. and Canadian Institutions (via CVE-2024-1709 exploitation)
Entity Type: Multiple
Industry: Multiple Sectors
Location: United States, Canada
Customers Affected: Hundreds (per February 2024 attacks)
Incident : ransomware BRO3362533111725
Entity Name: Broadcom Inc.
Entity Type: multinational corporation
Industry: semiconductor, infrastructure software
Location: global (HQ in San Jose, California, USA)
Incident : ransomware BRO3362533111725
Entity Name: Business Systems House (BSH)
Entity Type: regional payroll service provider
Industry: payroll services
Location: Middle East
Customers Affected: Broadcom employees (data compromised)
Incident : ransomware BRO3362533111725
Entity Name: ADP (Automatic Data Processing)
Entity Type: payroll services giant
Industry: HR and payroll services
Location: global (HQ in Roseland, New Jersey, USA)
Incident : ransomware BRO0893008112125
Entity Name: Broadcom Inc.
Entity Type: public company
Industry: semiconductor manufacturing, infrastructure software
Location: global (HQ: San Jose, California, USA)
Size: $300+ billion market cap
Incident : Ransomware BRO3105131112625
Entity Name: Oracle
Entity Type: Corporation
Industry: Technology (Enterprise Software)
Location: United States
Size: Large (Fortune 500)
Incident : Ransomware BRO3105131112625
Entity Name: Broadcom
Entity Type: Corporation
Industry: Semiconductors/Technology
Location: United States
Size: Large (Fortune 500)
Incident : Ransomware BRO3105131112625
Entity Name: Estée Lauder Companies
Entity Type: Corporation
Industry: Cosmetics/Retail
Location: United States
Size: Large (Fortune 500)
Incident : Ransomware BRO3105131112625
Entity Name: Mazda
Entity Type: Corporation
Industry: Automotive
Location: Japan
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Canon
Entity Type: Corporation
Industry: Technology/Imaging
Location: Japan
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Michelin
Entity Type: Corporation
Industry: Automotive/Tires
Location: France
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Humana
Entity Type: Corporation
Industry: Healthcare/Insurance
Location: United States
Size: Large (Fortune 500)
Incident : Ransomware BRO3105131112625
Entity Name: Fruit of the Loom
Entity Type: Corporation
Industry: Apparel
Location: United States
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Abbott Laboratories
Entity Type: Corporation
Industry: Healthcare/Pharmaceuticals
Location: United States
Size: Large (Fortune 500)
Incident : Ransomware BRO3105131112625
Entity Name: Grupo Bimbo
Entity Type: Corporation
Industry: Food/Baking
Location: Mexico
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: A10 Networks
Entity Type: Corporation
Industry: Technology/Networking
Location: United States
Size: Mid-Large
Incident : Ransomware BRO3105131112625
Entity Name: Envoy
Entity Type: Corporation
Industry: Technology/Workplace Solutions
Location: United States
Size: Mid-Large
Incident : Ransomware BRO3105131112625
Entity Name: Greater Cleveland RTA
Entity Type: Government Agency
Industry: Transportation
Location: United States
Size: Mid
Incident : Ransomware BRO3105131112625
Entity Name: Frontrol
Entity Type: Corporation
Industry: Technology/Security
Incident : Ransomware BRO3105131112625
Entity Name: MAS Holdings
Entity Type: Corporation
Industry: Apparel/Manufacturing
Location: Sri Lanka
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Trane Technologies
Entity Type: Corporation
Industry: HVAC/Manufacturing
Location: United States
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Treet Corp
Entity Type: Corporation
Industry: Manufacturing
Incident : Ransomware BRO3105131112625
Entity Name: University of Phoenix
Entity Type: Educational Institution
Industry: Education
Location: United States
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: L&L Products
Entity Type: Corporation
Industry: Automotive/Manufacturing
Location: United States
Size: Mid-Large
Incident : Ransomware BRO3105131112625
Entity Name: Worley
Entity Type: Corporation
Industry: Engineering/Consulting
Location: Australia
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Fleet Management Limited
Entity Type: Corporation
Industry: Logistics/Transportation
Incident : Ransomware BRO3105131112625
Entity Name: Alshaya Group
Entity Type: Corporation
Industry: Retail/Hospitality
Location: Kuwait
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Bechtel Corporation
Entity Type: Corporation
Industry: Construction/Engineering
Location: United States
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: WellBiz Brands, Inc.
Entity Type: Corporation
Industry: Retail/Wellness
Location: United States
Size: Mid
Incident : Ransomware BRO3105131112625
Entity Name: Dooney & Bourke
Entity Type: Corporation
Industry: Luxury Accessories
Location: United States
Size: Mid
Incident : Ransomware BRO3105131112625
Entity Name: Greenball
Entity Type: Corporation
Industry: Manufacturing
Incident : Ransomware BRO3105131112625
Entity Name: Sumitomo Chemical
Entity Type: Corporation
Industry: Chemicals
Location: Japan
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Aljomaih Automotive Company (AAC)
Entity Type: Corporation
Industry: Automotive
Location: Saudi Arabia
Size: Large
Response to the Incidents
What measures were taken in response to each incident ?
Incident : Privilege Escalation BRO4592445093025
Incident Response Plan Activated: Yes (Broadcom patch release)
Third Party Assistance: Nviso (Vulnerability Reporting And Poc), Google Mandiant (Threat Actor Analysis).
Containment Measures: Patch release for CVE-2025-41244Previous patches for CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 (March 2024)NSX vulnerabilities patched (November 2024)
Incident : ransomware BRO0893008112125
Network Segmentation: ['recommended for organizations using Oracle E-Business Suite']
Enhanced Monitoring: recommended: review security logs for unauthorized access, deploy EDR solutions
Incident : Ransomware BRO3105131112625
Incident Response Plan Activated: True
Third Party Assistance: Mandiant (Google-Owned Cybersecurity Firm).
Containment Measures: Oracle security patches (CVE-2025-61882, CVE-2025-21884)
Remediation Measures: Patch application for Oracle EBS vulnerabilities
Communication Strategy: Oracle security alerts to customersPublic disclosure via media
What is the company's incident response plan?
Incident Response Plan: The company's incident response plan is described as Yes (Broadcom patch release), .
How does the company involve third-party assistance in incident response ?
Third-Party Assistance: The company involves third-party assistance in incident response through NVISO (vulnerability reporting and PoC), Google Mandiant (threat actor analysis), , Mandiant (Google-owned cybersecurity firm), .
Data Breach Information
What type of data was compromised in each breach ?
Incident : Data Breach SYM1336271222
Type of Data Compromised: Passwords, List of symantec clients, Government agencies, List of clients using symantec's cloudsoc services, Account managers, Account numbers
Incident : ransomware BRO3362533111725
Type of Data Compromised: Employee data
Sensitivity of Data: high (employee records)
Data Exfiltration: yes (leaked online in December 2024)
Personally Identifiable Information: likely (employee data)
Incident : ransomware BRO0893008112125
Type of Data Compromised: Potential: corporate data (supply chain, financial, customer), Intellectual property (research data)
Sensitivity of Data: high (enterprise resource planning data)potentially confidential (manufacturing, R&D)
Data Exfiltration: claimed by Cl0p (typical tactic before ransomware deployment)
Incident : Ransomware BRO3105131112625
Type of Data Compromised: Corporate data, Customer data, Sensitive business information
Sensitivity of Data: High
What measures does the company take to prevent data exfiltration ?
Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Patch application for Oracle EBS vulnerabilities, .
How does the company handle incidents involving personally identifiable information (PII) ?
Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by patch release for cve-2025-41244, previous patches for cve-2025-22224, cve-2025-22225, cve-2025-22226 (march 2024), nsx vulnerabilities patched (november 2024), , oracle security patches (cve-2025-61882, cve-2025-21884) and .
Ransomware Information
Was ransomware involved in any of the incidents ?
Incident : ransomware BRO0893008112125
Ransomware Strain: Cl0p
Data Encryption: ['likely (standard Cl0p tactic post-exfiltration)']
Data Exfiltration: ['claimed (pre-ransomware deployment)']
Incident : Ransomware BRO3105131112625
Ransom Demanded: True
Ransomware Strain: Cl0p (Clop)
Data Exfiltration: True
Lessons Learned and Recommendations
What lessons were learned from each incident ?
Incident : Privilege Escalation BRO4592445093025
Lessons Learned: 1. State-sponsored actors like UNC5174 are increasingly exploiting zero-day vulnerabilities in enterprise software (VMware, F5 BIG-IP, ConnectWise, SAP) for espionage and financial gain. 2. Privilege escalation vulnerabilities in widely used tools (e.g., VMware Aria Operations) can lead to full system compromise if left unpatched. 3. Collaboration with threat intelligence firms (NVISO, Mandiant, Microsoft) is critical for timely detection and mitigation. 4. Regular patching of high-severity vulnerabilities reported by entities like NSA and Microsoft Threat Intelligence is essential to prevent exploitation.
Incident : ransomware BRO0893008112125
Lessons Learned: Zero-day vulnerabilities in enterprise software (e.g., Oracle E-Business Suite) pose severe risks due to lack of patches at exploitation time., High-value targets (e.g., semiconductor manufacturers) are prioritized by ransomware groups like Cl0p for maximum impact., Proactive measures (e.g., network segmentation, EDR, threat intelligence monitoring) are critical for mitigating zero-day risks., Supply chain and ERP systems are attractive targets due to their central role in business operations.
Incident : Ransomware BRO3105131112625
Lessons Learned: Supplier vulnerabilities in enterprise software (e.g., Oracle EBS) can cascade into large-scale breaches across industries. Proactive patch management and supply chain risk monitoring (e.g., via SCRM platforms like Z2Data) are critical to mitigating third-party risks. Cl0p’s delayed data leak strategy highlights the importance of rapid incident response to prevent public exposure of sensitive data.
What recommendations were made to prevent future incidents ?
Incident : Privilege Escalation BRO4592445093025
Recommendations: Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors.Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors.Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors.Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors.Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors.Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors.Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors.
Incident : ransomware BRO0893008112125
Recommendations: Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Apply security patches for Oracle E-Business Suite as soon as they are released., Implement network segmentation to limit lateral movement in case of breach., Deploy endpoint detection and response (EDR) solutions for early threat detection., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Prepare incident response plans specifically for ransomware and zero-day scenarios.Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Apply security patches for Oracle E-Business Suite as soon as they are released., Implement network segmentation to limit lateral movement in case of breach., Deploy endpoint detection and response (EDR) solutions for early threat detection., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Prepare incident response plans specifically for ransomware and zero-day scenarios.Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Apply security patches for Oracle E-Business Suite as soon as they are released., Implement network segmentation to limit lateral movement in case of breach., Deploy endpoint detection and response (EDR) solutions for early threat detection., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Prepare incident response plans specifically for ransomware and zero-day scenarios.Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Apply security patches for Oracle E-Business Suite as soon as they are released., Implement network segmentation to limit lateral movement in case of breach., Deploy endpoint detection and response (EDR) solutions for early threat detection., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Prepare incident response plans specifically for ransomware and zero-day scenarios.Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Apply security patches for Oracle E-Business Suite as soon as they are released., Implement network segmentation to limit lateral movement in case of breach., Deploy endpoint detection and response (EDR) solutions for early threat detection., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Prepare incident response plans specifically for ransomware and zero-day scenarios.Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Apply security patches for Oracle E-Business Suite as soon as they are released., Implement network segmentation to limit lateral movement in case of breach., Deploy endpoint detection and response (EDR) solutions for early threat detection., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Prepare incident response plans specifically for ransomware and zero-day scenarios.Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Apply security patches for Oracle E-Business Suite as soon as they are released., Implement network segmentation to limit lateral movement in case of breach., Deploy endpoint detection and response (EDR) solutions for early threat detection., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Prepare incident response plans specifically for ransomware and zero-day scenarios.
Incident : Ransomware BRO3105131112625
Recommendations: Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately., Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data)., Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components., Conduct regular audits of enterprise software for zero-day vulnerabilities., Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios., Evaluate the need for network segmentation to limit lateral movement in case of breaches.Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately., Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data)., Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components., Conduct regular audits of enterprise software for zero-day vulnerabilities., Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios., Evaluate the need for network segmentation to limit lateral movement in case of breaches.Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately., Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data)., Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components., Conduct regular audits of enterprise software for zero-day vulnerabilities., Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios., Evaluate the need for network segmentation to limit lateral movement in case of breaches.Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately., Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data)., Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components., Conduct regular audits of enterprise software for zero-day vulnerabilities., Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios., Evaluate the need for network segmentation to limit lateral movement in case of breaches.Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately., Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data)., Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components., Conduct regular audits of enterprise software for zero-day vulnerabilities., Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios., Evaluate the need for network segmentation to limit lateral movement in case of breaches.Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately., Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data)., Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components., Conduct regular audits of enterprise software for zero-day vulnerabilities., Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios., Evaluate the need for network segmentation to limit lateral movement in case of breaches.
What are the key lessons learned from past incidents ?
Key Lessons Learned: The key lessons learned from past incidents are 1. State-sponsored actors like UNC5174 are increasingly exploiting zero-day vulnerabilities in enterprise software (VMware, F5 BIG-IP, ConnectWise, SAP) for espionage and financial gain. 2. Privilege escalation vulnerabilities in widely used tools (e.g., VMware Aria Operations) can lead to full system compromise if left unpatched. 3. Collaboration with threat intelligence firms (NVISO, Mandiant, Microsoft) is critical for timely detection and mitigation. 4. Regular patching of high-severity vulnerabilities reported by entities like NSA and Microsoft Threat Intelligence is essential to prevent exploitation.Zero-day vulnerabilities in enterprise software (e.g., Oracle E-Business Suite) pose severe risks due to lack of patches at exploitation time.,High-value targets (e.g., semiconductor manufacturers) are prioritized by ransomware groups like Cl0p for maximum impact.,Proactive measures (e.g., network segmentation, EDR, threat intelligence monitoring) are critical for mitigating zero-day risks.,Supply chain and ERP systems are attractive targets due to their central role in business operations.Supplier vulnerabilities in enterprise software (e.g., Oracle EBS) can cascade into large-scale breaches across industries. Proactive patch management and supply chain risk monitoring (e.g., via SCRM platforms like Z2Data) are critical to mitigating third-party risks. Cl0p’s delayed data leak strategy highlights the importance of rapid incident response to prevent public exposure of sensitive data.
References
Where can I find more information about each incident ?
Incident : Privilege Escalation BRO4592445093025
Source: NVISO Research (Maxime Thiebaut)
Date Accessed: 2024-11-04
Incident : Privilege Escalation BRO4592445093025
Source: Google Mandiant (UNC5174 Analysis)
Incident : Privilege Escalation BRO4592445093025
Source: Broadcom Security Advisory for CVE-2025-41244
Date Accessed: 2024-11-05
Incident : Privilege Escalation BRO4592445093025
Source: Microsoft Threat Intelligence (VMware Zero-Days, March 2024)
Incident : ransomware BRO3362533111725
Source: The Register
Incident : ransomware BRO0893008112125
Source: GBHackers (GBH)
Incident : Ransomware BRO3105131112625
Source: U.S. Cybersecurity and Infrastructure Security Agency (CISA)
Incident : Ransomware BRO3105131112625
Source: UK National Cyber Security Centre (NCSC)
Incident : Ransomware BRO3105131112625
Source: Mandiant (Google-owned cybersecurity firm)
Incident : Ransomware BRO3105131112625
Source: Oracle Security Alerts (CVE-2025-61882, CVE-2025-21884)
Incident : Ransomware BRO3105131112625
Source: Z2Data Supplier Risk Analysis
Where can stakeholders find additional resources on cybersecurity best practices ?
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: BleepingComputerDate Accessed: 2024-11-05, and Source: NVISO Research (Maxime Thiebaut)Date Accessed: 2024-11-04, and Source: Google Mandiant (UNC5174 Analysis), and Source: Broadcom Security Advisory for CVE-2025-41244Date Accessed: 2024-11-05, and Source: Microsoft Threat Intelligence (VMware Zero-Days, March 2024), and Source: The Register, and Source: GBHackers (GBH), and Source: U.S. Cybersecurity and Infrastructure Security Agency (CISA), and Source: UK National Cyber Security Centre (NCSC), and Source: Mandiant (Google-owned cybersecurity firm), and Source: Oracle Security Alerts (CVE-2025-61882, CVE-2025-21884), and Source: Z2Data Supplier Risk AnalysisUrl: https://www.z2data.com.
Investigation Status
What is the current status of the investigation for each incident ?
Incident : Privilege Escalation BRO4592445093025
Investigation Status: Ongoing (patch released; threat actor activity under monitoring)
Incident : ransomware BRO3362533111725
Investigation Status: disclosed (May 2025)
Incident : ransomware BRO0893008112125
Investigation Status: unverified (claimed by Cl0p, no official statement from Broadcom; independent verification pending)
Incident : Ransomware BRO3105131112625
Investigation Status: Ongoing (Cl0p’s data leak timeline suggests delayed public exposure)
How does the company communicate the status of incident investigations to stakeholders ?
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Oracle Security Alerts To Customers and Public Disclosure Via Media.
Stakeholder and Customer Advisories
Were there any advisories issued to stakeholders or customers for each incident ?
Incident : Privilege Escalation BRO4592445093025
Customer Advisories: Broadcom urged customers to apply patches immediately; no detailed advisory provided in the article.
Incident : Ransomware BRO3105131112625
Stakeholder Advisories: Oracle Security Alerts Urging Immediate Patching, Mandiant’S Analysis Of Cl0P’S Modus Operandi.
Customer Advisories: Companies advised to monitor for data leaks on Cl0p’s blog or dark web marketplaces
What advisories does the company provide to stakeholders and customers following an incident ?
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Broadcom urged customers to apply patches immediately; no detailed advisory provided in the article., Oracle Security Alerts Urging Immediate Patching, Mandiant’S Analysis Of Cl0P’S Modus Operandi, Companies Advised To Monitor For Data Leaks On Cl0P’S Blog Or Dark Web Marketplaces and .
Initial Access Broker
How did the initial access broker gain entry for each incident ?
Incident : Vulnerability Exploit SYM44121823
Entry Point: Executable File
Incident : Privilege Escalation BRO4592445093025
Entry Point: Exploitation Of Cve-2025-41244 (Privilege Escalation Via /Tmp/Httpd), Previous Exploits: Cve-2023-46747 (F5 Big-Ip), Cve-2024-1709 (Connectwise Screenconnect), Cve-2025-31324 (Netweaver Visual Composer),
Backdoors Established: Likely (based on UNC5174's history of selling network access)
High Value Targets: U.S. Defense Contractors, Uk Government Entities, Asian Institutions, Critical Infrastructure (Uk/Us Via Sap Netweaver Attacks),
Data Sold on Dark Web: U.S. Defense Contractors, Uk Government Entities, Asian Institutions, Critical Infrastructure (Uk/Us Via Sap Netweaver Attacks),
Incident : ransomware BRO3362533111725
High Value Targets: Broadcom Employee Data,
Data Sold on Dark Web: Broadcom Employee Data,
Incident : ransomware BRO0893008112125
Entry Point: unpatched zero-day vulnerability in Oracle E-Business Suite
Backdoors Established: ['likely (Cl0p tactic for persistence)']
High Value Targets: Broadcom'S Manufacturing Operations, Research Data, Customer Information, Supply Chain Systems,
Data Sold on Dark Web: Broadcom'S Manufacturing Operations, Research Data, Customer Information, Supply Chain Systems,
Incident : Ransomware BRO3105131112625
Entry Point: Zero-Day Vulnerabilities In Oracle Ebs (Cve-2025-61882, Cve-2025-21884),
Reconnaissance Period: Since late September 2023 (pre-exploitation activity)
High Value Targets: Fortune 500 Companies (E.G., Broadcom, Estée Lauder), Multinational Corporations With Oracle Ebs Dependencies,
Data Sold on Dark Web: Fortune 500 Companies (E.G., Broadcom, Estée Lauder), Multinational Corporations With Oracle Ebs Dependencies,
Post-Incident Analysis
What were the root causes and corrective actions taken for each incident ?
Incident : Privilege Escalation BRO4592445093025
Root Causes: Privilege Escalation Vulnerability In Vmware Service Discovery Mechanism (Broad Regex Path Matching)., Insufficient Validation Of Unprivileged User Processes Opening Listening Sockets., Delayed Public Disclosure Of In-The-Wild Exploitation (Attacks Began In October 2024; Patch/Report In November 2024)., Reuse Of Exploit Techniques Across Multiple Vulnerabilities (E.G., Cve-2023-46747, Cve-2024-1709) By Unc5174.,
Corrective Actions: Broadcom Released Patches For Cve-2025-41244 And Related Vmware Nsx Vulnerabilities., Nviso Published Poc To Aid Detection And Mitigation., Organizations Advised To Audit Vmware Environments For Signs Of Exploitation (E.G., Suspicious /Tmp/Httpd Binaries)., Enhanced Monitoring For Unc5174 Ttps (Tactics, Techniques, Procedures) Across Enterprise Software.,
Incident : ransomware BRO3362533111725
Root Causes: Third-Party Vendor Vulnerability (Bsh), Supply Chain Risk During Transition Period,
Incident : ransomware BRO0893008112125
Root Causes: Use Of Unpatched Enterprise Software (Oracle E-Business Suite) With Zero-Day Vulnerability., Potential Lack Of Network Segmentation Allowing Lateral Movement., Targeting By A Sophisticated Threat Actor (Cl0P) With A History Of Exploiting Zero-Days.,
Incident : Ransomware BRO3105131112625
Root Causes: Unpatched Zero-Day Vulnerabilities In Oracle Ebs (Cve-2025-61882, Cve-2025-21884)., Lack Of Real-Time Monitoring For Unauthenticated Http Requests Targeting Critical Components (Bi Publisher, Configurator Ui)., Supplier Risk Blind Spots In Enterprise Software Supply Chains.,
Corrective Actions: Immediate Application Of Oracle-Provided Security Patches., Enhanced Supplier Risk Assessments Using Scrm Platforms (E.G., Z2Data)., Implementation Of Behavioral Wafs Or Anomaly Detection For Oracle Ebs Environments., Review Of Third-Party Software Dependencies For Similar Vulnerabilities.,
What is the company's process for conducting post-incident analysis ?
Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Nviso (Vulnerability Reporting And Poc), Google Mandiant (Threat Actor Analysis), , Recommended: Review Security Logs For Unauthorized Access, Deploy Edr Solutions, , Mandiant (Google-Owned Cybersecurity Firm), .
What corrective actions has the company taken based on post-incident analysis ?
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Broadcom Released Patches For Cve-2025-41244 And Related Vmware Nsx Vulnerabilities., Nviso Published Poc To Aid Detection And Mitigation., Organizations Advised To Audit Vmware Environments For Signs Of Exploitation (E.G., Suspicious /Tmp/Httpd Binaries)., Enhanced Monitoring For Unc5174 Ttps (Tactics, Techniques, Procedures) Across Enterprise Software., , Immediate Application Of Oracle-Provided Security Patches., Enhanced Supplier Risk Assessments Using Scrm Platforms (E.G., Z2Data)., Implementation Of Behavioral Wafs Or Anomaly Detection For Oracle Ebs Environments., Review Of Third-Party Software Dependencies For Similar Vulnerabilities., .
Additional Questions
General Information
What was the amount of the last ransom demanded ?
Last Ransom Demanded: The amount of the last ransom demanded was True.
Who was the attacking group in the last incident ?
Last Attacking Group: The attacking group in the last incident were an UNC5174 (Chinese state-sponsored, linked to Ministry of State Security - MSS), El Dorado ransomware group, Cl0p ransomware gang and Cl0p (Clop).
Incident Details
What was the most recent incident detected ?
Most Recent Incident Detected: The most recent incident detected was on 2021-02-01.
What was the most recent incident publicly disclosed ?
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2023-11-20.
Impact of the Incidents
What was the most significant data compromised in an incident ?
Most Significant Data Compromised: The most significant data compromised in an incident were passwords, list of Symantec clients, government agencies, list of clients using Symantec's CloudSOC services, account managers, account numbers, , Broadcom employee data, and .
What was the most significant system affected in an incident ?
Most Significant System Affected: The most significant system affected in an incident was Symantec Enterprise Products and VMware Aria Operations (credential-based mode)VMware Tools (credential-less mode) and Oracle E-Business Suitesupply chain operationsfinancial systemscustomer datamanufacturing operationsresearch data and Oracle E-Business Suite (EBS) versions 12.2.3–12.2.14.
Response to the Incidents
What third-party assistance was involved in the most recent incident ?
Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was nviso (vulnerability reporting and poc), google mandiant (threat actor analysis), , mandiant (google-owned cybersecurity firm), .
What containment measures were taken in the most recent incident ?
Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Patch release for CVE-2025-41244Previous patches for CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 (March 2024)NSX vulnerabilities patched (November 2024), Oracle security patches (CVE-2025-61882 and CVE-2025-21884).
Data Breach Information
What was the most sensitive data compromised in a breach ?
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were passwords, account numbers, government agencies, list of Symantec clients, Broadcom employee data, account managers and list of clients using Symantec's CloudSOC services.
Ransomware Information
What was the highest ransom demanded in a ransomware incident ?
Highest Ransom Demanded: The highest ransom demanded in a ransomware incident was True.
Lessons Learned and Recommendations
What was the most significant lesson learned from past incidents ?
Most Significant Lesson Learned: The most significant lesson learned from past incidents was Supply chain and ERP systems are attractive targets due to their central role in business operations., Supplier vulnerabilities in enterprise software (e.g., Oracle EBS) can cascade into large-scale breaches across industries. Proactive patch management and supply chain risk monitoring (e.g., via SCRM platforms like Z2Data) are critical to mitigating third-party risks. Cl0p’s delayed data leak strategy highlights the importance of rapid incident response to prevent public exposure of sensitive data.
What was the most significant recommendation implemented to improve cybersecurity ?
Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Conduct regular vulnerability assessments for critical ERP and supply chain systems., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Conduct regular audits of enterprise software for zero-day vulnerabilities., Apply security patches for Oracle E-Business Suite as soon as they are released., Prepare incident response plans specifically for ransomware and zero-day scenarios., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Deploy endpoint detection and response (EDR) solutions for early threat detection., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Implement network segmentation to limit lateral movement in case of breach., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors., Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately., Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components., Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios., Evaluate the need for network segmentation to limit lateral movement in case of breaches., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations. and Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments..
References
What is the most recent source of information about an incident ?
Most Recent Source: The most recent source of information about an incident are GBHackers (GBH), Microsoft Threat Intelligence (VMware Zero-Days, March 2024), Z2Data Supplier Risk Analysis, Oracle Security Alerts (CVE-2025-61882, CVE-2025-21884), Google Mandiant (UNC5174 Analysis), The Register, Mandiant (Google-owned cybersecurity firm), UK National Cyber Security Centre (NCSC), NVISO Research (Maxime Thiebaut), BleepingComputer, U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Broadcom Security Advisory for CVE-2025-41244.
What is the most recent URL for additional resources on cybersecurity best practices ?
Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.z2data.com .
Investigation Status
What is the current status of the most recent investigation ?
Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (patch released; threat actor activity under monitoring).
Stakeholder and Customer Advisories
What was the most recent stakeholder advisory issued ?
Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Oracle security alerts urging immediate patching, Mandiant’s analysis of Cl0p’s modus operandi, .
What was the most recent customer advisory issued ?
Most Recent Customer Advisory: The most recent customer advisory issued were an Broadcom urged customers to apply patches immediately; no detailed advisory provided in the article. and Companies advised to monitor for data leaks on Cl0p’s blog or dark web marketplaces.
Initial Access Broker
What was the most recent entry point used by an initial access broker ?
Most Recent Entry Point: The most recent entry point used by an initial access broker were an unpatched zero-day vulnerability in Oracle E-Business Suite and Executable File.
What was the most recent reconnaissance period for an incident ?
Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Since late September 2023 (pre-exploitation activity).
Post-Incident Analysis
What was the most significant root cause identified in post-incident analysis ?
Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Privilege escalation vulnerability in VMware service discovery mechanism (broad regex path matching).Insufficient validation of unprivileged user processes opening listening sockets.Delayed public disclosure of in-the-wild exploitation (attacks began in October 2024; patch/report in November 2024).Reuse of exploit techniques across multiple vulnerabilities (e.g., CVE-2023-46747, CVE-2024-1709) by UNC5174., third-party vendor vulnerability (BSH)supply chain risk during transition period, Use of unpatched enterprise software (Oracle E-Business Suite) with zero-day vulnerability.Potential lack of network segmentation allowing lateral movement.Targeting by a sophisticated threat actor (Cl0p) with a history of exploiting zero-days., Unpatched zero-day vulnerabilities in Oracle EBS (CVE-2025-61882, CVE-2025-21884).Lack of real-time monitoring for unauthenticated HTTP requests targeting critical components (BI Publisher, Configurator UI).Supplier risk blind spots in enterprise software supply chains..
What was the most significant corrective action taken based on post-incident analysis ?
Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Broadcom released patches for CVE-2025-41244 and related VMware NSX vulnerabilities.NVISO published PoC to aid detection and mitigation.Organizations advised to audit VMware environments for signs of exploitation (e.g., suspicious /tmp/httpd binaries).Enhanced monitoring for UNC5174 TTPs (tactics, techniques, procedures) across enterprise software., Immediate application of Oracle-provided security patches.Enhanced supplier risk assessments using SCRM platforms (e.g., Z2Data).Implementation of behavioral WAFs or anomaly detection for Oracle EBS environments.Review of third-party software dependencies for similar vulnerabilities..
.png)
Latest Global CVEs (Not Company-Specific)
Description
A weakness has been identified in itsourcecode Online Pet Shop Management System 1.0. This vulnerability affects unknown code of the file /pet1/addcnp.php. This manipulation of the argument cnpname causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited.
Risk Information
cvss2
Base: 7.5
Severity: LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
cvss3
Base: 7.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
cvss4
Base: 6.9
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
A security flaw has been discovered in Tenda AX9 22.03.01.46. This affects the function image_check of the component httpd. The manipulation results in use of weak hash. It is possible to launch the attack remotely. A high complexity level is associated with this attack. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be exploited.
Risk Information
cvss2
Base: 2.6
Severity: HIGH
AV:N/AC:H/Au:N/C:N/I:P/A:N
cvss3
Base: 3.7
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
cvss4
Base: 6.3
Severity: HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
A weakness has been identified in code-projects Student File Management System 1.0. This issue affects some unknown processing of the file /admin/update_student.php. This manipulation of the argument stud_id causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited.
Risk Information
cvss2
Base: 7.5
Severity: LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
cvss3
Base: 7.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
cvss4
Base: 6.9
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
A security flaw has been discovered in code-projects Student File Management System 1.0. This vulnerability affects unknown code of the file /admin/save_user.php. The manipulation of the argument firstname results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited.
Risk Information
cvss2
Base: 7.5
Severity: LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
cvss3
Base: 7.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
cvss4
Base: 6.9
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
A vulnerability was identified in code-projects Student File Management System 1.0. This affects an unknown part of the file /admin/update_user.php. The manipulation of the argument user_id leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
Risk Information
cvss2
Base: 7.5
Severity: LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
cvss3
Base: 7.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
cvss4
Base: 6.9
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Access Data Using Our API
Get company history
curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=broadcomsoftware' -H 'apikey: YOUR_API_KEY_HERE'
RapidWhat Do We Measure ?
Incident
Finding
Grade
Digital Assets
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Network Security
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
SBOM (Software Bill of Materials)
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
CMDB (Configuration Management Database)
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Threat Intelligence
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.
