Symantec
Company Details
Linkedin ID:
symantec
Employees number:
11,988
Number of followers:
442,786
NAICS:
5112
Industry Type:
Homepage:
broadcom.com
IP Addresses:
0
Company ID:
SYM_1101791
Scan Status:
In-progress
Symantec Company CyberSecurity Posture
broadcom.com
Your backstage pass to the most epic cybersecurity solutions on the market for Endpoint, Network, Data and Cloud security. Featuring worldwide (yet local-to-you) partner experts with the chops to deliver enterprise-grade security, whether you're a solo act or a supergroup. Be first in line to experience defense that goes to 11. Hit us up: https://engage.broadcom.com/ESG-contact-us
Symantec A.I CyberSecurity Scoring
Symantec Risk Score (AI oriented)Between 750 and 799
Symantec
Updated:
- Powered by our proprietary A.I cyber incident model
- Insurance preferes TPRM score to calculate premium
Symantec Global Score (TPRM)XXXX
Symantec
- Instant access to detailed risk factors
- Benchmark vs. industry & size peers
- Vulnerabilities
- Findings
Symantec Company CyberSecurity News & History
Past Incidents
8
Attack Types
3
Broadcom
Ransomware
Rankiteo Explanation
Attack with significant impact with internal employee data leaks
Description: U.S.-based semiconductor giant **Broadcom** suffered a **third-party ransomware attack** in September, targeting **Business Systems House (BSH)**, a partner of its former payroll provider **ADP**. The breach, attributed to the **El Dorado ransomware gang** (linked to BlackLock), resulted in the theft of **Middle Eastern employees' sensitive data**, including birthdates, email addresses, phone numbers, home addresses, national ID numbers, health insurance details (IDs, policy numbers), financial account numbers, salary information, and employment termination dates. While ADP clarified that only a **'small subset' of clients in select Middle Eastern countries** were affected and denied direct involvement or ransom payments, the incident occurred during Broadcom’s transition to a new payroll provider. The full scope of the breach remains undisclosed, but the compromised data poses significant risks of identity theft, financial fraud, and reputational harm to affected employees.
Broadcom
Ransomware
Rankiteo Explanation
Attack with significant impact with internal employee data leaks
Description: A ransomware attack targeted **Business Systems House (BSH)**, a Middle Eastern payroll partner of **ADP**, in **September 2024**, leading to the theft of **Broadcom’s employee data**. The compromised data was leaked online in **December 2024**, but Broadcom was not notified until **May 2025**—an eight-month delay. The **El Dorado ransomware group** claimed responsibility, exploiting Broadcom’s ongoing transition between payroll providers. The breach exposed sensitive employee information, including personal and financial details, while Broadcom was still dependent on ADP and BSH for payroll processing. The incident underscores critical vulnerabilities in **third-party supply chain security**, particularly during vendor transitions, and highlights the prolonged risks of undetected data exfiltration in ransomware attacks. The delayed disclosure further exacerbated reputational and operational risks for Broadcom, a global semiconductor and infrastructure software leader.
Broadcom
Ransomware
Rankiteo Explanation
Attack threatening the organization’s existence
Description: Broadcom, a global technology leader valued at hundreds of billions, was among the high-profile victims of **Cl0p’s ransomware attack** exploiting a **zero-day vulnerability in Oracle’s E-Business Suite (CVE-2025-61882 and CVE-2025-21884)**. The cybercriminal group **exfiltrated sensitive corporate and customer data**, threatening to leak or sell it unless a ransom was paid. The breach compromised critical systems, risking **financial records, proprietary business data, and third-party customer information**. Cl0p’s extortion tactics included warnings of **public disclosure on their blog, torrent leaks, or sales to malicious actors**, amplifying reputational and operational risks. Given Broadcom’s role in semiconductor and infrastructure technology, the attack posed **supply chain cascading risks**, potentially disrupting clients reliant on its products. Oracle issued emergency patches, but the damage—including **data theft, potential regulatory fines, and erosion of stakeholder trust**—had already occurred. The incident underscores vulnerabilities in enterprise software dependencies, with Broadcom facing **long-term financial and strategic repercussions** if the stolen data is weaponized.
Broadcom
Ransomware
Rankiteo Explanation
Attack threatening the organization’s existence
Description: The **Cl0p ransomware gang** breached **Broadcom**, a $300+ billion semiconductor and infrastructure software leader, by exploiting an **unpatched zero-day vulnerability in Oracle E-Business Suite**. This ERP platform manages critical operations, including **supply chain, financial systems, and customer data**, making it a high-value target. The attackers likely **exfiltrated sensitive corporate data** (potentially including **intellectual property, manufacturing secrets, and customer information**) before deploying ransomware, following Cl0p’s typical double-extortion tactic. The breach risks **operational disruptions in global manufacturing**, **regulatory penalties for data exposure**, and **reputational damage** due to the involvement of a notorious ransomware group. The use of a **zero-day exploit** amplifies the threat, as other organizations using Oracle E-Business Suite may face similar attacks until a patch is released. Broadcom has not confirmed the incident, but the alleged compromise aligns with Cl0p’s pattern of targeting **high-value enterprises** via unpatched vulnerabilities in widely used software.
Broadcom
Vulnerability
Rankiteo Explanation
Attack without any consequences
Description: A critical security vulnerability has been discovered in Broadcom’s Symantec Endpoint Management Suite that enables unauthenticated remote code execution, posing significant risks to enterprise IT infrastructure. The flaw, designated CVE-2025-5333 with a severe CVSS v4.0 score of 9.5, affects multiple versions of the widely-deployed endpoint management solution and has prompted immediate mitigation recommendations from security experts. The vulnerability resides in the Symantec Altiris Inventory Rule Management (IRM) component, specifically targeting an exposed legacy .NET Remoting endpoint.
Broadcom (VMware)
Vulnerability
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: Broadcom patched a **high-severity privilege escalation vulnerability (CVE-2025-41244)** in **VMware Aria Operations** and **VMware Tools**, actively exploited since **October 2024** by **UNC5174**, a **Chinese state-sponsored threat actor** linked to China’s Ministry of State Security (MSS). The flaw allows an **unprivileged local attacker** to escalate privileges to **root-level code execution** by staging a malicious binary in paths like `/tmp/httpd` and exploiting VMware’s service discovery mechanism. UNC5174, known for selling network access to **U.S. defense contractors, UK government entities, and Asian institutions**, previously exploited **CVE-2023-46747 (F5 BIG-IP)**, **CVE-2024-1709 (ConnectWise ScreenConnect)**, and **CVE-2025-31324 (SAP NetWeaver)**.The vulnerability poses a **critical risk** as it enables **full system compromise**, potentially allowing attackers to **move laterally across networks**, **steal sensitive data**, or **deploy additional malware**. While no **direct data breach or ransomware** was confirmed in this case, the exploitation by a **state-backed APT group** suggests **espionage or pre-positioning for future attacks**. Broadcom also patched **two other high-severity VMware NSX flaws** reported by the **NSA**, indicating a broader pattern of **targeted cyber operations** against enterprise infrastructure.
Symantec
Breach
Rankiteo Explanation
Attack with significant impact with internal employee data leaks
Description: Security firm Symantec was attacked by a hacker back in February 2021 in which the hackers extracted some of the data. This comprises not only passwords but a list of Symantec clients -- including government agencies. The hacker was able to access a list of clients using Symantec's CloudSOC services, account managers and account numbers.
Symantec
Vulnerability
Rankiteo Explanation
Attack with significant impact with internal employee data leaks
Description: Tavis Ormandy identified Symantec and Norton flaws that cybercriminals may use to gain access to users' data. There were 17 items on the list of vulnerable Symantec enterprise products. On the Symantec website, these items had been listed as a security advisory. Malware concealed in an executable file had a chance to obtain total access to the computer running the operating system, it was discovered that Symantec decompressed files in the operating system's kernel.
Symantec Company Scoring based on AI Models
Cyber Incidents Likelihood 3 - 6 - 9 months
A.I Risk Score Likelihood 3 - 6 - 9 months
Underwriter Stats for Symantec
Incidents vs Software Development Industry Average (This Year)
No incidents recorded for Symantec in 2025.
Incidents vs All-Companies Average (This Year)
No incidents recorded for Symantec in 2025.
Incident Types Symantec vs Software Development Industry Avg (This Year)
No incidents recorded for Symantec in 2025.
Incident History — Symantec (X = Date, Y = Severity)
Symantec cyber incidents detection timeline including parent company and subsidiaries
Symantec Company Subsidiaries
Your backstage pass to the most epic cybersecurity solutions on the market for Endpoint, Network, Data and Cloud security. Featuring worldwide (yet local-to-you) partner experts with the chops to deliver enterprise-grade security, whether you're a solo act or a supergroup. Be first in line to experience defense that goes to 11. Hit us up: https://engage.broadcom.com/ESG-contact-us
Loading...
Symantec Similar Companies
PayPal
We're championing possibilities for all by making money fast, easy, and more enjoyable. Our hope is unlock opportunities for people in their everyday lives and empower the millions of people and businesses around the world who trust, rely, and use PayPal every day. For support, visit the PayPal He
SS&C is a leading global provider of mission-critical, cloud-based software and solutions for the financial and healthcare industries. Named to the Fortune 1000 list as a top U.S. company based on revenue, SS&C (NASDAQ: SSNC) is a trusted provider to more than 20,000 financial services and healthcar
Alibaba Group
🌍Alibaba Group is on a mission to make it easy to do business anywhere! Guided by our passion and imagination, we’re leading the way in AI, cloud computing and e-commerce. We aim to build the future infrastructure of commerce, and we aspire to be a good company that lasts for 102 years.
Bosch Global Software Technologies
With our unique ability to offer end-to-end solutions that connect the three pillars of IoT - Sensors, Software, and Services, we enable businesses to move from the traditional to the digital, or improve businesses by introducing a digital element in their products and processes. Now more than ever
As a global leader in business cloud software specialized by industry. Infor develops complete solutions for its focus industries, including industrial manufacturing, distribution, healthcare, food & beverage, automotive, aerospace & defense, hospitality, and high tech. Infor’s mission-critical ente
GlobalLogic
GlobalLogic, a Hitachi Group company, is a trusted partner in design, data, and digital engineering for the world’s largest and most innovative companies. Since our inception in 2000, we have been at the forefront of the digital revolution, helping to create some of the most widely used digital prod
Shopee
Shopee is the leading e-commerce platform in Southeast Asia and Taiwan. It is a platform tailored for the region, providing customers with an easy, secure and fast online shopping experience through strong payment and logistical support. Shopee aims to continually enhance its platform and become th
IDEMIA Group unlocks simpler and safer ways to pay, connect, access, identify, travel and protect public places. With its long-standing expertise in biometrics and cryptography, IDEMIA develops technologies of excellence with an impactful, ethical, and socially responsible approach. Every day, IDEMI
Siemens Digital Industries Software
We help organizations of all sizes digitally transform using software, hardware and services from the Siemens Xcelerator business platform. Our software and the comprehensive digital twin enable companies to optimize their design, engineering and manufacturing processes to turn today's ideas into th
.png)
Symantec CyberSecurity News
October 15, 2025 07:00 AM
Researchers report rare intrusion by suspected Chinese hackers into Russian tech firm
According to a new report by cybersecurity firm Symantec, the hackers gained access to the Russian company's software build and...
September 09, 2025 07:00 AM
AI at the Front Lines of Cybersecurity Defense
Symantec now leverages Google's Gemini 2.5 Flash series of models for agentic AI to automate threat analysis, activate internal tools and...
September 03, 2025 07:00 AM
Watching Kpop Demon Hunters With My Kid Was a Cybersecurity Masterclass
Netflix's animated hit has a lot to teach us about SOC teams, Zero Trust, and threat hunting (no, seriously)
July 18, 2025 07:00 AM
In Other News: Law Firm Hacked by China, Symantec Flaw, Meta AI Hack, FIDO Key Bypass
Powerful US law firm hacked by China, Symantec product flaw, $10000 Meta AI hack, cryptocurrency thieves bypassing FIDO keys.
June 26, 2025 07:00 AM
Symantec to Acquire Blue Coat and Define the Future of Cybersecurity
Symantec will acquire Blue Coat for approximately $4.651 billion in cash. The transaction has been approved by the Boards of Directors of both companies.
May 21, 2025 07:00 AM
Broadcom Named One of America’s Best Cybersecurity Companies 2025
Newsweek and Statista R recognized Broadcom as one of the top cybersecurity providers of the year in its inaugural list that “honors the...
May 18, 2025 05:34 AM
Broadcom Enterprise Security Group Upcoming Events
Your backstage pass to the most epic cybersecurity solutions on the market for Endpoint, Network, Data and Cloud security.
April 10, 2025 07:00 AM
Tainted drive appears to be source of malware attack on Western military mission in Ukraine
Researchers at Symantec said the Russia-linked group known as Gamaredon appears to have departed from its usual email phishing tactics in...
March 26, 2025 10:40 PM
Symantec acquires Luminate Security for cyber cloud defence
Symantec has acquired Israel-based Luminate Security to beef up its cyber defence capabilities when it comes to the cloud.
Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
Symantec CyberSecurity History Information
Official Website of Symantec
The official website of Symantec is https://www.broadcom.com/products/cybersecurity.
Symantec’s AI-Generated Cybersecurity Score
According to Rankiteo, Symantec’s AI-generated cybersecurity score is 768, reflecting their Fair security posture.
How many security badges does Symantec’ have ?
According to Rankiteo, Symantec currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
Does Symantec have SOC 2 Type 1 certification ?
According to Rankiteo, Symantec is not certified under SOC 2 Type 1.
Does Symantec have SOC 2 Type 2 certification ?
According to Rankiteo, Symantec does not hold a SOC 2 Type 2 certification.
Does Symantec comply with GDPR ?
According to Rankiteo, Symantec is not listed as GDPR compliant.
Does Symantec have PCI DSS certification ?
According to Rankiteo, Symantec does not currently maintain PCI DSS compliance.
Does Symantec comply with HIPAA ?
According to Rankiteo, Symantec is not compliant with HIPAA regulations.
Does Symantec have ISO 27001 certification ?
According to Rankiteo,Symantec is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Industry Classification of Symantec
Symantec operates primarily in the Software Development industry.
Number of Employees at Symantec
Symantec employs approximately 11,988 people worldwide.
Subsidiaries Owned by Symantec
Symantec presently has no subsidiaries across any sectors.
Symantec’s LinkedIn Followers
Symantec’s official LinkedIn profile has approximately 442,786 followers.
NAICS Classification of Symantec
Symantec is classified under the NAICS code 5112, which corresponds to Software Publishers.
Symantec’s Presence on Crunchbase
No, Symantec does not have a profile on Crunchbase.
Symantec’s Presence on LinkedIn
Yes, Symantec maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/symantec.
Cybersecurity Incidents Involving Symantec
As of November 27, 2025, Rankiteo reports that Symantec has experienced 8 cybersecurity incidents.
Number of Peer and Competitor Companies
Symantec has an estimated 26,611 peer or competitor companies worldwide.
What types of cybersecurity incidents have occurred at Symantec ?
Incident Types: The types of cybersecurity incidents that have occurred include Vulnerability, Breach and Ransomware.
How does Symantec detect and respond to cybersecurity incidents ?
Detection and Response: The company detects and responds to cybersecurity incidents through an containment measures with block port 4011 on firewalls, containment measures with configure the irm_hostedserviceurl core setting with an empty value and restart the altiris inventory rule management service, and remediation measures with limit .net remoting access to localhost-only in upcoming releases, and incident response plan activated with yes (broadcom patch release), and third party assistance with nviso (vulnerability reporting and poc), third party assistance with google mandiant (threat actor analysis), and containment measures with patch release for cve-2025-41244, containment measures with previous patches for cve-2025-22224, cve-2025-22225, cve-2025-22226 (march 2024), containment measures with nsx vulnerabilities patched (november 2024), and communication strategy with public disclosure via the register; adp issued a statement clarifying limited impact and no ransom payment, and network segmentation with recommended for organizations using oracle e-business suite, and enhanced monitoring with recommended: review security logs for unauthorized access, deploy edr solutions, and and third party assistance with mandiant (google-owned cybersecurity firm), and containment measures with oracle security patches (cve-2025-61882, cve-2025-21884), and remediation measures with patch application for oracle ebs vulnerabilities, and communication strategy with oracle security alerts to customers, communication strategy with public disclosure via media..
Incident Details
Can you provide details on each incident ?
Title: Symantec Data Breach
Description: Security firm Symantec was attacked by a hacker in February 2021, resulting in the extraction of data including passwords and a list of Symantec clients, including government agencies.
Date Detected: 2021-02-01
Type: Data Breach
Title: Symantec and Norton Vulnerabilities Identified by Tavis Ormandy
Description: Tavis Ormandy identified Symantec and Norton flaws that cybercriminals may use to gain access to users' data. There were 17 items on the list of vulnerable Symantec enterprise products. On the Symantec website, these items had been listed as a security advisory. Malware concealed in an executable file had a chance to obtain total access to the computer running the operating system, it was discovered that Symantec decompressed files in the operating system's kernel.
Type: Vulnerability Exploit
Attack Vector: Executable File
Vulnerability Exploited: File Decompression in Kernel
Motivation: Data Theft
Title: Critical Security Vulnerability in Broadcom’s Symantec Endpoint Management Suite
Description: A critical security vulnerability (CVE-2025-5333) has been discovered in Broadcom’s Symantec Endpoint Management Suite that enables unauthenticated remote code execution, posing significant risks to enterprise IT infrastructure.
Date Detected: May 2025
Type: Vulnerability
Attack Vector: Unauthenticated Remote Code Execution (RCE)
Vulnerability Exploited: CVE-2025-5333
Title: Broadcom Patches High-Severity VMware Aria Operations and VMware Tools Privilege Escalation Vulnerability (CVE-2025-41244) Exploited by UNC5174
Description: Broadcom has patched a high-severity privilege escalation vulnerability (CVE-2025-41244) in its VMware Aria Operations and VMware Tools software, exploited in zero-day attacks since October 2024. The vulnerability allows unprivileged local attackers to escalate privileges to root-level code execution by staging a malicious binary in broadly-matched regex paths (e.g., /tmp/httpd). The attacks have been linked to the Chinese state-sponsored threat actor UNC5174, a contractor for China's Ministry of State Security (MSS). NVISO released a proof-of-concept exploit demonstrating the flaw's exploitation.
Date Detected: 2024-05-01
Date Publicly Disclosed: 2024-11-05
Type: Privilege Escalation
Attack Vector: LocalMalicious Binary StagingService Discovery Abuse
Vulnerability Exploited: CVE-2025-41244 (VMware Aria Operations and VMware Tools Privilege Escalation)
Threat Actor: UNC5174 (Chinese state-sponsored, linked to Ministry of State Security - MSS)
Motivation: EspionageFinancial Gain (selling network access)Cyber Warfare
Title: Ransomware Attack on Business Systems House (BSH) Leading to Broadcom Employee Data Theft
Description: A ransomware attack on Business Systems House (BSH), a Middle Eastern partner of payroll provider ADP, resulted in the theft of Broadcom employee data in September 2024. The data was leaked online in December 2024, but Broadcom was not informed until May 2025. The El Dorado ransomware group claimed responsibility. The breach occurred during Broadcom's transition away from ADP and BSH as payroll providers.
Date Detected: 2024-09
Date Publicly Disclosed: 2025-05
Type: ransomware
Attack Vector: third-party vendor (BSH, a regional partner of ADP)
Threat Actor: El Dorado ransomware group
Motivation: financial gaindata theft
Title: Broadcom Middle Eastern Employees' Data Breach via Third-Party Ransomware Attack
Description: U.S. multinational semiconductor manufacturing company Broadcom had its Middle Eastern employees' data stolen following a September ransomware attack against **Business Systems House (BSH)**, a partner of its former payroll services provider **ADP**. The breach, claimed by the **El Dorado ransomware gang** (linked to **BlackLock**), occurred during Broadcom's transition to another payroll provider. Compromised data may include employees' birthdates, email addresses, phone numbers, home addresses, national ID numbers, national health insurance ID numbers, health insurance policy numbers, financial account numbers, salary details, and employment termination dates. ADP stated the incident impacted only a 'small subset' of clients in some Middle Eastern countries and confirmed no ransom was paid by ADP or BSH (to their knowledge).
Type: data breach
Attack Vector: supply chain attackthird-party compromise (payroll provider partner)
Threat Actor: El Dorado ransomware gangBlackLock operation
Motivation: financial gain (ransomware)
Title: Cl0p Ransomware Gang Claims Breach of Broadcom via Zero-Day in Oracle E-Business Suite
Description: The Cl0p ransomware gang has publicly claimed responsibility for breaching Broadcom, a leading semiconductor and infrastructure software company. The attackers allegedly exploited an unpatched zero-day vulnerability in Oracle E-Business Suite to gain initial access. The incident follows a pattern of Cl0p targeting high-value enterprise systems using zero-day and known vulnerabilities. Broadcom has not issued an official statement, and the claim remains unverified by independent security researchers. The vulnerability allows arbitrary code execution, persistent access, and lateral movement across corporate networks. Cl0p is known for combining zero-day exploitation with credential theft and data exfiltration before deploying ransomware.
Type: ransomware
Attack Vector: zero-day vulnerability in Oracle E-Business Suitearbitrary code executionlateral movementcredential theftdata exfiltration
Vulnerability Exploited: Unpatched zero-day vulnerability in Oracle E-Business Suite (arbitrary code execution)
Threat Actor: Cl0p ransomware gang
Motivation: financial gain (ransomware)data theft for extortiondisruption of high-value enterprise targets
Title: Cl0p Exploits Zero-Day Vulnerabilities in Oracle E-Business Suite Leading to Massive Data Breaches
Description: The cybercriminal group Cl0p exploited two zero-day vulnerabilities (CVE-2025-61882 and CVE-2025-21884) in Oracle’s E-Business Suite (EBS), leading to data breaches in over 100 companies, including Broadcom, Estée Lauder, Mazda, and Canon. The group demanded significant ransom payments, threatening to leak or sell exfiltrated data if unpaid. Oracle issued security patches, but the attacks had already compromised sensitive corporate and customer data across multiple industries and geographies.
Date Detected: 2023-09-01
Date Publicly Disclosed: 2023-11-20
Type: Ransomware
Attack Vector: Zero-Day Exploit (CVE-2025-61882, CVE-2025-21884)Unauthenticated HTTP RequestsData Exfiltration
Threat Actor: Cl0p (Clop)
Motivation: Financial Gain (Ransomware Extortion)
What are the most common types of attacks the company has faced ?
Common Attack Types: The most common types of attacks the company has faced is Ransomware.
How does the company identify the attack vectors used in incidents ?
Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Executable File, Port 4011, Exploitation of CVE-2025-41244 (privilege escalation via /tmp/httpd)Previous exploits: CVE-2023-46747 (F5 BIG-IP), CVE-2024-1709 (ConnectWise ScreenConnect), CVE-2025-31324 (NetWeaver Visual Composer), unpatched zero-day vulnerability in Oracle E-Business Suite, Zero-day vulnerabilities in Oracle EBS (CVE-2025-61882 and CVE-2025-21884).
Impact of the Incidents
What was the impact of each incident ?
Incident : Data Breach SYM1336271222
Data Compromised: Passwords, List of symantec clients, Government agencies, List of clients using symantec's cloudsoc services, Account managers, Account numbers
Incident : Vulnerability Exploit SYM44121823
Systems Affected: Symantec Enterprise Products
Incident : Vulnerability BRO809071525
Systems Affected: Symantec Endpoint Management Suite 8.6.x-8.8
Incident : Privilege Escalation BRO4592445093025
Systems Affected: VMware Aria Operations (credential-based mode)VMware Tools (credential-less mode)
Operational Impact: Potential root-level code execution on vulnerable VMs, leading to full system compromise
Brand Reputation Impact: High (zero-day exploitation by state-sponsored actor, multiple high-profile vulnerabilities in 2024)
Incident : ransomware BRO3362533111725
Data Compromised: Broadcom employee data
Brand Reputation Impact: negative (ripples through tech and cybersecurity community)
Identity Theft Risk: potential (employee data exposed)
Incident : data breach BRO4981349111725
Data Compromised: Birthdates, Email addresses, Phone numbers, Home addresses, National id numbers, National health insurance id numbers, Health insurance policy numbers, Financial account numbers, Salary details, Employment termination dates
Brand Reputation Impact: potential reputational harm due to sensitive employee data exposure
Identity Theft Risk: high (due to exposure of PII and financial data)
Payment Information Risk: high (financial account numbers compromised)
Incident : ransomware BRO0893008112125
Systems Affected: Oracle E-Business Suitesupply chain operationsfinancial systemscustomer datamanufacturing operationsresearch data
Operational Impact: potential disruption of manufacturing operationssupply chain interruptionsglobal infrastructure risks
Brand Reputation Impact: high (targeting a $300B+ company)potential loss of trust in supply chain security
Legal Liabilities: potential regulatory compliance violations (e.g., data protection laws)
Incident : Ransomware BRO3105131112625
Systems Affected: Oracle E-Business Suite (EBS) versions 12.2.3–12.2.14
Operational Impact: Significant (data exfiltration, potential system compromise)
Brand Reputation Impact: High (public disclosure of breaches, ransom demands)
Identity Theft Risk: High (PII and sensitive corporate data exfiltrated)
What types of data are most commonly compromised in incidents ?
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Passwords, List Of Symantec Clients, Government Agencies, List Of Clients Using Symantec'S Cloudsoc Services, Account Managers, Account Numbers, , Employee Data, , Personally Identifiable Information (Pii), Financial Data, Employment Records, Health Insurance Details, , Potential: Corporate Data (Supply Chain, Financial, Customer), Intellectual Property (Research Data), , Corporate Data, Customer Data, Sensitive Business Information and .
Which entities were affected by each incident ?
Incident : Data Breach SYM1336271222
Entity Name: Symantec
Entity Type: Security Firm
Industry: Cybersecurity
Incident : Vulnerability Exploit SYM44121823
Entity Name: Symantec
Entity Type: Company
Industry: Cybersecurity
Incident : Vulnerability BRO809071525
Entity Name: Broadcom
Entity Type: Organization
Industry: Technology
Incident : Privilege Escalation BRO4592445093025
Entity Name: Broadcom (VMware)
Entity Type: Technology Corporation
Industry: Software/Cloud Infrastructure
Location: United States (Global Operations)
Size: Large Enterprise
Incident : Privilege Escalation BRO4592445093025
Entity Name: U.S. Defense Contractors (via UNC5174 access sales)
Entity Type: Private/Government Contractors
Industry: Defense
Location: United States
Incident : Privilege Escalation BRO4592445093025
Entity Name: UK Government Entities (via UNC5174 access sales)
Entity Type: Government
Industry: Public Sector
Location: United Kingdom
Incident : Privilege Escalation BRO4592445093025
Entity Name: Asian Institutions (via UNC5174 access sales)
Entity Type: Government/Private
Industry: Multiple Sectors
Location: Asia
Incident : Privilege Escalation BRO4592445093025
Entity Name: U.S. and Canadian Institutions (via CVE-2024-1709 exploitation)
Entity Type: Multiple
Industry: Multiple Sectors
Location: United States, Canada
Customers Affected: Hundreds (per February 2024 attacks)
Incident : ransomware BRO3362533111725
Entity Name: Broadcom Inc.
Entity Type: multinational corporation
Industry: semiconductor, infrastructure software
Location: global (HQ in San Jose, California, USA)
Incident : ransomware BRO3362533111725
Entity Name: Business Systems House (BSH)
Entity Type: regional payroll service provider
Industry: payroll services
Location: Middle East
Customers Affected: Broadcom employees (data compromised)
Incident : ransomware BRO3362533111725
Entity Name: ADP (Automatic Data Processing)
Entity Type: payroll services giant
Industry: HR and payroll services
Location: global (HQ in Roseland, New Jersey, USA)
Incident : data breach BRO4981349111725
Entity Name: Broadcom Inc.
Entity Type: public company
Industry: semiconductor manufacturing
Location: United States (global operations, breach impacted Middle Eastern employees)
Size: large (multinational)
Incident : data breach BRO4981349111725
Entity Name: Business Systems House (BSH)
Entity Type: private company (ADP partner)
Industry: payroll services
Location: Middle East
Customers Affected: small subset of clients (including Broadcom)
Incident : data breach BRO4981349111725
Entity Name: ADP (Automatic Data Processing)
Entity Type: public company
Industry: payroll and HR services
Location: United States (global operations)
Size: large
Customers Affected: small subset of Middle Eastern clients
Incident : ransomware BRO0893008112125
Entity Name: Broadcom Inc.
Entity Type: public company
Industry: semiconductor manufacturing, infrastructure software
Location: global (HQ: San Jose, California, USA)
Size: $300+ billion market cap
Incident : Ransomware BRO3105131112625
Entity Name: Oracle
Entity Type: Corporation
Industry: Technology (Enterprise Software)
Location: United States
Size: Large (Fortune 500)
Incident : Ransomware BRO3105131112625
Entity Name: Broadcom
Entity Type: Corporation
Industry: Semiconductors/Technology
Location: United States
Size: Large (Fortune 500)
Incident : Ransomware BRO3105131112625
Entity Name: Estée Lauder Companies
Entity Type: Corporation
Industry: Cosmetics/Retail
Location: United States
Size: Large (Fortune 500)
Incident : Ransomware BRO3105131112625
Entity Name: Mazda
Entity Type: Corporation
Industry: Automotive
Location: Japan
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Canon
Entity Type: Corporation
Industry: Technology/Imaging
Location: Japan
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Michelin
Entity Type: Corporation
Industry: Automotive/Tires
Location: France
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Humana
Entity Type: Corporation
Industry: Healthcare/Insurance
Location: United States
Size: Large (Fortune 500)
Incident : Ransomware BRO3105131112625
Entity Name: Fruit of the Loom
Entity Type: Corporation
Industry: Apparel
Location: United States
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Abbott Laboratories
Entity Type: Corporation
Industry: Healthcare/Pharmaceuticals
Location: United States
Size: Large (Fortune 500)
Incident : Ransomware BRO3105131112625
Entity Name: Grupo Bimbo
Entity Type: Corporation
Industry: Food/Baking
Location: Mexico
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: A10 Networks
Entity Type: Corporation
Industry: Technology/Networking
Location: United States
Size: Mid-Large
Incident : Ransomware BRO3105131112625
Entity Name: Envoy
Entity Type: Corporation
Industry: Technology/Workplace Solutions
Location: United States
Size: Mid-Large
Incident : Ransomware BRO3105131112625
Entity Name: Greater Cleveland RTA
Entity Type: Government Agency
Industry: Transportation
Location: United States
Size: Mid
Incident : Ransomware BRO3105131112625
Entity Name: Frontrol
Entity Type: Corporation
Industry: Technology/Security
Incident : Ransomware BRO3105131112625
Entity Name: MAS Holdings
Entity Type: Corporation
Industry: Apparel/Manufacturing
Location: Sri Lanka
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Trane Technologies
Entity Type: Corporation
Industry: HVAC/Manufacturing
Location: United States
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Treet Corp
Entity Type: Corporation
Industry: Manufacturing
Incident : Ransomware BRO3105131112625
Entity Name: University of Phoenix
Entity Type: Educational Institution
Industry: Education
Location: United States
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: L&L Products
Entity Type: Corporation
Industry: Automotive/Manufacturing
Location: United States
Size: Mid-Large
Incident : Ransomware BRO3105131112625
Entity Name: Worley
Entity Type: Corporation
Industry: Engineering/Consulting
Location: Australia
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Fleet Management Limited
Entity Type: Corporation
Industry: Logistics/Transportation
Incident : Ransomware BRO3105131112625
Entity Name: Alshaya Group
Entity Type: Corporation
Industry: Retail/Hospitality
Location: Kuwait
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Bechtel Corporation
Entity Type: Corporation
Industry: Construction/Engineering
Location: United States
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: WellBiz Brands, Inc.
Entity Type: Corporation
Industry: Retail/Wellness
Location: United States
Size: Mid
Incident : Ransomware BRO3105131112625
Entity Name: Dooney & Bourke
Entity Type: Corporation
Industry: Luxury Accessories
Location: United States
Size: Mid
Incident : Ransomware BRO3105131112625
Entity Name: Greenball
Entity Type: Corporation
Industry: Manufacturing
Incident : Ransomware BRO3105131112625
Entity Name: Sumitomo Chemical
Entity Type: Corporation
Industry: Chemicals
Location: Japan
Size: Large
Incident : Ransomware BRO3105131112625
Entity Name: Aljomaih Automotive Company (AAC)
Entity Type: Corporation
Industry: Automotive
Location: Saudi Arabia
Size: Large
Response to the Incidents
What measures were taken in response to each incident ?
Incident : Vulnerability BRO809071525
Containment Measures: Block port 4011 on firewallsConfigure the IRM_HostedServiceUrl core setting with an empty value and restart the Altiris Inventory Rule Management Service
Remediation Measures: Limit .NET Remoting access to localhost-only in upcoming releases
Incident : Privilege Escalation BRO4592445093025
Incident Response Plan Activated: Yes (Broadcom patch release)
Third Party Assistance: Nviso (Vulnerability Reporting And Poc), Google Mandiant (Threat Actor Analysis).
Containment Measures: Patch release for CVE-2025-41244Previous patches for CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 (March 2024)NSX vulnerabilities patched (November 2024)
Incident : data breach BRO4981349111725
Communication Strategy: public disclosure via The Register; ADP issued a statement clarifying limited impact and no ransom payment
Incident : ransomware BRO0893008112125
Network Segmentation: ['recommended for organizations using Oracle E-Business Suite']
Enhanced Monitoring: recommended: review security logs for unauthorized access, deploy EDR solutions
Incident : Ransomware BRO3105131112625
Incident Response Plan Activated: True
Third Party Assistance: Mandiant (Google-Owned Cybersecurity Firm).
Containment Measures: Oracle security patches (CVE-2025-61882, CVE-2025-21884)
Remediation Measures: Patch application for Oracle EBS vulnerabilities
Communication Strategy: Oracle security alerts to customersPublic disclosure via media
What is the company's incident response plan?
Incident Response Plan: The company's incident response plan is described as Yes (Broadcom patch release), .
How does the company involve third-party assistance in incident response ?
Third-Party Assistance: The company involves third-party assistance in incident response through NVISO (vulnerability reporting and PoC), Google Mandiant (threat actor analysis), , Mandiant (Google-owned cybersecurity firm), .
Data Breach Information
What type of data was compromised in each breach ?
Incident : Data Breach SYM1336271222
Type of Data Compromised: Passwords, List of symantec clients, Government agencies, List of clients using symantec's cloudsoc services, Account managers, Account numbers
Incident : ransomware BRO3362533111725
Type of Data Compromised: Employee data
Sensitivity of Data: high (employee records)
Data Exfiltration: yes (leaked online in December 2024)
Personally Identifiable Information: likely (employee data)
Incident : data breach BRO4981349111725
Type of Data Compromised: Personally identifiable information (pii), Financial data, Employment records, Health insurance details
Sensitivity of Data: high (includes national IDs, financial accounts, and health insurance details)
Incident : ransomware BRO0893008112125
Type of Data Compromised: Potential: corporate data (supply chain, financial, customer), Intellectual property (research data)
Sensitivity of Data: high (enterprise resource planning data)potentially confidential (manufacturing, R&D)
Data Exfiltration: claimed by Cl0p (typical tactic before ransomware deployment)
Incident : Ransomware BRO3105131112625
Type of Data Compromised: Corporate data, Customer data, Sensitive business information
Sensitivity of Data: High
What measures does the company take to prevent data exfiltration ?
Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Limit .NET Remoting access to localhost-only in upcoming releases, , Patch application for Oracle EBS vulnerabilities, .
How does the company handle incidents involving personally identifiable information (PII) ?
Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by block port 4011 on firewalls, configure the irm_hostedserviceurl core setting with an empty value and restart the altiris inventory rule management service, , patch release for cve-2025-41244, previous patches for cve-2025-22224, cve-2025-22225, cve-2025-22226 (march 2024), nsx vulnerabilities patched (november 2024), , oracle security patches (cve-2025-61882, cve-2025-21884) and .
Ransomware Information
Was ransomware involved in any of the incidents ?
Incident : data breach BRO4981349111725
Ransomware Strain: El Dorado (linked to BlackLock)
Data Exfiltration: True
Incident : ransomware BRO0893008112125
Ransomware Strain: Cl0p
Data Encryption: ['likely (standard Cl0p tactic post-exfiltration)']
Data Exfiltration: ['claimed (pre-ransomware deployment)']
Incident : Ransomware BRO3105131112625
Ransom Demanded: True
Ransomware Strain: Cl0p (Clop)
Data Exfiltration: True
Lessons Learned and Recommendations
What lessons were learned from each incident ?
Incident : Privilege Escalation BRO4592445093025
Lessons Learned: 1. State-sponsored actors like UNC5174 are increasingly exploiting zero-day vulnerabilities in enterprise software (VMware, F5 BIG-IP, ConnectWise, SAP) for espionage and financial gain. 2. Privilege escalation vulnerabilities in widely used tools (e.g., VMware Aria Operations) can lead to full system compromise if left unpatched. 3. Collaboration with threat intelligence firms (NVISO, Mandiant, Microsoft) is critical for timely detection and mitigation. 4. Regular patching of high-severity vulnerabilities reported by entities like NSA and Microsoft Threat Intelligence is essential to prevent exploitation.
Incident : ransomware BRO0893008112125
Lessons Learned: Zero-day vulnerabilities in enterprise software (e.g., Oracle E-Business Suite) pose severe risks due to lack of patches at exploitation time., High-value targets (e.g., semiconductor manufacturers) are prioritized by ransomware groups like Cl0p for maximum impact., Proactive measures (e.g., network segmentation, EDR, threat intelligence monitoring) are critical for mitigating zero-day risks., Supply chain and ERP systems are attractive targets due to their central role in business operations.
Incident : Ransomware BRO3105131112625
Lessons Learned: Supplier vulnerabilities in enterprise software (e.g., Oracle EBS) can cascade into large-scale breaches across industries. Proactive patch management and supply chain risk monitoring (e.g., via SCRM platforms like Z2Data) are critical to mitigating third-party risks. Cl0p’s delayed data leak strategy highlights the importance of rapid incident response to prevent public exposure of sensitive data.
What recommendations were made to prevent future incidents ?
Incident : Vulnerability BRO809071525
Recommendations: Block port 4011 on firewalls, Configure the IRM_HostedServiceUrl core setting with an empty value and restart the Altiris Inventory Rule Management Service, Limit .NET Remoting access to localhost-only in upcoming releasesBlock port 4011 on firewalls, Configure the IRM_HostedServiceUrl core setting with an empty value and restart the Altiris Inventory Rule Management Service, Limit .NET Remoting access to localhost-only in upcoming releasesBlock port 4011 on firewalls, Configure the IRM_HostedServiceUrl core setting with an empty value and restart the Altiris Inventory Rule Management Service, Limit .NET Remoting access to localhost-only in upcoming releases
Incident : Privilege Escalation BRO4592445093025
Recommendations: Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors.Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors.Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors.Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors.Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors.Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors.Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors.
Incident : ransomware BRO0893008112125
Recommendations: Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Apply security patches for Oracle E-Business Suite as soon as they are released., Implement network segmentation to limit lateral movement in case of breach., Deploy endpoint detection and response (EDR) solutions for early threat detection., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Prepare incident response plans specifically for ransomware and zero-day scenarios.Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Apply security patches for Oracle E-Business Suite as soon as they are released., Implement network segmentation to limit lateral movement in case of breach., Deploy endpoint detection and response (EDR) solutions for early threat detection., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Prepare incident response plans specifically for ransomware and zero-day scenarios.Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Apply security patches for Oracle E-Business Suite as soon as they are released., Implement network segmentation to limit lateral movement in case of breach., Deploy endpoint detection and response (EDR) solutions for early threat detection., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Prepare incident response plans specifically for ransomware and zero-day scenarios.Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Apply security patches for Oracle E-Business Suite as soon as they are released., Implement network segmentation to limit lateral movement in case of breach., Deploy endpoint detection and response (EDR) solutions for early threat detection., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Prepare incident response plans specifically for ransomware and zero-day scenarios.Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Apply security patches for Oracle E-Business Suite as soon as they are released., Implement network segmentation to limit lateral movement in case of breach., Deploy endpoint detection and response (EDR) solutions for early threat detection., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Prepare incident response plans specifically for ransomware and zero-day scenarios.Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Apply security patches for Oracle E-Business Suite as soon as they are released., Implement network segmentation to limit lateral movement in case of breach., Deploy endpoint detection and response (EDR) solutions for early threat detection., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Prepare incident response plans specifically for ransomware and zero-day scenarios.Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Apply security patches for Oracle E-Business Suite as soon as they are released., Implement network segmentation to limit lateral movement in case of breach., Deploy endpoint detection and response (EDR) solutions for early threat detection., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Prepare incident response plans specifically for ransomware and zero-day scenarios.
Incident : Ransomware BRO3105131112625
Recommendations: Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately., Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data)., Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components., Conduct regular audits of enterprise software for zero-day vulnerabilities., Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios., Evaluate the need for network segmentation to limit lateral movement in case of breaches.Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately., Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data)., Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components., Conduct regular audits of enterprise software for zero-day vulnerabilities., Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios., Evaluate the need for network segmentation to limit lateral movement in case of breaches.Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately., Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data)., Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components., Conduct regular audits of enterprise software for zero-day vulnerabilities., Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios., Evaluate the need for network segmentation to limit lateral movement in case of breaches.Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately., Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data)., Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components., Conduct regular audits of enterprise software for zero-day vulnerabilities., Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios., Evaluate the need for network segmentation to limit lateral movement in case of breaches.Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately., Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data)., Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components., Conduct regular audits of enterprise software for zero-day vulnerabilities., Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios., Evaluate the need for network segmentation to limit lateral movement in case of breaches.Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately., Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data)., Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components., Conduct regular audits of enterprise software for zero-day vulnerabilities., Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios., Evaluate the need for network segmentation to limit lateral movement in case of breaches.
What are the key lessons learned from past incidents ?
Key Lessons Learned: The key lessons learned from past incidents are 1. State-sponsored actors like UNC5174 are increasingly exploiting zero-day vulnerabilities in enterprise software (VMware, F5 BIG-IP, ConnectWise, SAP) for espionage and financial gain. 2. Privilege escalation vulnerabilities in widely used tools (e.g., VMware Aria Operations) can lead to full system compromise if left unpatched. 3. Collaboration with threat intelligence firms (NVISO, Mandiant, Microsoft) is critical for timely detection and mitigation. 4. Regular patching of high-severity vulnerabilities reported by entities like NSA and Microsoft Threat Intelligence is essential to prevent exploitation.Zero-day vulnerabilities in enterprise software (e.g., Oracle E-Business Suite) pose severe risks due to lack of patches at exploitation time.,High-value targets (e.g., semiconductor manufacturers) are prioritized by ransomware groups like Cl0p for maximum impact.,Proactive measures (e.g., network segmentation, EDR, threat intelligence monitoring) are critical for mitigating zero-day risks.,Supply chain and ERP systems are attractive targets due to their central role in business operations.Supplier vulnerabilities in enterprise software (e.g., Oracle EBS) can cascade into large-scale breaches across industries. Proactive patch management and supply chain risk monitoring (e.g., via SCRM platforms like Z2Data) are critical to mitigating third-party risks. Cl0p’s delayed data leak strategy highlights the importance of rapid incident response to prevent public exposure of sensitive data.
References
Where can I find more information about each incident ?
Incident : Vulnerability BRO809071525
Source: Broadcom PSIRT
Incident : Vulnerability BRO809071525
Source: LRQA security researchers
Incident : Privilege Escalation BRO4592445093025
Source: NVISO Research (Maxime Thiebaut)
Date Accessed: 2024-11-04
Incident : Privilege Escalation BRO4592445093025
Source: Google Mandiant (UNC5174 Analysis)
Incident : Privilege Escalation BRO4592445093025
Source: Broadcom Security Advisory for CVE-2025-41244
Date Accessed: 2024-11-05
Incident : Privilege Escalation BRO4592445093025
Source: Microsoft Threat Intelligence (VMware Zero-Days, March 2024)
Incident : ransomware BRO3362533111725
Source: The Register
Incident : data breach BRO4981349111725
Source: The Register
Incident : ransomware BRO0893008112125
Source: GBHackers (GBH)
Incident : Ransomware BRO3105131112625
Source: U.S. Cybersecurity and Infrastructure Security Agency (CISA)
Incident : Ransomware BRO3105131112625
Source: UK National Cyber Security Centre (NCSC)
Incident : Ransomware BRO3105131112625
Source: Mandiant (Google-owned cybersecurity firm)
Incident : Ransomware BRO3105131112625
Source: Oracle Security Alerts (CVE-2025-61882, CVE-2025-21884)
Incident : Ransomware BRO3105131112625
Source: Z2Data Supplier Risk Analysis
Where can stakeholders find additional resources on cybersecurity best practices ?
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Broadcom PSIRT, and Source: LRQA security researchers, and Source: BleepingComputerDate Accessed: 2024-11-05, and Source: NVISO Research (Maxime Thiebaut)Date Accessed: 2024-11-04, and Source: Google Mandiant (UNC5174 Analysis), and Source: Broadcom Security Advisory for CVE-2025-41244Date Accessed: 2024-11-05, and Source: Microsoft Threat Intelligence (VMware Zero-Days, March 2024), and Source: The Register, and Source: The Register, and Source: GBHackers (GBH), and Source: U.S. Cybersecurity and Infrastructure Security Agency (CISA), and Source: UK National Cyber Security Centre (NCSC), and Source: Mandiant (Google-owned cybersecurity firm), and Source: Oracle Security Alerts (CVE-2025-61882, CVE-2025-21884), and Source: Z2Data Supplier Risk AnalysisUrl: https://www.z2data.com.
Investigation Status
What is the current status of the investigation for each incident ?
Incident : Privilege Escalation BRO4592445093025
Investigation Status: Ongoing (patch released; threat actor activity under monitoring)
Incident : ransomware BRO3362533111725
Investigation Status: disclosed (May 2025)
Incident : data breach BRO4981349111725
Investigation Status: ongoing (limited details disclosed)
Incident : ransomware BRO0893008112125
Investigation Status: unverified (claimed by Cl0p, no official statement from Broadcom; independent verification pending)
Incident : Ransomware BRO3105131112625
Investigation Status: Ongoing (Cl0p’s data leak timeline suggests delayed public exposure)
How does the company communicate the status of incident investigations to stakeholders ?
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through public disclosure via The Register; ADP issued a statement clarifying limited impact and no ransom payment, Oracle Security Alerts To Customers and Public Disclosure Via Media.
Stakeholder and Customer Advisories
Were there any advisories issued to stakeholders or customers for each incident ?
Incident : Privilege Escalation BRO4592445093025
Customer Advisories: Broadcom urged customers to apply patches immediately; no detailed advisory provided in the article.
Incident : Ransomware BRO3105131112625
Stakeholder Advisories: Oracle Security Alerts Urging Immediate Patching, Mandiant’S Analysis Of Cl0P’S Modus Operandi.
Customer Advisories: Companies advised to monitor for data leaks on Cl0p’s blog or dark web marketplaces
What advisories does the company provide to stakeholders and customers following an incident ?
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Broadcom urged customers to apply patches immediately; no detailed advisory provided in the article., Oracle Security Alerts Urging Immediate Patching, Mandiant’S Analysis Of Cl0P’S Modus Operandi, Companies Advised To Monitor For Data Leaks On Cl0P’S Blog Or Dark Web Marketplaces and .
Initial Access Broker
How did the initial access broker gain entry for each incident ?
Incident : Vulnerability Exploit SYM44121823
Entry Point: Executable File
Incident : Vulnerability BRO809071525
Entry Point: Port 4011
Incident : Privilege Escalation BRO4592445093025
Entry Point: Exploitation Of Cve-2025-41244 (Privilege Escalation Via /Tmp/Httpd), Previous Exploits: Cve-2023-46747 (F5 Big-Ip), Cve-2024-1709 (Connectwise Screenconnect), Cve-2025-31324 (Netweaver Visual Composer),
Backdoors Established: Likely (based on UNC5174's history of selling network access)
High Value Targets: U.S. Defense Contractors, Uk Government Entities, Asian Institutions, Critical Infrastructure (Uk/Us Via Sap Netweaver Attacks),
Data Sold on Dark Web: U.S. Defense Contractors, Uk Government Entities, Asian Institutions, Critical Infrastructure (Uk/Us Via Sap Netweaver Attacks),
Incident : ransomware BRO3362533111725
High Value Targets: Broadcom Employee Data,
Data Sold on Dark Web: Broadcom Employee Data,
Incident : data breach BRO4981349111725
High Value Targets: employee PII and financial data
Data Sold on Dark Web: employee PII and financial data
Incident : ransomware BRO0893008112125
Entry Point: unpatched zero-day vulnerability in Oracle E-Business Suite
Backdoors Established: ['likely (Cl0p tactic for persistence)']
High Value Targets: Broadcom'S Manufacturing Operations, Research Data, Customer Information, Supply Chain Systems,
Data Sold on Dark Web: Broadcom'S Manufacturing Operations, Research Data, Customer Information, Supply Chain Systems,
Incident : Ransomware BRO3105131112625
Entry Point: Zero-Day Vulnerabilities In Oracle Ebs (Cve-2025-61882, Cve-2025-21884),
Reconnaissance Period: Since late September 2023 (pre-exploitation activity)
High Value Targets: Fortune 500 Companies (E.G., Broadcom, Estée Lauder), Multinational Corporations With Oracle Ebs Dependencies,
Data Sold on Dark Web: Fortune 500 Companies (E.G., Broadcom, Estée Lauder), Multinational Corporations With Oracle Ebs Dependencies,
Post-Incident Analysis
What were the root causes and corrective actions taken for each incident ?
Incident : Vulnerability BRO809071525
Root Causes: Insecure deserialization of .NET objects through the BinaryServerFormatterSinkProvider with TypeFilterLevel set to Full
Corrective Actions: Block Port 4011 On Firewalls, Configure The Irm Hostedserviceurl Core Setting With An Empty Value And Restart The Altiris Inventory Rule Management Service, Limit .Net Remoting Access To Localhost-Only In Upcoming Releases,
Incident : Privilege Escalation BRO4592445093025
Root Causes: Privilege Escalation Vulnerability In Vmware Service Discovery Mechanism (Broad Regex Path Matching)., Insufficient Validation Of Unprivileged User Processes Opening Listening Sockets., Delayed Public Disclosure Of In-The-Wild Exploitation (Attacks Began In October 2024; Patch/Report In November 2024)., Reuse Of Exploit Techniques Across Multiple Vulnerabilities (E.G., Cve-2023-46747, Cve-2024-1709) By Unc5174.,
Corrective Actions: Broadcom Released Patches For Cve-2025-41244 And Related Vmware Nsx Vulnerabilities., Nviso Published Poc To Aid Detection And Mitigation., Organizations Advised To Audit Vmware Environments For Signs Of Exploitation (E.G., Suspicious /Tmp/Httpd Binaries)., Enhanced Monitoring For Unc5174 Ttps (Tactics, Techniques, Procedures) Across Enterprise Software.,
Incident : ransomware BRO3362533111725
Root Causes: Third-Party Vendor Vulnerability (Bsh), Supply Chain Risk During Transition Period,
Incident : data breach BRO4981349111725
Root Causes: Third-Party Vulnerability (Bsh Compromise), Supply Chain Risk During Payroll Provider Transition,
Incident : ransomware BRO0893008112125
Root Causes: Use Of Unpatched Enterprise Software (Oracle E-Business Suite) With Zero-Day Vulnerability., Potential Lack Of Network Segmentation Allowing Lateral Movement., Targeting By A Sophisticated Threat Actor (Cl0P) With A History Of Exploiting Zero-Days.,
Incident : Ransomware BRO3105131112625
Root Causes: Unpatched Zero-Day Vulnerabilities In Oracle Ebs (Cve-2025-61882, Cve-2025-21884)., Lack Of Real-Time Monitoring For Unauthenticated Http Requests Targeting Critical Components (Bi Publisher, Configurator Ui)., Supplier Risk Blind Spots In Enterprise Software Supply Chains.,
Corrective Actions: Immediate Application Of Oracle-Provided Security Patches., Enhanced Supplier Risk Assessments Using Scrm Platforms (E.G., Z2Data)., Implementation Of Behavioral Wafs Or Anomaly Detection For Oracle Ebs Environments., Review Of Third-Party Software Dependencies For Similar Vulnerabilities.,
What is the company's process for conducting post-incident analysis ?
Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Nviso (Vulnerability Reporting And Poc), Google Mandiant (Threat Actor Analysis), , Recommended: Review Security Logs For Unauthorized Access, Deploy Edr Solutions, , Mandiant (Google-Owned Cybersecurity Firm), .
What corrective actions has the company taken based on post-incident analysis ?
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Block Port 4011 On Firewalls, Configure The Irm Hostedserviceurl Core Setting With An Empty Value And Restart The Altiris Inventory Rule Management Service, Limit .Net Remoting Access To Localhost-Only In Upcoming Releases, , Broadcom Released Patches For Cve-2025-41244 And Related Vmware Nsx Vulnerabilities., Nviso Published Poc To Aid Detection And Mitigation., Organizations Advised To Audit Vmware Environments For Signs Of Exploitation (E.G., Suspicious /Tmp/Httpd Binaries)., Enhanced Monitoring For Unc5174 Ttps (Tactics, Techniques, Procedures) Across Enterprise Software., , Immediate Application Of Oracle-Provided Security Patches., Enhanced Supplier Risk Assessments Using Scrm Platforms (E.G., Z2Data)., Implementation Of Behavioral Wafs Or Anomaly Detection For Oracle Ebs Environments., Review Of Third-Party Software Dependencies For Similar Vulnerabilities., .
Additional Questions
General Information
What was the amount of the last ransom demanded ?
Last Ransom Demanded: The amount of the last ransom demanded was True.
Who was the attacking group in the last incident ?
Last Attacking Group: The attacking group in the last incident were an UNC5174 (Chinese state-sponsored, linked to Ministry of State Security - MSS), El Dorado ransomware group, El Dorado ransomware gangBlackLock operation, Cl0p ransomware gang and Cl0p (Clop).
Incident Details
What was the most recent incident detected ?
Most Recent Incident Detected: The most recent incident detected was on 2021-02-01.
What was the most recent incident publicly disclosed ?
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2023-11-20.
Impact of the Incidents
What was the most significant data compromised in an incident ?
Most Significant Data Compromised: The most significant data compromised in an incident were passwords, list of Symantec clients, government agencies, list of clients using Symantec's CloudSOC services, account managers, account numbers, , Broadcom employee data, , birthdates, email addresses, phone numbers, home addresses, national ID numbers, national health insurance ID numbers, health insurance policy numbers, financial account numbers, salary details, employment termination dates, and .
What was the most significant system affected in an incident ?
Most Significant System Affected: The most significant system affected in an incident was Symantec Enterprise Products and Symantec Endpoint Management Suite 8.6.x-8.8 and VMware Aria Operations (credential-based mode)VMware Tools (credential-less mode) and Oracle E-Business Suitesupply chain operationsfinancial systemscustomer datamanufacturing operationsresearch data and Oracle E-Business Suite (EBS) versions 12.2.3–12.2.14.
Response to the Incidents
What third-party assistance was involved in the most recent incident ?
Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was nviso (vulnerability reporting and poc), google mandiant (threat actor analysis), , mandiant (google-owned cybersecurity firm), .
What containment measures were taken in the most recent incident ?
Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Block port 4011 on firewallsConfigure the IRM_HostedServiceUrl core setting with an empty value and restart the Altiris Inventory Rule Management Service, Patch release for CVE-2025-41244Previous patches for CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 (March 2024)NSX vulnerabilities patched (November 2024), Oracle security patches (CVE-2025-61882 and CVE-2025-21884).
Data Breach Information
What was the most sensitive data compromised in a breach ?
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were salary details, account numbers, Broadcom employee data, account managers, email addresses, financial account numbers, employment termination dates, government agencies, list of Symantec clients, national health insurance ID numbers, national ID numbers, health insurance policy numbers, home addresses, phone numbers, list of clients using Symantec's CloudSOC services, birthdates and passwords.
Ransomware Information
What was the highest ransom demanded in a ransomware incident ?
Highest Ransom Demanded: The highest ransom demanded in a ransomware incident was True.
Lessons Learned and Recommendations
What was the most significant lesson learned from past incidents ?
Most Significant Lesson Learned: The most significant lesson learned from past incidents was Supply chain and ERP systems are attractive targets due to their central role in business operations., Supplier vulnerabilities in enterprise software (e.g., Oracle EBS) can cascade into large-scale breaches across industries. Proactive patch management and supply chain risk monitoring (e.g., via SCRM platforms like Z2Data) are critical to mitigating third-party risks. Cl0p’s delayed data leak strategy highlights the importance of rapid incident response to prevent public exposure of sensitive data.
What was the most significant recommendation implemented to improve cybersecurity ?
Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Block port 4011 on firewalls, Implement network segmentation to limit lateral movement in case of breach., Prepare incident response plans specifically for ransomware and zero-day scenarios., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors., Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Apply security patches for Oracle E-Business Suite as soon as they are released., Limit .NET Remoting access to localhost-only in upcoming releases, Configure the IRM_HostedServiceUrl core setting with an empty value and restart the Altiris Inventory Rule Management Service, Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios., Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data)., Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components., Deploy endpoint detection and response (EDR) solutions for early threat detection., Conduct regular audits of enterprise software for zero-day vulnerabilities. and Evaluate the need for network segmentation to limit lateral movement in case of breaches..
References
What is the most recent source of information about an incident ?
Most Recent Source: The most recent source of information about an incident are Mandiant (Google-owned cybersecurity firm), LRQA security researchers, UK National Cyber Security Centre (NCSC), Z2Data Supplier Risk Analysis, NVISO Research (Maxime Thiebaut), Microsoft Threat Intelligence (VMware Zero-Days, March 2024), The Register, GBHackers (GBH), Broadcom Security Advisory for CVE-2025-41244, Broadcom PSIRT, U.S. Cybersecurity and Infrastructure Security Agency (CISA), Oracle Security Alerts (CVE-2025-61882, CVE-2025-21884), BleepingComputer and Google Mandiant (UNC5174 Analysis).
What is the most recent URL for additional resources on cybersecurity best practices ?
Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.z2data.com .
Investigation Status
What is the current status of the most recent investigation ?
Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (patch released; threat actor activity under monitoring).
Stakeholder and Customer Advisories
What was the most recent stakeholder advisory issued ?
Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Oracle security alerts urging immediate patching, Mandiant’s analysis of Cl0p’s modus operandi, .
What was the most recent customer advisory issued ?
Most Recent Customer Advisory: The most recent customer advisory issued were an Broadcom urged customers to apply patches immediately; no detailed advisory provided in the article. and Companies advised to monitor for data leaks on Cl0p’s blog or dark web marketplaces.
Initial Access Broker
What was the most recent entry point used by an initial access broker ?
Most Recent Entry Point: The most recent entry point used by an initial access broker were an Port 4011, Executable File and unpatched zero-day vulnerability in Oracle E-Business Suite.
What was the most recent reconnaissance period for an incident ?
Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Since late September 2023 (pre-exploitation activity).
Post-Incident Analysis
What was the most significant root cause identified in post-incident analysis ?
Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Insecure deserialization of .NET objects through the BinaryServerFormatterSinkProvider with TypeFilterLevel set to Full, Privilege escalation vulnerability in VMware service discovery mechanism (broad regex path matching).Insufficient validation of unprivileged user processes opening listening sockets.Delayed public disclosure of in-the-wild exploitation (attacks began in October 2024; patch/report in November 2024).Reuse of exploit techniques across multiple vulnerabilities (e.g., CVE-2023-46747, CVE-2024-1709) by UNC5174., third-party vendor vulnerability (BSH)supply chain risk during transition period, third-party vulnerability (BSH compromise)supply chain risk during payroll provider transition, Use of unpatched enterprise software (Oracle E-Business Suite) with zero-day vulnerability.Potential lack of network segmentation allowing lateral movement.Targeting by a sophisticated threat actor (Cl0p) with a history of exploiting zero-days., Unpatched zero-day vulnerabilities in Oracle EBS (CVE-2025-61882, CVE-2025-21884).Lack of real-time monitoring for unauthenticated HTTP requests targeting critical components (BI Publisher, Configurator UI).Supplier risk blind spots in enterprise software supply chains..
What was the most significant corrective action taken based on post-incident analysis ?
Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Block port 4011 on firewallsConfigure the IRM_HostedServiceUrl core setting with an empty value and restart the Altiris Inventory Rule Management ServiceLimit .NET Remoting access to localhost-only in upcoming releases, Broadcom released patches for CVE-2025-41244 and related VMware NSX vulnerabilities.NVISO published PoC to aid detection and mitigation.Organizations advised to audit VMware environments for signs of exploitation (e.g., suspicious /tmp/httpd binaries).Enhanced monitoring for UNC5174 TTPs (tactics, techniques, procedures) across enterprise software., Immediate application of Oracle-provided security patches.Enhanced supplier risk assessments using SCRM platforms (e.g., Z2Data).Implementation of behavioral WAFs or anomaly detection for Oracle EBS environments.Review of third-party software dependencies for similar vulnerabilities..
.png)
Latest Global CVEs (Not Company-Specific)
Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.
Risk Information
cvss4
Base: 7.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
- https://github.com/angular/angular/commit/0276479e7d0e280e0f8d26fa567d3b7aa97a516f
- https://github.com/angular/angular/commit/05fe6686a97fa0bcd3cf157805b3612033f975bc
- https://github.com/angular/angular/commit/3240d856d942727372a705252f7c8c115394a41e
- https://github.com/angular/angular/releases/tag/19.2.16
- https://github.com/angular/angular/releases/tag/20.3.14
- https://github.com/angular/angular/releases/tag/21.0.1
- https://github.com/angular/angular/security/advisories/GHSA-58c5-g7wp-6w37
Description
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.
Risk Information
cvss4
Base: 8.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2.
Risk Information
cvss4
Base: 6.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.
Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules that use entropy in conjunction with base64_data.
Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Access Data Using Our API
Get company history
curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=symantec' -H 'apikey: YOUR_API_KEY_HERE'
RapidWhat Do We Measure ?
Incident
Finding
Grade
Digital Assets
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Network Security
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
SBOM (Software Bill of Materials)
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
CMDB (Configuration Management Database)
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Threat Intelligence
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.
