
The Cl0p ransomware group has claimed responsibility for infiltrating Broadcom’s internal systems as part of an ongoing exploitation campaign targeting Oracle E-Business Suite vulnerabilities.
The hack uses a critical zero-day vulnerability (CVE-2025-61882) rated 9.8 on the CVSS scale, allowing attackers to execute arbitrary code without authentication.
Broadcom, a major semiconductor and infrastructure software provider, becomes the latest high-profile victim in a massive extortion campaign that began in late September 2025.
Zero-Day Flaw Enables Unauthorized Access
The threat actors claim to have accessed internal enterprise resource planning (ERP) archives, design documentation, and sensitive semiconductor records.
Given Broadcom’s influence across telecommunications, data centers, and AI accelerator manufacturing, the potential exposure of internal documentation raises concerns for supply chain integrity and partner ecosystems.
Security researchers from Google Threat Intelligence Group and Mandiant traced the underlying breach activity back to July 10, 2025, with confirmed exploitation beginning August 9, 2025, weeks before Oracle released patches.
The Cl0p group gathered information and moved through victim networks before starting a coordinated email blackmail campaign in September, hitting executives at many companies at the same time.

The attack exploited Oracle E-Business Suite’s Business Intelligence Publisher integration within the Concurrent Processing component, granting attackers complete system control.
Cl0p supplemented the zero-day with additional previously patched vulnerabilities to maximize its foothold across enterprise networks.
The broader campaign has reportedly compromised at least 29 organizations, according to recent postings on the Cl0p data-leak site.
The attackers used hacked third-party email accounts purchased from infostealer markets to bypass spam filters and make their extortion emails appear more believable.
Oracle released emergency patches in October 2024, though organizations running older E-Business Suite versions remain vulnerable if patches haven’t been applied.
Security experts recommend immediate patching and enhanced monitoring for suspicious POST requests to the /OA_HTML/SyncServlet endpoints, which are high-fidelity compromise indicators.
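A minimal sketch of the monitoring step recommended above, added here as an illustration and not taken from Oracle, Google or Mandiant guidance: it scans web access logs for POST requests to /OA_HTML/SyncServlet and groups them by source address. The Apache-style combined log format, the function names and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint named in the article, lowercased for case-insensitive comparison.
INDICATOR_PATH = "/oa_html/syncservlet"

# Assumed log layout: Apache-style "combined" access log.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize_path(target):
    """Strip query/path parameters, percent-decode once, collapse slashes."""
    path = target.split("?", 1)[0].split(";", 1)[0]
    path = re.sub(r"/{2,}", "/", unquote(path))
    return path.lower().rstrip("/")

def find_hits(lines):
    """Return {source: [(timestamp, status, raw_target), ...]} for POSTs to the endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line, or not a POST
        if normalize_path(m["target"]) == INDICATOR_PATH:
            hits[m["src"]].append((m["ts"], int(m["status"]), m["target"]))
    return dict(hits)

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
198.51.100.23 - - [01/Jan/2025:03:14:07 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "-"
192.0.2.10 - - [01/Jan/2025:03:14:09 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 4096 "-" "-"
198.51.100.23 - - [01/Jan/2025:03:14:11 +0000] "POST /OA_HTML/%53yncServlet?x=1 HTTP/1.1" 200 128 "-" "-"
203.0.113.7 - - [01/Jan/2025:03:15:00 +0000] "GET /OA_HTML/SyncServlet HTTP/1.1" 404 0 "-" "-"
192.0.2.10 - - [01/Jan/2025:03:15:30 +0000] "POST /OA_HTML/OA.jsp HTTP/1.1" 200 900 "-" "-"
203.0.113.50 - - [01/Jan/2025:03:16:02 +0000] "POST //oa_html//SyncServlet/ HTTP/1.1" 302 0 "-" "-"
"""

if __name__ == "__main__":
    for src, events in find_hits(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {len(events)} POST(s) to SyncServlet")
        for ts, status, target in events:
            print(f"  {ts} status={status} target={target}")
```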
