The Cl0p ransomware group claimed responsibility for breaching Broadcom, a major semiconductor firm, by exploiting a zero-day flaw in Oracle E-Business Suite.
This incident is part of Cl0p's broader campaign against enterprise systems, which has been running since August 2025. Broadcom confirmed that it was targeted but stated that it patched the vulnerability following a forensic review.
Security analysts noted the attack around November 20, 2025, with Cl0p listing Broadcom on its data leak site.
Hackmanac issued an early alert based on clear and dark web sources, flagging cybercrime risks to the manufacturing sector.
The breach has not yet been independently verified; Broadcom is handling remediation internally.
Cl0p actors used CVE-2025-61882, a critical unauthenticated remote code execution vulnerability in Oracle E-Business Suite’s Concurrent Processing component.
Attackers sent POST requests to /OA_HTML/SyncServlet, then leveraged XDO Template Manager to inject malicious templates into the EBS database.
A final Template Preview request rendered the malicious template, executing the payload and giving the attackers full control of the EBS host.
Exploitation began weeks before Oracle's October 2025 patches, while the flaw was still a zero-day, allowing attackers to exfiltrate data from supply-chain and financial systems.
Cl0p paired the exploit with tooling such as GOLDVEIN.JAVA, an in-memory Java loader, for persistence and lateral movement.
Organizations began receiving extortion emails from compromised third-party accounts on September 29, 2025.
Broadcom uses Oracle EBS for internal financial operations, making it a prime target in Cl0p's campaign, which has hit more than 29 firms.
The group, linked to FIN11, favors double extortion via data theft before encryption. Immediate actions include patching, monitoring SyncServlet traffic, and segmenting EBS environments.
Experts urge EBS users to scan logs for suspicious template creation and deploy endpoint detection.
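The attack chain above (a POST to /OA_HTML/SyncServlet followed by XDO Template Manager and Template Preview requests) and the advice to monitor SyncServlet traffic and look for suspicious template activity can be turned into a simple log check. The following script is an added example, not code from the article, from Oracle, or from any incident-response team: it parses web-server access logs in Combined Log Format, groups requests by client IP, and flags a POST to SyncServlet that is followed within a time window by template-manager or template-preview requests from the same source. The log lines are constructed for illustration, and the `TEMPLATE_MARKERS` substrings are an assumption, since the exact XDO URLs differ between EBS releases and should be tuned to your own deployment.

```python
"""Flag the SyncServlet -> XDO template request chain in EBS front-end access logs.

Added example; the sample log lines below are constructed, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Path named in the reported attack chain.
SYNC_PATH = "/OA_HTML/SyncServlet"
# Assumption: XDO Template Manager / Template Preview URLs vary by EBS release,
# so match loosely on path substrings and tune these for your environment.
TEMPLATE_MARKERS = ("xdo", "template")
WINDOW = timedelta(minutes=30)

# Constructed sample log: one attacker-like chain, one benign login, one lone SyncServlet POST.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Nov/2025:10:14:02 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "python-requests/2.32"
203.0.113.7 - - [20/Nov/2025:10:14:09 +0000] "POST /OA_HTML/xdo-template-manager HTTP/1.1" 200 811 "-" "python-requests/2.32"
203.0.113.7 - - [20/Nov/2025:10:14:15 +0000] "GET /OA_HTML/TemplatePreview?id=12 HTTP/1.1" 200 64 "-" "python-requests/2.32"
198.51.100.5 - - [20/Nov/2025:10:15:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Nov/2025:11:02:30 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_template_request(path):
    """True if the request path looks like XDO template-manager or preview activity."""
    p = path.lower()
    return any(marker in p for marker in TEMPLATE_MARKERS)


def find_chains(lines, window=WINDOW):
    """Return one finding per POST to SyncServlet.

    Severity is "high" when the same client issues template-related requests
    within `window` afterwards (the full reported chain), otherwise "medium"
    (SyncServlet POSTs alone still deserve review per the guidance above).
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            if r["method"] != "POST" or r["path"].split("?", 1)[0] != SYNC_PATH:
                continue
            followups = [
                x["path"] for x in recs[i + 1:]
                if x["ts"] - r["ts"] <= window and is_template_request(x["path"])
            ]
            findings.append({
                "ip": ip,
                "sync_at": r["ts"],
                "followups": followups,
                "severity": "high" if followups else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in find_chains(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']}] {f['ip']} POST SyncServlet at {f['sync_at']:%Y-%m-%d %H:%M:%S}"
              + (f" -> {', '.join(f['followups'])}" if f["followups"] else ""))
```

Run it against your own Oracle HTTP Server or load-balancer access logs by replacing `SAMPLE_LOG` with the file contents; a "high" hit is the full reported sequence from one client, while a "medium" hit is a bare SyncServlet POST worth correlating with XDO template creation records in the EBS database.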
This attack highlights the risks posed by unpatched ERP systems across the manufacturing industry. Oracle’s alerts confirm remote exploitability without user interaction.