Cl0p Ransomware Strikes Broadcom: Zero-Day in Oracle E-Business Suite Exposes Semiconductor Crown Jewel

By Ashish S

Between November 19 and November 21, Cl0p added more than twenty major organizations to its dark-web leak site in a coordinated wave that exploited a zero-day vulnerability in Oracle E-Business Suite, tracked as CVE-2025-61882. The flaw, a remote code execution bug in the iProcurement and iSupplier Portal modules, requires no authentication when certain legacy web services are exposed to the internet, a configuration researchers say still persists in thousands of large enterprises worldwide.

A Perfect Storm: Legacy ERP Meets Modern Extortion

Broadcom, formed through a string of multi-billion-dollar acquisitions including VMware, Symantec, CA Technologies, and Avago, relies on a complex, decades-old Oracle E-Business Suite deployment for portions of its global procurement, supplier management, and financial reporting. Despite the company’s cutting-edge position in chip design and cloud infrastructure, these back-office systems had apparently not been fully retired or placed behind zero-trust boundaries.

Cl0p’s announcement yesterday included detailed screenshots of Broadcom’s internal file shares, VMware source-code repositories, Symantec endpoint protection engineering documents, customer master-licensing agreements for Fortune 100 clients, next-generation 3nm and 2nm foundry blueprints, and internal projections for the highly anticipated “Broadcom Trident 6” and “Tomahawk 6” switch silicon families.

Independent researchers who analyzed the posted samples confirmed their authenticity through cryptographic hashes matching known Broadcom build artifacts and digital signatures embedded in VMware and Symantec binaries.

Scale and Speed Unprecedented

The speed of the campaign has stunned the cybersecurity community. In under 72 hours, Cl0p published evidence of compromise against:

  • Broadcom Inc. (United States)
  • Emerson Electric Co. (United States)
  • LG Energy Solution (South Korea / global facilities)
  • Tulane University (United States)
  • Hydroscand Group (Sweden)
  • Multiple regional electric utilities and industrial manufacturers

All victims appear to have been compromised through the same Oracle E-Business Suite zero-day, suggesting the actors either discovered the flaw independently or acquired it on an exclusive basis before weaponizing it at scale.

Why Broadcom Matters More Than the Others

While every victim in this campaign is significant, a successful breach at Broadcom carries strategic weight far beyond typical ransomware targets:

  • Critical Infrastructure Dependency: Broadcom silicon powers the majority of global telecommunications switching, hyperscale data center networking, and storage controllers.
  • Defense and Intelligence Exposure: Multiple Broadcom ASICs are embedded in classified U.S. and allied military systems.
  • Apple Supply Chain: Broadcom remains one of Apple’s largest suppliers for RF components and Wi-Fi/Bluetooth SoCs.
  • VMware Dominance: Any compromise of VMware hypervisor source code could enable persistent virtualization-level threats for years.

A single exposed private key, backdoor, or design flaw introduced through this incident could give nation-state actors or competitors a decade-long advantage.

Technical Breakdown of CVE-2025-61882

The vulnerability resides in the iProcurement and iSupplier Portal modules when the “External Web Services” feature is enabled, a configuration common in 12.1.x and 12.2.x deployments that have not yet received the forthcoming emergency patch. Successful exploitation lets an unauthenticated attacker upload and execute an arbitrary JSP webshell on the EBS web tier; in environments with overly permissive trust between the DMZ and internal networks, that foothold leads to full domain compromise.
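The detection angle that follows from the description above is that a dropped JSP webshell has to be requested by name, and that name will not appear in any inventory of the JSPs the EBS web tier legitimately serves. The following is an added example, not code from the article or from Oracle: it parses web-tier access logs in common Apache format, treats every `.jsp` under the standard Oracle EBS `/OA_HTML/` path that is absent from a baseline inventory as suspect, and raises the confidence when the same client sent a successful POST shortly beforehand. The log lines, the baseline set and the upload path `/OA_HTML/vendor-portal/upload` are constructed for illustration; in a real deployment the baseline would be generated from a listing of `$OA_HTML` taken before the window of interest.

```python
"""Flag possible JSP webshell activity in Oracle E-Business Suite web-tier access logs.

Added example, not from the article or from Oracle. Oracle EBS serves its JSP
pages from /OA_HTML/, so a request for a .jsp name that is missing from the
known inventory is a strong signal, and a successful POST from the same
client a few minutes earlier is the upload that would have put it there.
Log lines are assumed to be in chronological order.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format / combined format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one ordinary login, one hypothetical upload followed by a
# webshell hit from the same external client, and one unknown JSP with no
# preceding POST (lower confidence, still worth a look).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Nov/2025:09:12:01 +0000] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 5123
203.0.113.7 - - [20/Nov/2025:09:14:22 +0000] "POST /OA_HTML/vendor-portal/upload HTTP/1.1" 200 311
203.0.113.7 - - [20/Nov/2025:09:14:40 +0000] "GET /OA_HTML/help/cmd.jsp?c=whoami HTTP/1.1" 200 87
10.0.0.9 - - [20/Nov/2025:09:20:05 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/navigate/webui/NewHomePG HTTP/1.1" 200 9001
10.0.0.9 - - [20/Nov/2025:09:21:17 +0000] "GET /OA_HTML/custom/report.jsp HTTP/1.1" 200 2048
"""

# Constructed baseline: the JSP names the web tier is known to serve.
BASELINE_JSPS = {"/OA_HTML/AppsLocalLogin.jsp", "/OA_HTML/OA.jsp", "/OA_HTML/RF.jsp"}


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["status"] = int(d["status"])
    d["path"] = d["path"].split("?", 1)[0]  # drop the query string
    return d


def find_suspicious(lines, baseline_jsps, window=timedelta(minutes=10)):
    """Return alerts as (client_ip, unknown_jsp_path, preceding_post_path_or_None).

    An alert is raised for every request to a .jsp under /OA_HTML/ that is not
    in the baseline. The third element is the most recent successful POST from
    the same client inside `window`, or None if there was no such upload.
    """
    posts = defaultdict(list)  # client ip -> [(ts, path)] of successful POSTs
    alerts = []
    for e in filter(None, map(parse, lines)):
        path = e["path"]
        is_jsp = path.lower().startswith("/oa_html/") and path.lower().endswith(".jsp")
        if is_jsp and path not in baseline_jsps:
            recent = [p for t, p in posts[e["ip"]] if e["ts"] - window <= t <= e["ts"]]
            alerts.append((e["ip"], path, recent[-1] if recent else None))
        # Record the POST after the check so a POST to the shell itself is
        # not counted as its own upload.
        if e["method"] == "POST" and 200 <= e["status"] < 400:
            posts[e["ip"]].append((e["ts"], path))
    return alerts


if __name__ == "__main__":
    for ip, shell, upload in find_suspicious(SAMPLE_LOG.splitlines(), BASELINE_JSPS):
        confidence = "HIGH" if upload else "MEDIUM"
        print(f"[{confidence}] {ip} requested unknown JSP {shell}; prior POST: {upload}")
```

Run against the constructed sample, the script reports one HIGH alert (the external client that uploaded and then hit `cmd.jsp`) and one MEDIUM alert (`report.jsp`, unknown to the baseline but with no upload in the window). A baseline built from the file system rather than from historical logs is the important design choice: an inventory derived from past requests would quietly bless any webshell that was already being used before the logs were collected.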

Oracle has acknowledged the flaw and is preparing an out-of-band Critical Patch Update expected within 48 hours, but many organizations, including those running heavily customized instances, will need weeks of regression testing before they can deploy it. In the interim, the exposure condition is the obvious lever: organizations that cannot patch quickly can remove internet access to the affected web services and tighten the DMZ-to-internal trust that turns a webshell on the web tier into a domain compromise.

Market Reaction and Broader Implications

Broadcom shares opened down 6.2% in pre-market trading on November 21, wiping out roughly $38 billion in market capitalization within hours of Cl0p’s announcement. Analysts cited not only potential ransom and remediation costs but also the risk of customer churn in VMware and Symantec enterprise contracts if source code is publicly leaked.

The incident has reignited calls for mandatory cybersecurity standards in the semiconductor supply chain and accelerated discussions around U.S. and EU legislation requiring faster phase-out of end-of-support enterprise software in critical sectors.

What Happens Next

Cl0p has given Broadcom until November 28 to initiate negotiations, after which the group has threatened staged releases beginning with VMware source code and customer licensing data. Law enforcement agencies in the United States and Europe are reportedly coordinating with Oracle and affected organizations to disrupt the ongoing campaign.

For now, the cybersecurity world is watching one of its most valuable companies navigate an extortion crisis that began with a single unpatched legacy application, proving once again that in 2025, even the most advanced technology giants remain only as strong as their oldest, most overlooked systems.

Ashish S
Ashish is a Cybersecurity Student with over 2 years of experience in Cybersecurity Research, Bug Bounty hunting and programming.