Broadcom Hit in Oracle EBS Zero-Day Exploit

A major exploitation campaign targeting Oracle’s E-Business Suite has pulled Broadcom into the spotlight, after threat groups leveraged a critical zero-day vulnerability to gain access to enterprise financial environments. While Broadcom maintains that its core operations remain unaffected, new intelligence from multiple research teams suggests the campaign was broader, longer, and more coordinated than initially understood.

A Critical Oracle Zero-Day at the Center of the Intrusion

The breach stems from CVE-2025-61882, a high-severity vulnerability (CVSS 9.8) in Oracle’s E-Business Suite, specifically within the Business Intelligence Publisher integration used for financial processing. The flaw allowed attackers to execute code without authentication, giving them deep access to ERP systems.

Threat intelligence reports from Google’s TAG and Mandiant indicate that reconnaissance activity began as early as July 10, 2025, with active exploitation starting around August 9, well before Oracle released emergency patches in October 2024. Organizations running older deployments or delaying maintenance cycles were disproportionately exposed.

This is significant because many enterprises still rely on legacy Oracle E-Business Suite implementations that require downtime to update, creating a persistent patching gap across global financial and supply-chain environments.

Cl0p Claims Responsibility, Expands Extortion Attempts

The ransomware group Cl0p has claimed responsibility through posts on its data-leak site. The group, known for high-impact supply-chain campaigns, reportedly used the Oracle zero-day in combination with other previously patched vulnerabilities to escalate access across networks.

Researchers say at least 29 organizations worldwide were affected across sectors including telecom, manufacturing, and financial services.

To make extortion attempts more convincing, attackers used compromised third-party email accounts purchased through infostealer markets. This allowed them to bypass spam filters and send messages that appeared to originate from internal corporate addresses.

Broadcom Responds, Downplays Operational Impact

Broadcom confirmed that attackers exploited Oracle zero-days but emphasized that its core operations and financial systems remain intact.

The company stated that its Oracle environment had already undergone forensic review and patching, and that any exposed information does not appear to pose significant risk to partners, employees, or vendors.

However, researchers caution that ERP environments often store sensitive artifacts such as transaction histories, contract documents, and supply-chain design files. If accessed, these materials could have downstream implications for large technology ecosystems connected to Broadcom.

A Broader Warning for Enterprises Using Legacy ERP Systems

Security teams monitoring the campaign highlight a recurring pattern: breaches are being enabled not by sophisticated malware, but by delayed patch cycles and integration-layer blind spots, especially in older Oracle E-Business architectures.

Researchers recommend immediate action for all organizations using similar systems:

  • Patch all instances of Oracle E-Business Suite, including older modules.

  • Monitor for suspicious POST requests to /OA_HTML/SyncServlet, a common exploitation path.

  • Review access logs for lateral movement, especially authentication anomalies.

  • Harden BI Publisher and other integration points, which often remain misconfigured.
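As an added illustration of the monitoring recommendation above (example code written for this article, not from Oracle, Broadcom, or any research team), the following script parses combined-format web access log lines and flags POST requests to /OA_HTML/SyncServlet, counting them per source address so repeated probing from one host stands out. The log lines and IP addresses are constructed samples, and the assumption is that the EBS web tier logs in this common format.

```python
import re
from collections import Counter

# Constructed sample access log lines in combined format (not real data).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2025:03:14:07 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.5 - - [12/Aug/2025:03:14:09 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Aug/2025:03:14:11 +0000] "POST /OA_HTML/SyncServlet?x=1 HTTP/1.1" 500 128 "-" "python-requests/2.31"
192.0.2.44 - - [12/Aug/2025:03:15:00 +0000] "POST /OA_HTML/OA.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Path the article names as a common exploitation path (assumed served by the EBS web tier).
WATCH_PATH = "/OA_HTML/SyncServlet"


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_syncservlet_posts(log_text):
    """Return parsed records for POST requests whose path (query string stripped) is the watched path."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0] == WATCH_PATH:
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count flagged requests per source IP to surface repeated activity from one host."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_syncservlet_posts(SAMPLE_LOG)
    for rec in found:
        print(f'{rec["ts"]} {rec["ip"]} POST {rec["path"]} -> {rec["status"]} ua="{rec["ua"]}"')
    print("per-source counts:", dict(summarize_by_source(found)))
```

Any hit is a lead to correlate with patch status and authentication logs, not proof of compromise on its own, since legitimate clients also use this endpoint.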

The Takeaway

The Broadcom incident underscores a larger challenge for enterprises still relying on legacy ERP foundations: security risks now originate as much from operational inertia as from advanced threat actors. As attackers increasingly weaponize enterprise software vulnerabilities, patch hygiene and architectural modernization will become central to resilience.
