The Cl0p ransomware group has transitioned into the mass-extortion phase of its latest campaign, targeting a zero-day vulnerability in Oracle E-Business Suite (EBS). Broadcom has emerged as the most significant victim, with over 2TB of sensitive archives now leaking online.
The Zero-Day Vector: CVE-2026-2188
The attack leverages a previously unknown pre-authentication Remote Code Execution (RCE) vulnerability in the **Oracle EBS framework**. By sending a malformed request to the `/OA_HTML/` endpoint, attackers can bypass the login gate and execute shell commands with the privileges of the application server.
Broadcom, which uses EBS for a range of global financial and supply-chain operations, appears to have had an exposed on-premises instance that had not yet been migrated to Oracle's hardened Oracle Cloud Infrastructure (OCI) environment. This allowed Cl0p to gain a persistent foothold and begin a month-long silent exfiltration process.
What’s in the Leak? 2TB of Silicon Secrets
The exfiltrated data includes highly sensitive internal documentation, including:
- Next-Gen Chip Blueprints: Architectural diagrams for Broadcom’s 2027-2028 optical interconnect roadmap.
- Customer Pricing Tiers: Confidential agreement structures with major hyperscalers including AWS and Google.
- ERP Financial Models: Internal projections used for M&A activity and quarterly earnings guidance.
Attack Timeline: Silent Exfiltration
Cl0p utilized a "Slow and Low" egress strategy to avoid detection by traditional network monitoring tools.
- Feb 14: Initial foothold gained via CVE-2026-2188.
- Feb 20: Lateral movement to the central file server.
- Feb 22 - Mar 14: Silent exfiltration of 2.1TB via encrypted HTTPS chunks.
- Mar 16: Public leak of 10% sample after Broadcom refused a $50M demand.
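Chunked "slow and low" egress of the kind shown in the timeline stays under per-session volume alerts, but it does not escape aggregation across days. The following is an added example, not code from the article or from any vendor: it reads constructed outbound-proxy log lines and flags source/destination pairs whose individually small transfers recur on several distinct days and add up past a total threshold. The log format, hostnames and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not from the original article).
# Format assumed here: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>"
SAMPLE_LOG = """\
2026-02-22T01:05:00 10.1.4.20 files.example-cdn.invalid 52428800
2026-02-22T13:10:00 10.1.4.20 files.example-cdn.invalid 52428800
2026-02-23T02:15:00 10.1.4.20 files.example-cdn.invalid 52428800
2026-02-24T03:20:00 10.1.4.20 files.example-cdn.invalid 52428800
2026-02-25T04:25:00 10.1.4.20 files.example-cdn.invalid 52428800
2026-02-22T09:00:00 10.1.4.20 updates.vendor.invalid 1048576
2026-02-23T09:00:00 10.1.4.20 updates.vendor.invalid 1048576
2026-02-24T09:00:00 10.1.4.21 backup.corp.invalid 5368709120
"""


def parse_lines(text):
    """Yield (timestamp, src, dst, bytes_out) tuples from the assumed log format."""
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def find_slow_and_low(text, min_days=3, min_total=100 * 2**20, max_per_event=64 * 2**20):
    """Flag (src, dst) pairs whose outbound transfers are each below max_per_event
    (so they slip under single-burst volume alerts) but recur on at least min_days
    distinct days and sum to at least min_total bytes.
    Returns {(src, dst): {"days": n, "total_bytes": b}} for every flagged pair."""
    days = defaultdict(set)
    totals = defaultdict(int)
    for ts, src, dst, nbytes in parse_lines(text):
        if nbytes > max_per_event:
            continue  # large single bursts belong to a separate volume rule
        days[(src, dst)].add(ts.date())
        totals[(src, dst)] += nbytes
    return {
        key: {"days": len(seen), "total_bytes": totals[key]}
        for key, seen in days.items()
        if len(seen) >= min_days and totals[key] >= min_total
    }


if __name__ == "__main__":
    for (src, dst), hit in find_slow_and_low(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {hit['days']} days, {hit['total_bytes']} bytes")
```

In the constructed sample only the repeated 50 MiB transfers to files.example-cdn.invalid are flagged; the two small vendor-update fetches fall short of both thresholds, and the single 5 GiB backup is left to a burst-volume rule.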
Supply Chain Implications
The breach of Broadcom is more than a single corporate failure; it is a **supply chain risk** for the entire semiconductor industry. If the leaked blueprints contain proprietary IP related to PCIe 7.0/8.0 or high-speed SerDes, it could accelerate the development of competing products in restricted markets.
Oracle has issued an emergency patch for EBS today, urging all on-premises customers to disconnect the `/OA_HTML/` path from the public internet immediately. For Broadcom, the focus now shifts to damage control and legal fallout as the Cl0p group threatens to release the remaining 90% of the dataset by Friday.