VMware Company Cyber Security Posture

broadcom.com

VMware by Broadcom delivers software that unifies and streamlines hybrid cloud environments for the world's most complex organizations. By combining public-cloud scale and agility with private-cloud security and performance, we empower our customers to modernize, optimize and protect their apps and businesses everywhere. Capable of deployment in the software-defined data center, cloud environments, any app and the enterprise edge, our comprehensive software portfolio makes global enterprises more innovative, connected, resilient and secure.

VMware Company Details

Linkedin ID:

vmware

Employees number:

15729 employees

Number of followers:

2017559.0

NAICS:

511

Industry Type:

Software Development

Homepage:

broadcom.com

IP Addresses:

555

Company ID:

VMW_1948473

Scan Status:

In-progress

VMware Risk Score (AI oriented)

Between 900 and 1000

This score is AI-generated and less favored by cyber insurers, who prefer the TPRM score.

VMware Global Score

VMware Company Scoring based on AI Models

Model Name: AVERAGE-Industry

Date: 03-12-2025

Description: This score represents the average cybersecurity rating of companies already scanned within the same industry. It provides a benchmark to compare an individual company's security posture against its industry peers.

Current Score Difference: N/A

Score: Between 900 and 1000

VMware Company Cyber Security News & History

Past Incidents
9
Attack Types
3
Entity: Symantec
Type: Breach
Severity: 60
Impact: 3
Seen: 02/2019
Url ID: SYM1336271222
Rankiteo Explanation: Attack with significant impact with internal employee data leaks

Description: Security firm Symantec was attacked by a hacker back in February 2021 in which the hackers extracted some of the data. This comprises not only passwords but a list of Symantec clients -- including government agencies. The hacker was able to access a list of clients using Symantec's CloudSOC services, account managers and account numbers.

Entity: VMware
Type: Ransomware
Severity: 100
Impact: 5
Seen: 7/2024
Url ID: VMW000072224
Rankiteo Explanation: Attack threatening the organization's existence

Description: The SEXi ransomware, which recently rebranded itself as APT INC, continues to plague VMware's ESXi servers, causing significant disruptions to services and potentially leaking sensitive customer data. The attacks underscore the critical vulnerabilities within the ESXi platform and the importance of robust security measures to prevent such incidents.

Entity: VMware
Type: Ransomware
Severity: 100
Impact: 5
Seen: 2/2025
Url ID: VMW403030325
Rankiteo Explanation: Attack threatening the organization's existence

Description: VMware experienced critical flaws in their ESXi and vCenter products, which were heavily exploited by ransomware gangs and state actors, causing considerable disruptions. The vulnerabilities, such as CVE-2024-38812, CVE-2024-37085, and CVE-2024-38813, highlighted shortcomings in Broadcom's security responses, with incomplete patching and delays in acknowledgment. This allowed attackers to capitalize on these exploits, leading to ransomware infections and data breaches that potentially compromised personal and financial information, causing significant operational and security challenges for the company and its clients.

Entity: VMware
Type: Ransomware
Severity: 100
Impact: 4
Seen: 3/2025
Url ID: VMW423032425
Rankiteo Explanation: Attack with significant impact with customers data leaks

Description: A series of critical vulnerabilities in VMware's virtualization products have led to a widespread wave of ransomware attacks, compromising the infrastructures of numerous enterprises. Exploiting three CVEs (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226), attackers gain elevated privileges, escape VM containment and enact widespread encryption. The healthcare and financial sectors were particularly hit, leading to encrypted patient record systems and transaction databases with ransoms ranging from $2 to $5 million. The severity of the impact was exacerbated by oversights in security monitoring, ineffective segmentation, and delay in implementing available patches. Despite the vulnerabilities being patched by Broadcom, the immediate need for urgent patch application and heightened vigilance remains crucial.

Entity: VMware
Type: Ransomware
Severity: 100
Impact: 5
Seen: /2025
Url ID: VMW222051225
Rankiteo Explanation: Attack threatening the organization's existence: Attack in which personal and financial information is compromised, Attack which stops a factory, Attack which takes over all data from a company, Attack which takes specific data like patents, Attack in which the company is requested to pay a ransom or ransomware is involved

Description: Hackers are exploiting the legitimate employee monitoring tool Kickidler to obtain login credentials and deploy ransomware encryptors. The attack begins with a poisoned ad on the Google Ads network, leading to a trojanized version of RVTools. This version deploys a backdoor called SMOKEDHAM, which is then used to install Kickidler. The tool is specifically used to target enterprise administrators and their login credentials. The goal is to infiltrate the network and deploy the encryptor. The payloads targeted VMware ESXi infrastructure, encrypting VMDK virtual hard drives. The groups Qilin and Hunters International are focused on cloud backups but have faced challenges due to defenders decoupling backup system authentication from Windows domains.

Entity: Broadcom
Type: Ransomware
Severity: 100
Impact: 4
Seen: 5/2025
Url ID: BRO325051825
Rankiteo Explanation: Attack with significant impact with customers data leaks

Description: A ransomware attack at a Middle Eastern business partner of payroll company ADP has led to customer data theft at Broadcom. The HR department has begun informing affected current and former staff. The attack, claimed by the El Dorado ransomware group, resulted in the compromise of personal data including National ID numbers, financial account numbers, and personal contact information. The data was made available on the internet, affecting 560 users and potentially opening up the attack surface to 35 additional companies. Broadcom urged affected individuals to enable multi-factor authentication and monitor financial records for unauthorized activity.

Entity: Symantec
Type: Vulnerability
Severity: 60
Impact: 3
Seen: 06/2016
Url ID: SYM44121823
Rankiteo Explanation: Attack with significant impact with internal employee data leaks

Description: Tavis Ormandy identified Symantec and Norton flaws that cybercriminals may use to gain access to users' data. There were 17 items on the list of vulnerable Symantec enterprise products. On the Symantec website, these items had been listed as a security advisory. Malware concealed in an executable file had a chance to obtain total access to the computer running the operating system, because it was discovered that Symantec decompressed files in the operating system's kernel.

Entity: VMware
Type: Vulnerability
Severity: 85
Impact: 3
Seen: 4/2025
Url ID: VMW806040125
Rankiteo Explanation: Attack with significant impact with internal employee data leaks

Description: VMware has announced a critical security issue VMSA-2025-0006, a high-severity vulnerability affecting Aria Operations. This vulnerability, CVE-2025-22231, enables attackers with local access to escalate privileges to root level, potentially resulting in full system control. This may lead to unauthorized data access, service disruptions, or further network compromise. Important to note is that exploitation requires existing local administrative access. Targeted systems include VMware Aria Operations, Cloud Foundation, and Telco Cloud platforms. While patches are available, unpatched systems are still at risk. The flaw's discovery was credited to researchers from MoyunSec Vlab.

Entity: Broadcom
Type: Vulnerability
Severity: 25
Impact: 1
Seen: 7/2025
Url ID: BRO809071525
Rankiteo Explanation: Attack without any consequences

Description: A critical security vulnerability has been discovered in Broadcom's Symantec Endpoint Management Suite that enables unauthenticated remote code execution, posing significant risks to enterprise IT infrastructure. The flaw, designated CVE-2025-5333 with a severe CVSS v4.0 score of 9.5, affects multiple versions of the widely-deployed endpoint management solution and has prompted immediate mitigation recommendations from security experts. The vulnerability resides in the Symantec Altiris Inventory Rule Management (IRM) component, specifically targeting an exposed legacy .NET Remoting endpoint.

VMware Company Subsidiaries


VMware by Broadcom delivers software that unifies and streamlines hybrid cloud environments for the world's most complex organizations. By combining public-cloud scale and agility with private-cloud security and performance, we empower our customers to modernize, optimize and protect their apps and businesses everywhere. Capable of deployment in the software-defined data center, cloud environments, any app and the enterprise edge, our comprehensive software portfolio makes global enterprises more innovative, connected, resilient and secure.


Access Data Using Our API


Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=vmware' -H 'apikey: YOUR_API_KEY_HERE'

VMware Cyber Security News

2025-03-05T08:00:00.000Z
Broadcom urges customers to patch 3 zero-day VMware flaws

Cyberattackers with administrative access are actively exploiting vulnerabilities in ESXi, Workstation and Fusion products.

2024-07-22T22:16:33.000Z
Security and Resiliency Solutions

Get End-to-end protection, detection, risk management, and cyber recovery for VMware Cloud Foundation.

2025-03-04T08:00:00.000Z
CISA, VMware warn of new vulnerabilities being exploited by hackers

Federal civilian agencies have three weeks to resolve three recently reported vulnerabilities affecting products from technology giant VMware ...

2025-03-04T08:00:00.000Z
VMware Security Flaws Exploited in the Wild, Broadcom Releases Urgent Patches

Broadcom has released security updates to address three actively exploited security flaws in VMware ESXi, Workstation, and Fusion products ...

2025-06-26T14:42:17.000Z
HPE OneView for VMware vCenter Allows Escalation of Privileges

A significant security vulnerability in Hewlett Packard Enterprise OV4VC platform that could allow attackers with limited access.

2024-11-05T08:00:00.000Z
VMware boosts GenAI, cybersecurity and sovereign cloud

VMware is adding new Advanced Services to its Cloud Foundation (VCF). These enhancements aim to strengthen three critical aspects of digital business ...

2025-01-16T08:00:00.000Z
VMware Cloud Foundation embeds security into the private cloud

Private cloud and AI features in VMware Cloud Foundation. The VMware Cloud Foundation is a private cloud platform that manages enterprise ...

2025-05-20T07:00:00.000Z
NATO-Flagged Vulnerability Tops Latest VMware Security Patch Batch

VMware patches flaws that expose users to data leakage, command execution and denial-of-service attacks. No temporary workarounds available.

2025-03-05T08:00:00.000Z
Broadcom urges VMware customers to patch 'emergency' zero-day bugs under active exploitation

U.S. technology giant Broadcom is warning that a trio of VMware vulnerabilities are being actively exploited by malicious hackers to compromise ...


VMware Similar Companies

Daraz

Daraz is the leading e-commerce marketplace across South Asia (excluding India). Our business covers four key areas - e-commerce, logistics, payment infrastructure and financial services - providing our sellers and customers with an end-to-end commerce solution. With access to over 500 million custo

Juniper Networks

Juniper Networks is leading the revolution in networking, making it one of the most exciting technology companies in Silicon Valley today. Since being founded by Pradeep Sindhu, Dennis Ferguson, and Bjorn Liencres nearly 20 years ago, Juniper's sole mission has been to create innovative products and

Siemens Digital Industries Software

We help organizations of all sizes digitally transform using software, hardware and services from the Siemens Xcelerator business platform. Our software and the comprehensive digital twin enable companies to optimize their design, engineering and manufacturing processes to turn today's ideas into th

TRIRIGA

Named by foremost analyst firm AMR Research as the leader in sustainability software and top industry analysts as a leader in Integrated Workplace Management Systems, TRIRIGA, an IBM Company provides enterprise sustainability, real estate and facilities management solutions. TRIRIGA delivers the ind

Just Eat Takeaway.com

Just Eat Takeaway.com is a leading global online delivery marketplace, connecting consumers and restaurants through our platform in 19 countries. Like a dinner table, working at JET brings our office employees and couriers together. From coding to customer service to couriers, JET is a

Instacart

Instacart, the leading grocery technology company in North America, works with grocers and retailers to transform how people shop. The company partners with more than 1,500 national, regional, and local retail banners to facilitate online shopping, delivery and pickup services from more than 85,000


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

VMware CyberSecurity History Information

How many cyber incidents has VMware faced?

Total Incidents: According to Rankiteo, VMware has faced 9 incidents in the past.

What types of cybersecurity incidents have occurred at VMware?

Incident Types: The types of cybersecurity incidents that have occurred are Ransomware, Breach and Vulnerability.

How does VMware detect and respond to cybersecurity incidents?

Detection and Response: The company detects and responds to cybersecurity incidents through containment measures (block port 4011 on firewalls; configure the IRM_HostedServiceUrl core setting with an empty value and restart the Altiris Inventory Rule Management Service), remediation measures (limit .NET Remoting access to localhost-only in upcoming releases; patches available), a communication strategy (urged affected individuals to enable multi-factor authentication and monitor financial records for unauthorized activity), network segmentation (ineffective segmentation was noted) and enhanced monitoring (oversights in security monitoring were noted).

Incident Details

Can you provide details on each incident?

Incident : Vulnerability

Title: Critical Security Vulnerability in Broadcom's Symantec Endpoint Management Suite

Description: A critical security vulnerability (CVE-2025-5333) has been discovered in Broadcom's Symantec Endpoint Management Suite that enables unauthenticated remote code execution, posing significant risks to enterprise IT infrastructure.

Date Detected: May 2025

Type: Vulnerability

Attack Vector: Unauthenticated Remote Code Execution (RCE)

Vulnerability Exploited: CVE-2025-5333

Incident : Ransomware

Title: Ransomware Attack at Broadcom via Middle Eastern Business Partner

Description: A ransomware attack at a Middle Eastern business partner of payroll company ADP has led to customer data theft at Broadcom. The HR department has begun informing affected current and former staff. The attack, claimed by the El Dorado ransomware group, resulted in the compromise of personal data including National ID numbers, financial account numbers, and personal contact information. The data was made available on the internet, affecting 560 users and potentially opening up the attack surface to 35 additional companies. Broadcom urged affected individuals to enable multi-factor authentication and monitor financial records for unauthorized activity.

Type: Ransomware

Attack Vector: Ransomware

Threat Actor: El Dorado ransomware group

Motivation: Data theft and ransom

Incident : Ransomware

Title: Exploitation of Kickidler for Ransomware Deployment

Description: Hackers are exploiting the legitimate employee monitoring tool Kickidler to obtain login credentials and deploy ransomware encryptors. The attack begins with a poisoned ad on the Google Ads network, leading to a trojanized version of RVTools. This version deploys a backdoor called SMOKEDHAM, which is then used to install Kickidler. The tool is specifically used to target enterprise administrators and their login credentials. The goal is to infiltrate the network and deploy the encryptor. The payloads targeted VMware ESXi infrastructure, encrypting VMDK virtual hard drives. The groups Qilin and Hunters International are focused on cloud backups but have faced challenges due to defenders decoupling backup system authentication from Windows domains.

Type: Ransomware

Attack Vector: Poisoned ad on Google Ads network, Trojanized RVTools, SMOKEDHAM backdoor

Vulnerability Exploited: Kickidler employee monitoring tool

Threat Actor: Qilin, Hunters International

Motivation: Obtain login credentials and deploy ransomware encryptors

Incident : Vulnerability

Title: VMware VMSA-2025-0006 Privilege Escalation Vulnerability

Description: VMware has announced a critical security issue VMSA-2025-0006, a high-severity vulnerability affecting Aria Operations. This vulnerability, CVE-2025-22231, enables attackers with local access to escalate privileges to root level, potentially resulting in full system control. This may lead to unauthorized data access, service disruptions, or further network compromise. Important to note is that exploitation requires existing local administrative access. Targeted systems include VMware Aria Operations, Cloud Foundation, and Telco Cloud platforms. While patches are available, unpatched systems are still at risk. The flaw's discovery was credited to researchers from MoyunSec Vlab.

Type: Vulnerability

Attack Vector: Local Access

Vulnerability Exploited: CVE-2025-22231

Motivation: Privilege Escalation

Incident : Ransomware

Title: Widespread Ransomware Attacks Exploiting VMware Vulnerabilities

Description: A series of critical vulnerabilities in VMware's virtualization products have led to a widespread wave of ransomware attacks, compromising the infrastructures of numerous enterprises. Exploiting three CVEs (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226), attackers gain elevated privileges, escape VM containment and enact widespread encryption. The healthcare and financial sectors were particularly hit, leading to encrypted patient record systems and transaction databases with ransoms ranging from $2 to $5 million. The severity of the impact was exacerbated by oversights in security monitoring, ineffective segmentation, and delay in implementing available patches. Despite the vulnerabilities being patched by Broadcom, the immediate need for urgent patch application and heightened vigilance remains crucial.

Type: Ransomware

Attack Vector: Exploiting vulnerabilities in VMware virtualization products

Vulnerability Exploited: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226

Motivation: Financial gain

Incident : Cyber Exploitation

Title: VMware Critical Flaws Exploitation

Description: VMware experienced critical flaws in their ESXi and vCenter products, which were heavily exploited by ransomware gangs and state actors, causing considerable disruptions. The vulnerabilities, such as CVE-2024-38812, CVE-2024-37085, and CVE-2024-38813, highlighted shortcomings in Broadcom's security responses, with incomplete patching and delays in acknowledgment. This allowed attackers to capitalize on these exploits, leading to ransomware infections and data breaches that potentially compromised personal and financial information, causing significant operational and security challenges for the company and its clients.

Type: Cyber Exploitation

Attack Vector: Vulnerability Exploitation, Ransomware Infection, Data Breach

Vulnerability Exploited: CVE-2024-38812, CVE-2024-37085, CVE-2024-38813

Threat Actor: Ransomware Gangs, State Actors

Motivation: Financial Gain, Data Theft

Incident : Ransomware

Title: SEXi Ransomware Attack on VMware ESXi Servers

Description: The SEXi ransomware, which recently rebranded itself as APT INC, continues to plague VMware's ESXi servers, causing significant disruptions to services and potentially leaking sensitive customer data. The attacks underscore the critical vulnerabilities within the ESXi platform and the importance of robust security measures to prevent such incidents.

Type: Ransomware

Attack Vector: Exploitation of vulnerabilities in VMware ESXi servers

Vulnerability Exploited: Critical vulnerabilities within the ESXi platform

Threat Actor: SEXi ransomware (rebranded as APT INC)

Motivation: Disruption of services and potential data leakage

Incident : Vulnerability Exploit

Title: Symantec and Norton Vulnerabilities Identified by Tavis Ormandy

Description: Tavis Ormandy identified Symantec and Norton flaws that cybercriminals may use to gain access to users' data. There were 17 items on the list of vulnerable Symantec enterprise products. On the Symantec website, these items had been listed as a security advisory. Malware concealed in an executable file had a chance to obtain total access to the computer running the operating system, because it was discovered that Symantec decompressed files in the operating system's kernel.

Type: Vulnerability Exploit

Attack Vector: Executable File

Vulnerability Exploited: File Decompression in Kernel

Motivation: Data Theft

Incident : Data Breach

Title: Symantec Data Breach

Description: Security firm Symantec was attacked by a hacker in February 2021, resulting in the extraction of data including passwords and a list of Symantec clients, including government agencies.

Date Detected: 2021-02-01

Type: Data Breach

What are the most common types of attacks the company has faced?

Common Attack Types: The most common type of attack the company has faced is Ransomware.

How does the company identify the attack vectors used in incidents?

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Port 4011, Poisoned ad on Google Ads network, VMware virtualization products and Executable File.

Impact of the Incidents

What was the impact of each incident?

Incident : Vulnerability BRO809071525

Systems Affected: Symantec Endpoint Management Suite 8.6.x-8.8

Incident : Ransomware BRO325051825

Data Compromised: National ID numbers, financial account numbers, personal contact information

Identity Theft Risk: True

Payment Information Risk: True

Incident : Ransomware VMW222051225

Data Compromised: Login credentials of enterprise administrators

Systems Affected: VMware ESXi infrastructure

Incident : Vulnerability VMW806040125

Data Compromised: Potential unauthorized data access

Systems Affected: VMware Aria Operations, Cloud Foundation, Telco Cloud platforms

Downtime: Potential service disruptions

Incident : Ransomware VMW423032425

Data Compromised: Patient record systems, Transaction databases

Systems Affected: VMware virtualization products, Patient record systems, Transaction databases

Incident : Cyber Exploitation VMW403030325

Data Compromised: Personal Information, Financial Information

Systems Affected: ESXi, vCenter

Operational Impact: Significant

Incident : Ransomware VMW000072224

Data Compromised: Potentially sensitive customer data

Systems Affected: VMware ESXi servers

Downtime: Significant disruptions to services

Incident : Vulnerability Exploit SYM44121823

Systems Affected: Symantec Enterprise Products

Incident : Data Breach SYM1336271222

Data Compromised: passwords, list of Symantec clients, government agencies, list of clients using Symantec's CloudSOC services, account managers, account numbers

What types of data are most commonly compromised in incidents?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are National ID numbers, financial account numbers, personal contact information, Login credentials, Patient records, Transaction data, Personal Information, Financial Information, Sensitive customer data, passwords, list of Symantec clients, government agencies, list of clients using Symantec's CloudSOC services, account managers and account numbers.

Which entities were affected by each incident?

Incident : Vulnerability BRO809071525

Entity Type: Organization

Industry: Technology

Incident : Ransomware BRO325051825

Entity Type: Company

Industry: Technology

Customers Affected: 560

Incident : Ransomware VMW222051225

Entity Type: Enterprises

Incident : Vulnerability VMW806040125

Entity Type: Organization

Industry: Technology

Incident : Ransomware VMW423032425

Entity Type: Enterprise

Industry: Healthcare, Financial

Incident : Cyber Exploitation VMW403030325

Entity Type: Corporation

Industry: Technology

Incident : Ransomware VMW000072224

Entity Type: Organization

Industry: Technology

Incident : Vulnerability Exploit SYM44121823

Entity Type: Company

Industry: Cybersecurity

Incident : Data Breach SYM1336271222

Entity Type: Security Firm

Industry: Cybersecurity

Response to the Incidents

What measures were taken in response to each incident?

Incident : Vulnerability BRO809071525

Containment Measures: Block port 4011 on firewalls, Configure the IRM_HostedServiceUrl core setting with an empty value and restart the Altiris Inventory Rule Management Service

Remediation Measures: Limit .NET Remoting access to localhost-only in upcoming releases

Incident : Ransomware BRO325051825

Communication Strategy: Urged affected individuals to enable multi-factor authentication and monitor financial records for unauthorized activity

Incident : Vulnerability VMW806040125

Remediation Measures: Patches available

Incident : Ransomware VMW423032425

Network Segmentation: Ineffective segmentation

Enhanced Monitoring: Oversights in security monitoring

Data Breach Information

What type of data was compromised in each breach?

Incident : Ransomware BRO325051825

Type of Data Compromised: National ID numbers, financial account numbers, personal contact information

Number of Records Exposed: 560

Sensitivity of Data: High

Data Exfiltration: True

Personally Identifiable Information: True

Incident : Ransomware VMW222051225

Type of Data Compromised: Login credentials

Sensitivity of Data: High

Incident : Ransomware VMW423032425

Type of Data Compromised: Patient records, Transaction data

Data Encryption: Widespread encryption

Incident : Cyber Exploitation VMW403030325

Type of Data Compromised: Personal Information, Financial Information

Incident : Ransomware VMW000072224

Type of Data Compromised: Sensitive customer data

Sensitivity of Data: High

Incident : Data Breach SYM1336271222

Type of Data Compromised: passwords, list of Symantec clients, government agencies, list of clients using Symantec's CloudSOC services, account managers, account numbers

Data Exfiltration: True

What measures does the company take to prevent data exfiltration?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Limit .NET Remoting access to localhost-only in upcoming releases, Patches available.

How does the company handle incidents involving personally identifiable information (PII)?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) by blocking port 4011 on firewalls and by configuring the IRM_HostedServiceUrl core setting with an empty value and restarting the Altiris Inventory Rule Management Service.

Ransomware Information

Was ransomware involved in any of the incidents?

Incident : Ransomware BRO325051825

Ransomware Strain: El Dorado

Data Exfiltration: True

Incident : Ransomware VMW222051225

Data Encryption: VMDK virtual hard drives

Incident : Ransomware VMW423032425

Ransom Demanded: $2 million to $5 million

Data Encryption: Widespread encryption

Incident : Ransomware VMW000072224

Ransomware Strain: SEXi (rebranded as APT INC)

Lessons Learned and Recommendations

What lessons were learned from each incident?

Incident : Ransomware VMW000072224

Lessons Learned: Importance of robust security measures to prevent such incidents.

What recommendations were made to prevent future incidents?

Incident : Vulnerability BRO809071525

Recommendations: Block port 4011 on firewalls, Configure the IRM_HostedServiceUrl core setting with an empty value and restart the Altiris Inventory Rule Management Service, Limit .NET Remoting access to localhost-only in upcoming releases

Incident : Ransomware VMW423032425

Recommendations: Urgent patch application, Heightened vigilance

What are the key lessons learned from past incidents?

Key Lessons Learned: The key lessons learned from past incidents are Importance of robust security measures to prevent such incidents.

What recommendations has the company implemented to improve cybersecurity?

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Block port 4011 on firewalls, Configure the IRM_HostedServiceUrl core setting with an empty value and restart the Altiris Inventory Rule Management Service, Limit .NET Remoting access to localhost-only in upcoming releases, Urgent patch application, Heightened vigilance.

References

Where can I find more information about each incident?

Incident : Vulnerability BRO809071525

Source: Broadcom PSIRT

Incident : Vulnerability BRO809071525

Source: LRQA security researchers

Incident : Vulnerability VMW806040125

Source: VMware

Where can stakeholders find additional resources on cybersecurity best practices?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices from the following sources: Broadcom PSIRT, LRQA security researchers, and VMware.

Investigation Status

How does the company communicate the status of incident investigations to stakeholders?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders by urging affected individuals to enable multi-factor authentication and monitor financial records for unauthorized activity.

Initial Access Broker

How did the initial access broker gain entry for each incident?

Incident : Vulnerability BRO809071525

Entry Point: Port 4011

Incident : Ransomware VMW222051225

Entry Point: Poisoned ad on Google Ads network

Backdoors Established: SMOKEDHAM

High Value Targets: Enterprise administrators

Data Sold on Dark Web: Enterprise administrators

Incident : Ransomware VMW423032425

Entry Point: VMware virtualization products

High Value Targets: Healthcare and financial sectors

Data Sold on Dark Web: Healthcare and financial sectors

Incident : Vulnerability Exploit SYM44121823

Entry Point: Executable File

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident?

Incident : Vulnerability BRO809071525

Root Causes: Insecure deserialization of .NET objects through the BinaryServerFormatterSinkProvider with TypeFilterLevel set to Full

Corrective Actions: Block port 4011 on firewalls, Configure the IRM_HostedServiceUrl core setting with an empty value and restart the Altiris Inventory Rule Management Service, Limit .NET Remoting access to localhost-only in upcoming releases

Incident : Ransomware VMW222051225

Root Causes: Exploitation of Kickidler tool

Incident : Ransomware VMW423032425

Root Causes: Oversights in security monitoring, Ineffective segmentation, Delay in implementing available patches

What is the company's process for conducting post-incident analysis?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Oversights in security monitoring.

What corrective actions has the company taken based on post-incident analysis?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Block port 4011 on firewalls, Configure the IRM_HostedServiceUrl core setting with an empty value and restart the Altiris Inventory Rule Management Service, Limit .NET Remoting access to localhost-only in upcoming releases.

Additional Questions

General Information

What was the amount of the last ransom demanded?

Last Ransom Demanded: The amounts of the last ransoms demanded were $2 million and $5 million.

Who was the attacking group in the last incident?

Last Attacking Group: The attacking groups in the last incidents were the El Dorado ransomware group, Qilin, Hunters International, ransomware gangs, state actors and SEXi ransomware (rebranded as APT INC).

Incident Details

What was the most recent incident detected?

Most Recent Incident Detected: The most recent incident was detected in May 2025.

Impact of the Incidents

What was the most significant data compromised in an incident?

Most Significant Data Compromised: The most significant data compromised in an incident were National ID numbers, financial account numbers, personal contact information, Login credentials of enterprise administrators, Potential unauthorized data access, Patient record systems, Transaction databases, Personal Information, Financial Information, Potentially sensitive customer data, passwords, list of Symantec clients, government agencies, list of clients using Symantec's CloudSOC services, account managers and account numbers.

What was the most significant system affected in an incident?

Most Significant System Affected: The most significant systems affected in an incident were Symantec Endpoint Management Suite 8.6.x-8.8, VMware ESXi infrastructure, VMware Aria Operations, Cloud Foundation, Telco Cloud platforms, VMware virtualization products, patient record systems, transaction databases, ESXi, vCenter and VMware ESXi servers, and Symantec Enterprise Products.

Response to the Incidents

What containment measures were taken in the most recent incident?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were to block port 4011 on firewalls and to configure the IRM_HostedServiceUrl core setting with an empty value and restart the Altiris Inventory Rule Management Service.

Data Breach Information

What was the most sensitive data compromised in a breach?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were National ID numbers, financial account numbers, personal contact information, Login credentials of enterprise administrators, Potential unauthorized data access, Patient record systems, Transaction databases, Personal Information, Financial Information, Potentially sensitive customer data, passwords, list of Symantec clients, government agencies, list of clients using Symantec's CloudSOC services, account managers and account numbers.

What was the number of records exposed in the most significant breach?

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 560.

Ransomware Information

What was the highest ransom demanded in a ransomware incident?

Highest Ransom Demanded: The highest ransoms demanded in ransomware incidents were $2 million and $5 million.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was the importance of robust security measures to prevent such incidents.

What was the most significant recommendation implemented to improve cybersecurity?

Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were to block port 4011 on firewalls, configure the IRM_HostedServiceUrl core setting with an empty value and restart the Altiris Inventory Rule Management Service, limit .NET Remoting access to localhost-only in upcoming releases, apply patches urgently, and maintain heightened vigilance.

References

What is the most recent source of information about an incident?

Most Recent Source: The most recent sources of information about an incident are Broadcom PSIRT, LRQA security researchers and VMware.

Initial Access Broker

What was the most recent entry point used by an initial access broker?

Most Recent Entry Point: The most recent entry points used by an initial access broker were VMware virtualization products, a poisoned ad on the Google Ads network, an executable file and port 4011.

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis?

Most Significant Root Cause: The most significant root causes identified in post-incident analysis were insecure deserialization of .NET objects through the BinaryServerFormatterSinkProvider with TypeFilterLevel set to Full, exploitation of the Kickidler tool, oversights in security monitoring, ineffective segmentation, and delay in implementing available patches.

What was the most significant corrective action taken based on post-incident analysis?

Most Significant Corrective Action: The most significant corrective actions taken based on post-incident analysis were to block port 4011 on firewalls, configure the IRM_HostedServiceUrl core setting with an empty value and restart the Altiris Inventory Rule Management Service, and limit .NET Remoting access to localhost-only in upcoming releases.

What Do We Measure?

Incident

Finding

Grade

Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.