Trust Center

Welcome to Broadridge's Trust Center. Our commitment to data privacy and security is embedded in every part of our business. Use this Trust Center to learn about our security posture and request access to our security documentation.

The goal of the Broadridge Information Security Group (BISG) is to provide guidance to all Broadridge associates and contingent workers on Information Security standards, policies, and procedures so that they can incorporate security into their job functions.

The mission of the BISG is to provide the guidance and practical solutions to support the business to ensure the confidentiality, integrity, and availability of Broadridge’s information assets through the implementation and management of the Information Security Management Program. This includes guidance for the collection, use, maintenance, security, and disclosure practices of personal information by Broadridge and its subsidiaries as outlined in the BR Global Privacy Policy. This involves the creation, administration, and communication of policies and standards to ensure the correct protection mechanisms are in place to support the mission.

The purpose of the Information Security Management Program is to ensure that management is appropriately advised and supported so that Broadridge can effectively implement security controls that enable Broadridge to meet the requirements of Internal Audit, external auditors, applicable regulations, clients, and other parties that trust Broadridge to safeguard their information.
The charter of the BISG is to:
• Identify/assess operational and application risks/vulnerabilities and propose recommendations for mitigation through the utilization of appropriate information security controls. (Risk Assessment)
• Protect against any anticipated threats and hazards to information resources. (Security Incidents)
• Establish controls to prevent loss or compromise of information resources. (Data Loss Prevention)
• Promote information security awareness within the organization. (Training and Awareness)
• Establish core competencies of Information Security within the business. (Standardization)
• Provide guidance on user and system access to ensure appropriateness for business functions. (Entitlements Management)
• Establish control frameworks (e.g., ISO, HIPAA, PCI, NIST, SSAE-18), gather evidence, and report to management the state of information security within the business. (Risk & Compliance)
• Govern the processes to ensure the proper disposal of company and client information.

BC/DR

We have a business continuity plan in place to ensure that we can continue to operate in the event of a disaster.

Trust Center Updates

Microsoft Announcement: 56 security vulnerabilities across Windows, Office, Exchange Server, and other components

Vulnerabilities

BROADRIDGE RESPONSE STATEMENT

On December 9th, 2025, Broadridge was notified about a recent announcement from Microsoft, which released its final Patch Tuesday updates addressing 56 security vulnerabilities across Windows, Office, Exchange Server, and other components. This patch includes three zero-day flaws (CVE-2025-62221, CVE-2025-64671, and CVE-2025-54100): two publicly disclosed remote code execution issues and one actively exploited elevation of privilege vulnerability.

The vulnerabilities CVE-2025-62221, CVE-2025-64671, and CVE-2025-54100 represent a meaningful security risk to Windows environments and developer workstations by enabling privilege escalation and arbitrary code execution. CVE-2025-62221 is the most critical, as it is actively exploited in the wild and allows a local attacker to escalate privileges to full SYSTEM control through a flaw in the Windows Cloud Files Mini Filter Driver, significantly increasing the impact of any initial compromise. CVE-2025-64671 affects GitHub Copilot for JetBrains IDEs and permits command injection leading to code execution on a developer’s machine through malicious prompts or project content, raising concerns around AI-assisted development and supply-chain security. CVE-2025-54100 impacts Windows PowerShell, where improper handling of web-sourced content can result in unintended code execution when users run certain commands against untrusted sources. Together, these vulnerabilities underscore the importance of timely patching, secure development practices, and heightened monitoring for privilege escalation and suspicious command execution.

Broadridge has investigated the Microsoft vulnerabilities (CVE-2025-62221, CVE-2025-64671, and CVE-2025-54100) and has determined that there is no threat to Broadridge, as our SCCM automatically pushes patches in our environment when they are released. Currently there have been no signs of these vulnerabilities across our environment, and Broadridge continuously monitors its environments to ensure our clients, customers, stakeholders, and associates remain unaffected by today’s cyber threats.

Thank you,
Broadridge

MongoBleed (CVE-2025-14847)

Vulnerabilities

Threat Response January 15, 2026

BROADRIDGE RESPONSE STATEMENT
On December 29th, 2025, Broadridge was notified about a recent announcement by the Cybersecurity and Infrastructure Security Agency (CISA) regarding a MongoDB Server vulnerability (CVE-2025-14847) that has been actively exploited in the wild. CVE-2025-14847, also known as “MongoBleed”, stems from improper handling of length fields in zlib-compressed network protocol messages, allowing unauthenticated remote attackers to coerce MongoDB into returning uninitialized heap memory to the client.

Versions affected by MongoBleed (CVE-2025-14847) include:

• MongoDB Server v7.0 versions prior to 7.0.28
• MongoDB Server v8.0 versions prior to 8.0.17
• MongoDB Server v8.2 versions prior to 8.2.3
• MongoDB Server v6.0 versions prior to 6.0.27
• MongoDB Server v5.0 versions prior to 5.0.32
• MongoDB Server v4.4 versions prior to 4.4.30
• MongoDB Server v4.2 versions greater than or equal to 4.2.0
• MongoDB Server v4.0 versions greater than or equal to 4.0.0
• MongoDB Server v3.6 versions greater than or equal to 3.6.0

Affected versions should be upgraded to a version equal to or greater than the following:
• Version 7.0.28
• Version 8.0.17
• Version 8.2.3
• Version 6.0.27
• Version 5.0.32
• Version 4.4.30
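As an added example (not Broadridge's or MongoDB's own tooling), the Python check below classifies MongoDB Server version strings against the affected and fixed ranges in the two lists above; the hostnames and versions in the sample inventory are constructed, and a branch the advisory does not mention is reported as unknown rather than assumed safe.

```python
# Classify MongoDB Server versions against the MongoBleed (CVE-2025-14847)
# ranges listed above. Constructed example; not Broadridge or MongoDB tooling.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, is_final)

# Per release branch: first fixed release, or None where the advisory lists
# every version of the branch as affected and gives no fixed release.
FIXED_VERSION: Dict[Tuple[int, int], Optional[Tuple[int, int, int]]] = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
    (4, 2): None,
    (4, 0): None,
    (3, 6): None,
}

def parse_version(text: str) -> Version:
    """Parse 'v7.0.12', '7.0.12-rc0' or '8.0' into (major, minor, patch, is_final).
    is_final is 0 for pre-releases such as '-rc0' so they sort below the GA build."""
    core, _, suffix = text.strip().lstrip("vV").partition("-")
    parts = core.split("+")[0].split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MongoDB version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2], 0 if suffix else 1

def mongobleed_status(text: str) -> str:
    """Return 'affected', 'fixed' or 'unknown-branch' for one version string."""
    ver = parse_version(text)
    if ver[:2] not in FIXED_VERSION:
        return "unknown-branch"   # branch not in the advisory; verify separately
    fixed = FIXED_VERSION[ver[:2]]
    if fixed is None:
        return "affected"         # no fixed release listed for this branch
    return "fixed" if ver >= fixed + (1,) else "affected"

def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    return [(host, ver, mongobleed_status(ver)) for host, ver in inventory]

# Constructed sample inventory: hostnames and versions are invented.
SAMPLE_INVENTORY = [("db-prod-01", "7.0.27"), ("db-prod-02", "8.0.17"),
                    ("db-legacy-01", "4.2.25"), ("db-stage", "v8.2.3-rc0")]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("%-14s %-12s %s" % row)
```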

Broadridge has investigated the MongoBleed vulnerability (CVE-2025-14847) across the enterprise and has detected a few vulnerable versions of MongoDB. Broadridge has patched most of the instances to non-vulnerable versions and is in the final stage of upgrading the last few instances. All identified remaining versions will be patched by January 19th, 2025. Broadridge continuously monitors its environments to ensure our clients, customers, stakeholders, and associates remain unaffected by today’s cyber threats.

Thank you, Broadridge

React2Shell remote code execution flaw, CVE-2025-55182 and CVE-2025-66478

Vulnerabilities

Broadridge Threat Response December 10th, 2025

On December 3rd, Broadridge was informed of a critical vulnerability, the React2Shell remote code execution flaw, CVE-2025-55182 and CVE-2025-66478. More details on the React2Shell vulnerability are available from NVD under CVE-2025-55182 and CVE-2025-66478.

Broadridge has examined our perimeter systems, applied patches/mitigation as needed, and current scans have found no trace of the React2Shell vulnerability. Broadridge is continuously monitoring our environments to ensure our clients, customers, stakeholders, and associates remain unaffected.

Threat Actors Targeting Vulnerable F5 Devices

Vulnerabilities

Threat Response October 17, 2025

BROADRIDGE RESPONSE STATEMENT
On October 15th, 2025, Broadridge was notified about a recent announcement regarding an F5 data breach in which hackers stole source code and other data. The company revealed that a sophisticated nation-state threat actor had gained long-term access to internal systems, exfiltrating sensitive files including BIG-IP source code and details on undisclosed vulnerabilities.

F5’s investigation found no signs of compromise in its software supply chain, including build systems or released code. However, the breach may impact some customers. A limited portion of the stolen files from its knowledge platform contained configuration information related to specific BIG-IP deployments.

To protect users, F5 issued critical patches in its October 2025 Quarterly Security Notification. These updates cover BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. Customers are strongly encouraged to install the patches immediately, even though no active exploitation has been detected.

In response to the F5 data breach, Broadridge investigated and identified 15 internet-facing devices and immediately implemented a remediation plan under which all 15 devices will be addressed in accordance with F5's patch guidance by October 19th. Broadridge is continuously monitoring our environments to ensure our clients, customers, stakeholders, and associates remain unaffected.

Please see the following resources for more information:

CISA Emergency Directive: https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices

F5 Security Incident Details: https://my.f5.com/manage/s/article/K000154696

F5 Security Advisory: https://my.f5.com/manage/s/article/K000156572

Thank you, Broadridge

Red Hat Consulting's GitLab Environment

Vulnerabilities

Threat Response October 14, 2025

BROADRIDGE RESPONSE STATEMENT

On October 8, 2025, Broadridge was notified of public reports concerning a potential breach involving Red Hat Consulting’s GitLab environment, as referenced by multiple cybersecurity sources.
In response to this reported Red Hat Consulting GitLab incident (no CVE assigned, as this represents a third-party exposure rather than a product vulnerability), Broadridge reviewed potential links and determined:

• The investigation found no evidence of Broadridge data exposure and confirmed that the referenced Red Hat Consulting “Customer Engagement Report (CER)” did not contain client data, authentication tokens, credentials, or internal system details.
• There is no indication of impact to Broadridge systems, data, or client environments.

Thank you,
Broadridge

If you think you may have discovered a vulnerability, please send us a note.