Harvard University Data Breach: Cl0p Ransomware Exploits Oracle E-Business Suite Zero-Day (CVE-2025-61882)
- Rescana
- Oct 16

Executive Summary
Harvard University has confirmed a data breach resulting from the exploitation of a zero-day vulnerability, CVE-2025-61882, in the Oracle E-Business Suite (EBS). The attack, attributed to the Cl0p ransomware group, led to the exfiltration and subsequent leak of approximately 1.3 terabytes of data. The breach was limited to a small administrative unit within the university, with no evidence of compromise to other systems. The incident is part of a broader campaign targeting organizations using Oracle EBS, with dozens of victims reported globally. The attackers leveraged unauthenticated remote access and likely abused default password reset mechanisms to obtain credentials, enabling mass data theft and extortion. Law enforcement and cybersecurity agencies have classified the vulnerability as critical, urging immediate patching and enhanced monitoring. The breach underscores the risks associated with third-party enterprise software in higher education and other sectors reliant on Oracle EBS. All information in this summary is directly supported by the cited sources below.
Technical Information
The breach at Harvard University was executed through exploitation of a critical zero-day vulnerability, CVE-2025-61882, in the Oracle E-Business Suite. This vulnerability, rated CVSS 9.8, allows unauthenticated remote attackers to take control of the Oracle Concurrent Processing component via HTTP. The affected versions are Oracle EBS 12.2.3 through 12.2.14 (BI Publisher Integration). The attack chain began with the exploitation of this public-facing application vulnerability, providing initial access to the attackers (BleepingComputer, 2025-10-13; Security Affairs, 2025-10-14).
Following initial access, the attackers likely exploited the default password reset functionality within Oracle EBS to obtain valid user credentials. This method of credential access was reported by Halcyon and corroborated by Mandiant and Google Threat Intelligence Group (Security Affairs, 2025-10-14). With these credentials, the attackers were able to move laterally within the affected administrative unit, leveraging hundreds of compromised accounts to facilitate data collection and exfiltration (The Record, 2025-10-13).
The attackers exfiltrated approximately 1.3 TB of data, including financial, human resources, customer, supplier, and inventory information. The sensitivity of the stolen data varied by victim, but the volume and nature of the data indicate a significant breach of confidential information (Security Affairs, 2025-10-14). The Cl0p ransomware group subsequently listed Harvard University on its Tor-based leak site, threatening to release the stolen data unless a ransom was paid. Extortion emails were sent to university executives, with the attackers providing screenshots and file tree listings as proof of access. Ransom demands reportedly reached seven and eight figures (The Record, 2025-10-13).
Technical analysis by Mandiant and Google Threat Intelligence Group suggests that the attackers may have chained multiple vulnerabilities, including CVE-2025-61882, to maximize access and data theft. The campaign is consistent with previous Cl0p operations, which have targeted enterprise software zero-days for mass data theft and extortion. Notably, the group has previously exploited zero-days in Accellion FTA, SolarWinds Serv-U FTP, GoAnywhere MFT, MOVEit Transfer, and Cleo file transfer products (BleepingComputer, 2025-10-13).
The attack methods align with several MITRE ATT&CK techniques: T1190 (Exploit Public-Facing Application) for initial access, T1078 (Valid Accounts) for credential access, T1078.002 (Domain Accounts) for lateral movement, T1005 (Data from Local System) for data collection, T1041 (Exfiltration Over C2 Channel) for data exfiltration, and T1486 (Data Encrypted for Impact) for extortion, though no encryption was reported in this case.
Attribution to the Cl0p group is supported by direct claims, technical overlap, and third-party confirmation from CrowdStrike, Mandiant, and Google Threat Intelligence Group. There is moderate confidence in the involvement of FIN11 affiliates, as at least one compromised account was linked to this financially motivated group (Security Affairs, 2025-10-14).
No specific malware samples or hashes have been disclosed in the available sources, but the use of custom data theft and extortion toolkits by Cl0p is well documented. The campaign demonstrates a high level of automation and operational sophistication, with rapid exploitation and mass extortion tactics.
The breach highlights the vulnerability of higher education institutions and other sectors that rely on complex enterprise resource planning (ERP) systems like Oracle EBS. The incident also underscores the importance of timely patch management, monitoring for credential abuse, and the need for robust incident response capabilities.
Affected Versions & Timeline
The vulnerability exploited in this campaign, CVE-2025-61882, affects Oracle E-Business Suite versions 12.2.3 through 12.2.14 (BI Publisher Integration). Oracle released an emergency patch for this vulnerability in early October 2025, following reports of active exploitation (BleepingComputer, 2025-10-13; Security Affairs, 2025-10-14).
The attack campaign began in late September 2025, with the first observed extortion emails from the Cl0p group sent to targeted organizations, including Harvard University. The university was publicly listed on the Cl0p leak site on October 12, 2025. Oracle issued its advisory and emergency patch shortly thereafter. Harvard University applied the patch upon receipt and began monitoring for further compromise. As of October 14, 2025, there is no evidence of compromise to other university systems, and the breach appears limited to a small administrative unit (The Record, 2025-10-13; Security Affairs, 2025-10-14).
The FBI and UK National Cyber Security Centre (NCSC) have issued advisories urging all Oracle EBS customers to patch immediately and monitor for signs of compromise, warning that exploit activity could escalate rapidly (The Record, 2025-10-13).
Threat Activity
The threat activity in this incident is attributed to the Cl0p ransomware group, also known as Graceful Spider, with moderate confidence in the involvement of FIN11 affiliates. The group is known for exploiting zero-day vulnerabilities in widely used enterprise software to conduct mass data theft and extortion campaigns.
In this case, the attackers exploited CVE-2025-61882 in Oracle EBS to gain unauthenticated remote access. They likely abused the default password reset mechanism to obtain valid credentials, enabling lateral movement and access to sensitive data. The attackers used hundreds of compromised accounts to collect and exfiltrate approximately 1.3 TB of data from Harvard University, including financial, HR, customer, supplier, and inventory information.
The Cl0p group initiated extortion by sending emails to university executives, threatening to leak the stolen data unless a ransom was paid. The group provided evidence of access through screenshots and file tree listings. Harvard University was subsequently listed on the Cl0p leak site, with the group announcing the imminent release of the stolen data.
This campaign is part of a broader wave of attacks targeting organizations using Oracle EBS, with dozens of victims reported and expectations of many more. The attackers have demonstrated a high level of automation and operational speed, exploiting the vulnerability before many organizations could apply the emergency patch.
The incident highlights the ongoing threat posed by ransomware groups exploiting supply chain and third-party software vulnerabilities, particularly in sectors that rely on complex ERP systems.
Mitigation & Workarounds
The following mitigation actions are prioritized by severity:
Critical: Immediate application of the emergency patch for CVE-2025-61882 on all affected Oracle E-Business Suite instances is essential. Organizations should verify that all systems running versions 12.2.3 through 12.2.14 (BI Publisher Integration) are updated with the latest security fixes from Oracle (Oracle Security Advisory, October 2025).
Critical: Isolate potentially affected Oracle EBS servers from the network if compromise is suspected. Conduct a comprehensive forensic review to identify unauthorized access, credential abuse, and data exfiltration.
High: Monitor for signs of credential abuse, including unauthorized password resets and anomalous login activity. Review all user accounts for suspicious changes and reset credentials as necessary.
High: Enhance monitoring of network traffic for indicators of data exfiltration, particularly large outbound transfers from Oracle EBS servers.
High: Review and restrict access to administrative functions within Oracle EBS, ensuring that only authorized personnel have access to sensitive operations.
Medium: Implement multi-factor authentication (MFA) for all accounts with access to Oracle EBS and associated administrative systems.
Medium: Regularly review and update incident response plans to ensure rapid detection and containment of similar attacks.
Low: Provide user awareness training on phishing and credential theft tactics, as attackers may use social engineering in conjunction with technical exploits.
Organizations are strongly advised to follow guidance from law enforcement and regulatory agencies, including the FBI and UK NCSC, and to stay informed of updates from Oracle and trusted threat intelligence sources.
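As an added example that is not part of the Rescana report or of any Oracle tooling, the Python below shows how the two High-priority monitoring items (credential abuse through password resets and anomalous logins, and large outbound transfers from EBS servers) could be expressed as sliding-window detection rules. The log format, event names, field layout, sample values and thresholds are all constructed assumptions for illustration; real Oracle EBS audit logs, web-tier access logs and network flow records have their own schemas and would need to be mapped onto the fields used here.

```python
"""Added example (not the report's or Oracle's code): sliding-window detection
rules for credential abuse and bulk outbound transfer.

Constructed log line format (one event per line, space separated):
    <ISO timestamp> <EVENT> <account-or-host> <source IP> <bytes>
EVENT is one of PASSWORD_RESET, LOGIN_SUCCESS, OUTBOUND_TRANSFER (assumed names).
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample events: one external source resets six accounts,
    then logs in as twelve different accounts, and the EBS host pushes 6 GB
    outbound; plus benign noise from an internal workstation hours later."""
    base = datetime(2025, 10, 1, 2, 0, 0)
    lines = []
    for i in range(6):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} PASSWORD_RESET acct{i:03d} 203.0.113.7 0")
    for i in range(12):
        lines.append(f"{(base + timedelta(minutes=10 + i)).isoformat()} LOGIN_SUCCESS acct{i:03d} 203.0.113.7 0")
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=20 + i * 5)).isoformat()} OUTBOUND_TRANSFER ebs-app01 10.0.5.20 2000000000")
    lines.append(f"{(base + timedelta(hours=5)).isoformat()} PASSWORD_RESET acct200 10.0.7.31 0")
    lines.append(f"{(base + timedelta(hours=5, minutes=1)).isoformat()} LOGIN_SUCCESS acct200 10.0.7.31 0")
    return lines


def parse_events(lines):
    """Parse the constructed log format into dicts with a datetime 'ts' field."""
    events = []
    for line in lines:
        ts, event, account, src_ip, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "account": account, "src_ip": src_ip, "bytes": int(nbytes)})
    return events


def sliding_window(events, group_key, window, measure):
    """Group events by group_key (e.g. source IP); for each group slide a time
    window over the sorted events and return the maximum of measure(events_in_window)."""
    groups = defaultdict(list)
    for ev in events:
        groups[group_key(ev)].append(ev)
    result = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        best, j = 0, 0
        for i in range(len(evs)):
            # Advance j so evs[i:j] holds every event within `window` of evs[i].
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            best = max(best, measure(evs[i:j]))
        result[key] = best
    return result


def detect(events, reset_threshold=5, account_threshold=10,
           byte_threshold=5_000_000_000, window=timedelta(minutes=30)):
    """Return (rule, key, value) findings. Thresholds are illustrative assumptions
    and should be tuned to the environment's baseline."""
    by_ip = lambda e: e["src_ip"]
    findings = []
    # Rule 1: burst of password resets from one source (default reset-flow abuse).
    resets = [e for e in events if e["event"] == "PASSWORD_RESET"]
    for ip, n in sliding_window(resets, by_ip, window, len).items():
        if n >= reset_threshold:
            findings.append(("reset_burst", ip, n))
    # Rule 2: one source authenticating as many distinct accounts.
    logins = [e for e in events if e["event"] == "LOGIN_SUCCESS"]
    distinct_accounts = lambda evs: len({e["account"] for e in evs})
    for ip, n in sliding_window(logins, by_ip, window, distinct_accounts).items():
        if n >= account_threshold:
            findings.append(("many_accounts_one_source", ip, n))
    # Rule 3: outbound volume from an EBS host exceeding the threshold in one window.
    transfers = [e for e in events if e["event"] == "OUTBOUND_TRANSFER"]
    total_bytes = lambda evs: sum(e["bytes"] for e in evs)
    for host, b in sliding_window(transfers, by_ip, window, total_bytes).items():
        if b >= byte_threshold:
            findings.append(("large_outbound", host, b))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(build_sample_log())):
        print(finding)
```

Run on the constructed sample, the three rules each fire once for the attacker source and the EBS host, while the single reset and login from the internal workstation stay below threshold. The sliding window is deliberately generic so that the same helper serves counts, distinct-account cardinality and byte sums; in production the thresholds would be set from a per-host baseline rather than the fixed values assumed here.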
References
https://www.bleepingcomputer.com/news/security/harvard-investigating-breach-linked-to-oracle-zero-day-exploit/ (October 13, 2025)
https://therecord.media/harvard-says-limited-number-linked-to-data-theft (October 13, 2025)
https://securityaffairs.com/183379/security/harvard-university-hit-in-oracle-ebs-cyberattack-1-3-tb-of-data-leaked-by-cl0p-group.html (October 14, 2025)
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with external vendors and software providers. Our platform enables continuous visibility into supply chain exposures, supports rapid incident response coordination, and facilitates compliance with regulatory requirements for third-party risk. For questions or further information, please contact us at ops@rescana.com.