University of Pennsylvania Data Breach: Oracle E-Business Suite (CVE-2025-61882) Exploit by Clop Ransomware Group
- Rescana

Executive Summary
The University of Pennsylvania has confirmed a significant data breach following the exploitation of a zero-day vulnerability in the Oracle E-Business Suite (EBS), in conjunction with a sophisticated social engineering attack. The incident, discovered on October 31, 2025, resulted in unauthorized access to systems related to the university’s development and alumni activities. Attackers obtained sensitive personal information, including names and other personal identifiers, as well as documents related to donors and financial transactions. The breach is part of a broader campaign attributed to the Clop ransomware group, which has targeted nearly 100 organizations using the same Oracle EBS vulnerability (CVE-2025-61882) since August 2025. The university’s medical records systems were not affected. The University of Pennsylvania has notified the FBI, is working with third-party cybersecurity experts including CrowdStrike, and is in the process of notifying affected individuals as required by law. All systems have been restored and are fully operational. The investigation is ongoing, and the university continues to assess the full scope of the breach. All information in this summary is directly sourced from the University of Pennsylvania’s official FAQ (https://university-communications.upenn.edu/data-incident), BleepingComputer (https://www.bleepingcomputer.com/news/security/university-of-pennsylvania-confirms-data-theft-after-oracle-ebs-hack/), and TechCrunch (https://techcrunch.com/2025/11/05/university-of-pennsylvania-confirms-hacker-stole-data-during-cyberattack/).
Technical Information
The breach at the University of Pennsylvania was executed through a combination of social engineering and exploitation of a zero-day vulnerability in the Oracle E-Business Suite (EBS), specifically CVE-2025-61882. The attack began with social engineering tactics, likely including phishing or impersonation, to obtain valid credentials from university staff. These credentials were then used to access critical systems, including the university’s Salesforce Customer Relationship Management (CRM) platform, file repositories such as SharePoint and Box, a reporting application (Qlikview), and Marketing Cloud.
Once initial access was achieved, the attackers exploited the Oracle EBS zero-day vulnerability to escalate their privileges and exfiltrate sensitive data. The exploitation of CVE-2025-61882 allowed the attackers to bypass existing security controls and directly access files containing personal information. The breach is part of a coordinated campaign by the Clop ransomware group, which has targeted multiple organizations in the higher education, media, and transportation sectors using the same vulnerability.
The attackers’ activities included sending fraudulent emails from compromised university accounts to the broader community, threatening to leak stolen data and demanding that recipients cease financial contributions to the university. The university’s official communications confirm that the breach was limited to development and alumni systems, with no evidence that medical records or systems associated with Penn Medicine or Penn Wellness were affected.
Technical analysis of the attack aligns with several MITRE ATT&CK techniques. The initial access phase involved T1566 (Phishing) and T1078 (Valid Accounts), as attackers used social engineering to obtain credentials. The exploitation of the Oracle EBS zero-day corresponds to T1190 (Exploit Public-Facing Application). The mapping also includes T1556 (Modify Authentication Process), since some high-ranking officials reportedly held exemptions from multi-factor authentication (MFA), which increased the risk of credential compromise. Data collection and exfiltration activities are mapped to T1005 (Data from Local System), T1114 (Email Collection), and T1041 (Exfiltration Over C2 Channel). The extortion component of the attack, involving threats to leak data, aligns with T1486 (Data Encrypted for Impact), although there is no evidence of ransomware deployment or file encryption at the university.
No specific malware samples or command-and-control infrastructure have been publicly disclosed in relation to this incident. The attribution to the Clop ransomware group is based on campaign patterns, sector targeting, and statements from law enforcement and cybersecurity researchers, rather than direct technical artifacts from the University of Pennsylvania’s environment.
The breach underscores the vulnerability of higher education institutions to both social engineering and supply chain attacks, particularly those involving widely used enterprise software such as Oracle EBS. The incident has prompted a regulatory and law enforcement response, including notification of the FBI and the involvement of third-party cybersecurity experts. The U.S. State Department has offered a $10 million bounty for information linking the Clop group’s activities to a foreign government, reflecting the severity and potential geopolitical implications of the campaign.
Affected Versions & Timeline
The primary vulnerability exploited in this incident is CVE-2025-61882, a zero-day flaw in the Oracle E-Business Suite (EBS) financial application. The specific versions of Oracle EBS affected have not been publicly disclosed, but the vulnerability was present in versions deployed by the University of Pennsylvania and at least 99 other organizations targeted in the same campaign.
The timeline of the incident is as follows:
August 2025: Attackers began exploiting the Oracle EBS zero-day vulnerability as part of a coordinated campaign.
October 31, 2025: The University of Pennsylvania discovered unauthorized access to its development and alumni systems, rapidly locked down the affected systems, and initiated an investigation.
November 5, 2025: The university publicly confirmed that data had been stolen and began the process of notifying affected individuals.
December 2, 2025: The university updated its public FAQ and confirmed ongoing collaboration with law enforcement and cybersecurity experts.
The university has stated that all affected systems have been restored and are fully operational. Patches issued by Oracle to address CVE-2025-61882 have been applied. The exact number of individuals affected remains under investigation, but breach notification letters filed with the Maine Attorney General indicate that at least 1,488 individuals had personal information compromised, with the potential for a much larger impact.
Threat Activity
The threat activity associated with this breach is consistent with the tactics, techniques, and procedures (TTPs) of the Clop ransomware group. The group is known for exploiting zero-day vulnerabilities in widely used enterprise software to gain access to sensitive data, followed by extortion attempts. In this case, the attackers used social engineering to obtain credentials, exploited the Oracle EBS zero-day, and exfiltrated personal and financial data.
The attackers sent fraudulent emails from compromised university accounts, threatening to leak stolen data and attempting to extort the university and its community. The Clop group has not yet listed the University of Pennsylvania on its leak site, suggesting that negotiations may be ongoing or that a ransom may have been paid, although there is no direct evidence to confirm either scenario.
The broader campaign has targeted other high-profile organizations, including Harvard University, The Washington Post, GlobalLogic, Logitech, and Envoy Air (an American Airlines subsidiary). The U.S. State Department’s involvement and the $10 million bounty for information on Clop’s activities highlight the campaign’s significance and the potential for state-sponsored involvement.
The university’s response has included rapid system lockdown, forensic investigation with the assistance of CrowdStrike, notification of law enforcement, and ongoing communication with affected individuals. There is no evidence that the stolen data has been publicly disclosed or misused for fraudulent purposes as of the latest updates.
Mitigation & Workarounds
The following mitigation and workaround measures are recommended, prioritized by severity:
Critical: Immediate application of all security patches issued by Oracle for EBS, specifically those addressing CVE-2025-61882. Organizations using Oracle EBS should verify that their systems are fully updated and that no unauthorized access has occurred.
High: Review and strengthen authentication processes, including mandatory multi-factor authentication (MFA) for all users, without exceptions for high-ranking officials or privileged accounts. Conduct a comprehensive audit of all privileged accounts and remove any unnecessary MFA exemptions.
High: Conduct organization-wide phishing awareness training to reduce the risk of social engineering attacks. Simulate phishing campaigns to test user resilience and reinforce best practices for credential security.
High: Implement robust monitoring and logging of all access to sensitive systems, including CRM, file repositories, and financial applications. Ensure that security information and event management (SIEM) solutions are configured to detect anomalous access patterns and potential data exfiltration.
Medium: Engage third-party cybersecurity experts to conduct a thorough forensic investigation following any suspected breach. Collaborate with law enforcement and regulatory authorities as required.
Medium: Review and update incident response plans to ensure rapid containment, investigation, and notification procedures are in place for future incidents.
Low: Communicate transparently with affected individuals and stakeholders, providing timely updates and guidance on steps they can take to protect themselves from potential misuse of their information.
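As an added illustration of the High-priority recommendations above (MFA exemption review and monitoring of access to CRM and file repositories), the following Python is example detection logic written for this report, not code from Rescana, the university, or any named vendor. It runs over a constructed JSON-lines audit log; the field names, application labels, and thresholds are assumptions chosen for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (JSON lines) for this example; not real data.
SAMPLE_LOG = """
{"ts":"2025-10-30T08:02:11Z","user":"vp.advancement","app":"salesforce","event":"login","mfa":false}
{"ts":"2025-10-30T08:05:40Z","user":"vp.advancement","app":"box","event":"download","bytes":52428800}
{"ts":"2025-10-30T08:07:02Z","user":"vp.advancement","app":"box","event":"download","bytes":104857600}
{"ts":"2025-10-30T09:00:00Z","user":"j.analyst","app":"sharepoint","event":"login","mfa":true}
{"ts":"2025-10-30T09:01:30Z","user":"j.analyst","app":"sharepoint","event":"download","bytes":1048576}
"""
# Systems the report names as reached with stolen credentials (assumed labels).
SENSITIVE_APPS = {"salesforce", "sharepoint", "box", "qlikview", "marketingcloud"}

def parse_log(text):
    """Parse JSON-lines audit events; timestamps become datetime objects."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def logins_without_mfa(events):
    """Map user -> apps for logins to sensitive apps that completed without MFA."""
    hits = defaultdict(list)
    for ev in events:
        if ev["event"] == "login" and ev["app"] in SENSITIVE_APPS and not ev.get("mfa"):
            hits[ev["user"]].append(ev["app"])
    return dict(hits)

def bulk_download_alerts(events, window=timedelta(minutes=30), limit=100 * 2**20):
    """Return (user, app, bytes) where downloads in a sliding window exceed limit."""
    per_key = defaultdict(list)
    for ev in events:
        if ev["event"] == "download":
            per_key[(ev["user"], ev["app"])].append((ev["ts"], ev["bytes"]))
    alerts = []
    for (user, app), rows in per_key.items():
        rows.sort()
        start, total = 0, 0
        for ts, size in rows:
            total += size
            while ts - rows[start][0] > window:  # drop events that left the window
                total -= rows[start][1]
                start += 1
            if total > limit:
                alerts.append((user, app, total))
                break
    return alerts
```

In a SIEM, the two functions correspond to a standing report of non-MFA logins (which should be empty once exemptions are removed) and a per-user volume rule on repository download events.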
References
University of Pennsylvania official FAQ: https://university-communications.upenn.edu/data-incident
BleepingComputer report: https://www.bleepingcomputer.com/news/security/university-of-pennsylvania-confirms-data-theft-after-oracle-ebs-hack/
TechCrunch report: https://techcrunch.com/2025/11/05/university-of-pennsylvania-confirms-hacker-stole-data-during-cyberattack/
About Rescana
Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and monitor cybersecurity risks in their vendor and partner ecosystems. Our platform enables continuous risk assessment, automated evidence collection, and actionable reporting to support incident response and compliance efforts. For questions about this report or to discuss how Rescana can support your organization’s risk management needs, please contact us at ops@rescana.com.