Harvard University Breach Tied to Oracle E-Business Suite Zero-Day: What We Know and How to Respond

Introduction: What happened and why it matters

Harvard University has confirmed it was affected by a broader cyber campaign exploiting a zero-day in Oracle’s E-Business Suite (EBS). The CL0P extortion group claims to have exfiltrated ~1.3 TB of Harvard data and has posted samples on its leak site. While Harvard says the exposure involves a limited set of parties within a small administrative unit, the campaign itself is significant: it targets a widely deployed enterprise platform and involved exploitation before patches were available.

In brief

  • Victim: Harvard University (first publicly confirmed victim in the EBS campaign).
  • Threat actor: CL0P (data-theft and extortion; not necessarily ransomware encryption).
  • Vector: Oracle EBS zero-day later assigned CVE-2025-61882; a second unauthenticated flaw CVE-2025-61884 was also disclosed shortly after.
  • Timeline: Exploitation observed as early as August 9, 2025; emergency patches released in October 2025; Harvard confirmation and leak claims surfaced October 14–15, 2025.
  • Data exposure: CL0P claims ~1.3 TB; scope at Harvard described as limited by the university.

Campaign context and history

Google’s Threat Intelligence team reports a months-long intrusion campaign against Oracle EBS customers, with suspicious activity dating back to July 10, 2025 and confirmed zero-day exploitation starting August 9—well before Oracle issued security alerts. This aligns with CL0P’s pattern of abusing third-party or enterprise platforms at scale, followed by coordinated extortion. Oracle has since issued multiple security alerts and patches as the situation evolved.

Media and industry outlets subsequently identified Harvard as the first confirmed victim, with over 1 TB of data allegedly posted by the attackers. Harvard stated that the incident impacted a limited number of parties connected to a small administrative unit, suggesting that segmentation or containment limited the blast radius.

Technical analysis: CVE-2025-61882 and CVE-2025-61884

  • CVE-2025-61882 (Oracle E-Business Suite):
    Oracle classifies this as remotely exploitable without authentication and warns that successful exploitation can lead to remote code execution. Public reporting ties attacker activity and the Harvard breach to exploitation of this vulnerability before patches were available: a zero-day at the time of the intrusions, which became an n-day that other actors could pick up once it was disclosed.
  • CVE-2025-61884 (Oracle E-Business Suite):
    Disclosed shortly after CVE-2025-61882, CVE-2025-61884 also allows unauthenticated access to sensitive data in EBS 12.2.3 through 12.2.14, which makes comprehensive patching across the supported 12.2.x branches more urgent. While attribution of Harvard’s compromise centers on CVE-2025-61882, organizations should treat both flaws as high-risk within the same operational window.
  • Tradecraft and TTPs (inferred from reporting):
    Attackers likely leveraged unauthenticated HTTP access paths into EBS components, followed by credential and data access expansion and bulk exfiltration. Google notes substantial pre-attack recon and multi-week dwell time preceding extortion emails—consistent with CL0P’s prior large-scale data-theft operations.

Practical consequences and risks

  • Data exposure at scale: Bulk exfiltration (terabyte-scale) suggests access to document repositories, exports, reports, or integrated data marts connected to EBS. For universities, this may include vendor, finance/procurement, HR or grant-related records depending on module usage and integration posture. (Harvard has not detailed specific datasets; the university emphasizes limited scope.)
  • Extortion without encryption: As in prior CL0P campaigns, the focus is data theft and pressure via public shaming/leak sites rather than ransomware encryption, lowering detection likelihood and complicating response timelines.
  • Supply-chain spillover: Institutions sharing Oracle EBS integrations or managed service providers could face secondary exposure if credentials, tokens, or data pipes were accessed.

What to do now: Actionable recommendations

  1. Patch immediately:
    • Apply the latest Oracle EBS Security Alerts for CVE-2025-61882 and CVE-2025-61884 across all 12.2.x instances, including non-production and DR environments. Verify that the patches applied successfully and complete any restarts they require.
  2. Harden EBS perimeter:
    • Eliminate direct internet exposure of EBS where possible; place behind VPN/ZTNA, enforce IP allow-listing, and require SSO with MFA for all administrative and integration users.
    • Restrict and monitor BI Publisher/Concurrent Processing endpoints and any custom servlets.
  3. Threat-hunt for historical compromise:
    • Because exploitation predates patches, search logs back to July 2025 for anomalous requests to EBS URLs, unusual concurrent program invocations, web-tier shells, large outbound transfers, or atypical report generation jobs.
    • Correlate with proxy, WAF, and egress telemetry for multi-GB exfiltration spikes.
  4. Credential and token hygiene:
    • Rotate application accounts, integration credentials, SSH keys, SSO secrets, and invalidate long-lived session cookies.
    • Audit EBS responsibilities/roles for privilege creep and disable dormant accounts.
  5. Data-loss controls:
    • Implement DLP on egress, enforce TLS inspection where policy permits, and rate-limit and alert on mass downloads from EBS report endpoints and attachments.
  6. Incident response & legal:
    • Preserve forensics, consult counsel on notification obligations, and prepare comms for stakeholders potentially present in EBS-connected datasets.
  7. Third-party review:
    • If EBS is hosted or managed by a partner, obtain attestation of patching, hardening, and log retention, and request indicators of compromise (IOCs) specific to your tenant.
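
The retroactive hunt in step 3 and the mass-download control in step 5 can be scripted. The following is an added example, not code from the article or from any vendor it cites: it parses constructed EBS web-tier access-log lines and flow-export records and applies three behavioural rules over the lookback window that begins July 10, 2025 (scripted request bursts from a non-browser client, bulk pulls from report or attachment endpoints, and outbound transfers above a size threshold). The path prefixes, endpoint names, thresholds, IP addresses and every sample line are assumptions constructed for illustration; they are not indicators from the incident.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The campaign timeline starts July 10, 2025, so the hunt reaches back at least that far.
HUNT_START = datetime(2025, 7, 10, tzinfo=timezone.utc)
# Thresholds below are assumptions for illustration; tune them to your own baselines.
BURST_REQUESTS, BURST_WINDOW = 20, timedelta(seconds=60)   # scripted-client burst
BULK_DOWNLOAD_BYTES = 500 * 1024**2   # per client per day from report endpoints
EGRESS_SPIKE_BYTES = 1024**3          # one outbound flow from the EBS host
INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")
# Hypothetical EBS web-tier paths used only to scope the hunt; not indicators of anything.
EBS_PREFIXES = ("/OA_HTML/", "/OA_CGI/")
REPORT_PREFIXES = ("/OA_HTML/hypothetical_report_servlet", "/OA_HTML/hypothetical_attachment")
BROWSER_UA_HINTS = ("Mozilla/", "Chrome/", "Safari/")

# Combined-format access log line: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$')

def parse_access_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "ua": m["ua"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "bytes": 0 if m["bytes"] == "-" else int(m["bytes"])}

def hunt_access_log(lines):
    """Apply the burst and bulk-download rules to in-window requests to EBS paths."""
    events = [e for e in map(parse_access_line, lines)
              if e and e["ts"] >= HUNT_START and e["path"].startswith(EBS_PREFIXES)]
    findings = []
    # Rule 1: many requests from one client with a non-browser user agent inside a
    # short window, i.e. scripted interaction with the web tier (sliding window).
    stamps_by_ip = defaultdict(list)
    for e in events:
        if not e["ua"].startswith(BROWSER_UA_HINTS):
            stamps_by_ip[e["ip"]].append(e["ts"])
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        lo = 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > BURST_WINDOW:
                lo += 1
            if hi - lo + 1 >= BURST_REQUESTS:
                findings.append({"rule": "automated_burst", "ip": ip, "count": hi - lo + 1, "first": stamps[lo]})
                break
    # Rule 2: bytes served from report/attachment endpoints, summed per client per day.
    daily = defaultdict(int)
    for e in events:
        if e["status"] == 200 and e["path"].startswith(REPORT_PREFIXES):
            daily[(e["ip"], e["ts"].date())] += e["bytes"]
    for (ip, day), total in daily.items():
        if total >= BULK_DOWNLOAD_BYTES:
            findings.append({"rule": "bulk_download", "ip": ip, "day": day, "bytes": total})
    return findings

def hunt_egress(flow_csv, ebs_host):
    """Rule 3: large outbound flows from the EBS host to external addresses.
    Flow records are assumed to be 'ts,src,dst,bytes_out' CSV with a header row."""
    findings = []
    for line in flow_csv.splitlines()[1:]:
        ts_s, src, dst, bytes_out = line.split(",")
        ts = datetime.fromisoformat(ts_s)
        if ts >= HUNT_START and src == ebs_host and not dst.startswith(INTERNAL_PREFIXES) \
                and int(bytes_out) >= EGRESS_SPIKE_BYTES:
            findings.append({"rule": "egress_spike", "dst": dst, "bytes": int(bytes_out), "ts": ts})
    return findings

def build_sample_access_log():
    """Constructed sample (documentation IP ranges): a 25-request scripted burst, a benign
    browser hit, a 3 x 200 MiB report pull, and one request that predates the window."""
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    t0 = datetime(2025, 8, 12, 2, 14, 0, tzinfo=timezone.utc)
    burst = [f'203.0.113.7 - - [{(t0 + timedelta(seconds=i)).strftime(fmt)}] "POST /OA_HTML/hypothetical_servlet '
             f'HTTP/1.1" 200 512 "-" "python-requests/2.31"' for i in range(25)]
    pulls = [f'198.51.100.9 - - [{datetime(2025, 8, 14, 23, i, 0, tzinfo=timezone.utc).strftime(fmt)}] '
             f'"GET /OA_HTML/hypothetical_report_servlet?id={i} HTTP/1.1" 200 {200 * 1024**2} "-" "curl/8.4"'
             for i in range(3)]
    return burst + pulls + [
        '10.0.5.21 - - [13/Aug/2025:09:01:10 +0000] "GET /OA_HTML/hypothetical_page HTTP/1.1" 200 8840 "-" "Mozilla/5.0 Chrome/128"',
        '203.0.113.7 - - [01/Jun/2025:04:00:00 +0000] "POST /OA_HTML/hypothetical_servlet HTTP/1.1" 200 512 "-" "python-requests/2.31"']

# Constructed flow export: one external multi-GB transfer (flagged), one internal copy,
# one pre-window transfer and one small external flow (all three ignored).
SAMPLE_FLOWS = """ts,src,dst,bytes_out
2025-08-20T03:12:00+00:00,10.0.5.40,203.0.113.50,2684354560
2025-08-20T10:00:00+00:00,10.0.5.40,10.0.9.2,5368709120
2025-06-01T10:00:00+00:00,10.0.5.40,203.0.113.50,3221225472
2025-08-21T11:00:00+00:00,10.0.5.40,198.51.100.77,1048576
"""

if __name__ == "__main__":
    for finding in hunt_access_log(build_sample_access_log()) + hunt_egress(SAMPLE_FLOWS, "10.0.5.40"):
        print(finding)
```

Run against real data, the three rules should be fed from the web-tier access logs, proxy or WAF logs and flow exports covering the whole window back to July 2025; the point of the per-client, per-day and per-flow aggregations is that individually unremarkable requests become visible only once summed, which is how terabyte-scale exfiltration over multi-week dwell time tends to look in retrospect. Anything flagged is a lead for the incident-response and legal steps that follow, not a verdict.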

How this differs from earlier CL0P waves

Unlike CL0P’s 2023–2024 mass-exploitation of managed file-transfer products, this campaign targets core ERP functionality (EBS), which often sits deep in finance/HR workflows with rich data and numerous integrations. The zero-day lead time and the presence of two unauthenticated flaws in short succession raise the stakes for enterprises reliant on Oracle EBS and increase the likelihood of multi-tenant, multi-victim impact.

Summary / key takeaways

  • Harvard confirms involvement in the Oracle EBS zero-day campaign; CL0P claims ~1.3 TB stolen. Scope at Harvard is described as limited but still under investigation.
  • Exploitation likely began weeks before patches, necessitating retroactive threat hunting.
  • Patch CVE-2025-61882 and CVE-2025-61884 now, lock down exposure, and monitor for and report exfiltration.

Sources / bibliography

  1. Oracle — Security Alert for CVE-2025-61882 (Oracle E-Business Suite).
  2. Oracle — Security Alert for CVE-2025-61884 (Oracle E-Business Suite).
  3. Google Cloud Threat Intelligence — Oracle E-Business Suite Zero-Day Exploitation (campaign timeline and analysis).
  4. SecurityWeek — Harvard Is First Confirmed Victim of Oracle EBS Zero-Day Hack (1 TB+ data claim).
  5. The Record from Recorded Future — Harvard says ‘limited number of parties’ impacted… (scope statement).