Redazione RHC: 15 October 2025 10:53
Harvard University has confirmed that it was hit by a recent campaign that exploited a vulnerability in Oracle’s E-Business Suite (EBS).
In a statement to Recorded Future News, the university said it was investigating recent hacker reports that data was stolen from the system. Officials confirmed that the incident “impacted a limited number of individuals associated with a small administrative unit.”
“Harvard is aware of reports that data associated with the University was obtained due to a zero-day vulnerability in the Oracle E-Business Suite system. This issue has impacted many Oracle E-Business Suite customers and is not unique to Harvard,” a university spokesperson said.
“After receiving Oracle’s report, we applied a patch to address the vulnerability. We continue to monitor and have no evidence of any other university systems being compromised.”
On Saturday, Harvard University was listed on the leak site of a Russian ransomware gang known as Clop, which for weeks has claimed to have stolen massive amounts of data by exploiting vulnerabilities in Oracle E-Business Suite, a popular business platform containing several applications for managing finance, human resources, and supply chain functions.
The FBI and cybersecurity officials in the United Kingdom confirmed reports from Google-owned security firm Mandiant that the campaign was linked to the exploitation of the vulnerability identified as CVE-2025-61882.
FBI Deputy Director Brett Leatherman stated that CVE-2025-61882 is a vulnerability that requires “immediately discontinuing operations and correcting the vulnerability.” This weekend, Oracle published a new advisory warning customers of another vulnerability, CVE-2025-61884, that could impact Oracle E-Business Suite.
The campaign against E-Business Suite began two weeks ago, when hackers claiming to be linked to Clop attempted to extort money from company executives by threatening to disclose sensitive information they claimed had been stolen through the platform. Oracle confirmed the campaign, but initially claimed the hackers were exploiting bugs fixed in a July update, without specifying which vulnerabilities had been exploited.
Austin Larsen, principal threat analyst at Google Threat Intelligence Group, said he is aware of dozens of victims, but “it is expected that there will be many more. Based on the scale of previous CL0P campaigns, it is likely that there are more than a hundred,” he said.
Last week, Mandiant said that hackers likely chained together several separate vulnerabilities, including CVE-2025-61882, to gain access to the platform and “steal massive amounts of customer data.”
The FBI’s Leatherman said Oracle E-Business Suite customers should isolate potentially affected servers and monitor threat intelligence channels because “exploit activity could rapidly escalate.”
“Oracle EBS remains a critical ERP system for large enterprises and public sector environments, which means attackers have every incentive to exploit it quickly,” he explained. “If you suspect a compromise, please contact us.”
Cynthia Kaiser, a former deputy director of the FBI’s cyber division who now works for the incident response firm Halcyon, said the first observed email contact from Clop began in late September.
“So far, we’ve received ransom demands in the seven- to eight-figure range,” Kaiser said of Clop’s ransom demands, adding that the hackers have shared screenshots and file tree listings to prove they’ve accessed the data.