Harvard University has confirmed it was among several organizations targeted in a sophisticated cyberattack exploiting a zero-day vulnerability in Oracle’s E-Business Suite (EBS). The breach, linked to the Clop ransomware group, underscores the growing risk of supply-chain and enterprise software vulnerabilities being weaponized before patches are released.
Clop Exploits Oracle Flaw in Global Campaign
Harvard University on Thursday confirmed that it had fallen victim to a cyberattack that exploited a recently disclosed zero-day flaw in Oracle’s E-Business Suite (EBS) system. The vulnerability, tracked as CVE-2025-61882, allows remote attackers to access EBS instances without authentication.
The attack is part of a broader campaign orchestrated by the Clop ransomware group, which has previously targeted enterprise platforms and software supply chains. According to researchers at Google’s Threat Intelligence Group and Mandiant, Clop added Harvard’s name to its Dark Web leak site, claiming to have stolen data from a small administrative unit within the university.
Oracle and cybersecurity analysts have confirmed that the same vulnerability was exploited in a string of intrusions dating back to July 2025, weeks before a patch became publicly available in August.
“The threat actors exploited what may be CVE-2025-61882 as a zero-day vulnerability against Oracle EBS customers as early as August 9, with activity dating back to July 10,” researchers wrote in their analysis.
Oracle initially linked the incidents to older flaws patched earlier this year but later confirmed that the intrusions were connected to CVE-2025-61882, the newer zero-day exploit.
New Vulnerability Discovered, Warnings Escalate
In a fresh advisory issued on October 11, Oracle disclosed another EBS vulnerability, CVE-2025-61884, which affects versions 12.2.3 through 12.2.14 and is remotely exploitable without authentication. The company has “strongly urged” all customers to apply emergency updates immediately.
Cybersecurity experts have warned that the vulnerability could attract widespread exploitation, given Clop’s history of targeting enterprise systems.
“Given historical targeting and the recent Clop ransomware activity, threat actors are likely to express interest and attempt exploitation in the near future,” said Andres Ramos, Senior Threat Intelligence Researcher at Arctic Wolf, in a blog post.
In 2023, the same group carried out a MOVEit Transfer zero-day campaign, compromising more than 2,000 organizations globally, including financial institutions, government agencies, and universities.
Authorities in the U.S. and U.K., including the FBI, have issued warnings regarding exploitation of CVE-2025-61882. FBI Assistant Director Brett Leatherman described the bug as a “stop what you’re doing and patch immediately” vulnerability in a LinkedIn post.
Harvard’s Response and Ongoing Investigation
The Ivy League university said it applied Oracle’s patch shortly after the update was released and has found no evidence of further compromise to its broader network.
“Harvard is aware of reports that data associated with the university was obtained as a result of a zero-day vulnerability in Oracle’s E-Business Suite,” a spokesperson said. “This issue has impacted multiple Oracle EBS customers and is not specific to Harvard. While the investigation is ongoing, we believe the incident affects a limited number of parties within a small administrative unit.”
The university continues to monitor the situation closely and has not reported any operational disruptions.
Cybersecurity experts note that the incident highlights the continuing challenge of zero-day exploitation in enterprise environments, where widely used software platforms can become high-value targets. The campaign’s sophistication, they say, mirrors an evolution in ransomware tactics — from simple data encryption to stealthy extortion schemes leveraging global software supply chains.
Conclusion:
As investigations unfold, the Oracle zero-day attack and Harvard’s involvement serve as another reminder of how deeply ransomware groups have infiltrated critical enterprise systems. With overlapping vulnerabilities now emerging in quick succession, experts warn that organizations running large-scale enterprise software must treat emergency patching as a matter of urgency, not maintenance.