TL;DR
Harvard University confirmed that a recent data theft affecting a small administrative unit was linked to exploitation of a critical zero-day in Oracle's E-Business Suite (CVE-2025-61882, with a follow-on flaw, CVE-2025-61884, disclosed days later). Attackers associated with the Cl0p extortion gang exfiltrated about 1.3 TB of data (by the gang's own claim) and attempted extortion; exploitation in the wild was observed as early as August 2025, weeks before a fix existed. Oracle released emergency patches in early October 2025. Organizations that run Oracle EBS should apply them immediately, keep EBS off the public internet and segmented from the rest of the network, forward application, middleware and OS logs to a SIEM with alerting on unusual outbound transfers, and rehearse incident response for enterprise-application breaches.
Full article
In mid-October 2025, Harvard's name appeared on the Cl0p ransomware group's leak site, accompanied by claims that more than a terabyte of data had been stolen. Harvard later acknowledged that a "limited number of parties" connected to a small administrative unit were affected. Security journalists and threat intelligence firms traced the intrusion to a previously unknown vulnerability in Oracle's E-Business Suite (EBS), a widely deployed enterprise resource planning platform. The flaw, assigned CVE-2025-61882, lets an unauthenticated remote attacker execute arbitrary code through the BI Publisher Integration component of Oracle Concurrent Processing. Attackers used it as the initial access vector, then harvested credentials, moved laterally and staged data for exfiltration.
Indicators from Google's Threat Intelligence Group and Mandiant suggest that intrusions leveraging CVE-2025-61882 began in late summer, with extortion emails referencing stolen Oracle EBS data appearing by the end of September. Within days of Harvard's disclosure, researchers uncovered a second EBS zero-day (CVE-2025-61884) that adversaries were reportedly chaining with the first. Oracle responded by issuing emergency patches and urging customers running EBS 12.2.3 through 12.2.14 to update immediately, noting that CVE-2025-61882 carries a CVSS score of 9.8 and is exploitable over the network without any credentials.
The attack chain appears to follow a familiar script: once the attackers gained code execution on the EBS application tier, they enumerated the environment and pivoted to locate sensitive databases and file stores. They then compressed and exfiltrated the data, roughly 1.3 terabytes by Cl0p's own claim, before contacting Harvard to demand payment. Reports indicate the attackers dwelled for several weeks inside some victims' networks before detection, underscoring how thin monitoring usually is around ERP systems. Although Harvard reported that the affected unit's systems were isolated, the incident demonstrates that high-value academic and corporate targets can be compromised through widely deployed third-party enterprise platforms like EBS.
This breach carries broader lessons. First, critical ERP platforms should not be exposed directly to the internet; inbound traffic should be restricted to known application proxies or VPN ranges, and EBS tiers should be segmented from the rest of the network so that a compromised application server cannot reach arbitrary hosts. Second, organizations need robust logging across the application, middleware and operating system layers, with forwarding to a central SIEM for anomaly detection. Connections from an ERP host to destinations it has never contacted, and outbound transfers that exceed the host's normal volume, should trigger alerts. Third, administrators should enforce least privilege within ERP systems and routinely audit roles and service accounts to reduce the blast radius. Fourth, data loss prevention and egress monitoring controls are essential because a terabyte-scale exfiltration may otherwise go unnoticed. Finally, patching closes the door but does not evict an intruder who is already inside: any EBS instance that was reachable from the internet before the fix was applied should be treated as potentially compromised and checked for persistence and unexpected outbound connections.
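To make the monitoring lesson concrete, the following is an added example (not code from the article, from Harvard or from Oracle) of the two alerts described above, run over a constructed flow log. It assumes a simple flow-log format, `ISO-timestamp,src_ip,dst_ip,dst_port,bytes_out`, a hard-coded baseline of destinations each ERP host normally talks to (in practice this would be learned from a quiet period), and a 1 GiB-per-hour bulk-egress threshold; the IP addresses, host roles and traffic volumes are all made up for illustration.

```python
"""Egress-volume and new-destination alerting for ERP hosts.

Added example; the flow-log format, the sample traffic, the baseline and the
thresholds below are assumptions made for illustration, not real data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample: an EBS application-tier host (10.10.5.20) talks to its
# database tier as usual, then pushes a large volume to an external address it
# has never contacted before.
SAMPLE_FLOWS = """\
2025-09-28T01:00:00Z,10.10.5.20,10.10.6.30,1521,120000
2025-09-28T01:05:00Z,10.10.5.20,10.10.6.30,1521,98000
2025-09-28T02:10:00Z,10.10.5.20,203.0.113.77,443,524288000
2025-09-28T02:25:00Z,10.10.5.20,203.0.113.77,443,734003200
2025-09-28T02:40:00Z,10.10.5.20,203.0.113.77,443,943718400
2025-09-28T03:55:00Z,10.10.5.20,10.10.6.30,1521,150000
"""

# Destinations each monitored ERP host is expected to contact (assumed baseline).
KNOWN_DESTINATIONS = {"10.10.5.20": {"10.10.6.30"}}

# Address ranges treated as internal; anything else is external (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

BULK_THRESHOLD_BYTES = 1 * 1024 ** 3   # 1 GiB per window, far above this host's baseline
WINDOW = timedelta(hours=1)


def parse_flow(line):
    """Parse one 'timestamp,src,dst,port,bytes_out' record into a tuple."""
    ts, src, dst, port, nbytes = line.strip().split(",")
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port), int(nbytes))


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_bulk_egress(lines, threshold=BULK_THRESHOLD_BYTES, window=WINDOW):
    """Sliding-window sum of bytes_out per (src, dst) pair; alert once per pair
    when the total inside the window first crosses the threshold."""
    flows = sorted((parse_flow(ln) for ln in lines if ln.strip()), key=lambda f: f[0])
    windows = defaultdict(deque)   # (src, dst) -> deque of (timestamp, bytes)
    totals = defaultdict(int)
    alerted = set()
    alerts = []
    for ts, src, dst, port, nbytes in flows:
        key = (src, dst)
        q = windows[key]
        q.append((ts, nbytes))
        totals[key] += nbytes
        while q and ts - q[0][0] > window:      # drop records older than the window
            totals[key] -= q.popleft()[1]
        if totals[key] >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"rule": "bulk_egress", "src": src, "dst": dst,
                           "bytes_in_window": totals[key], "at": ts.isoformat()})
    return alerts


def detect_new_destinations(lines, known=KNOWN_DESTINATIONS):
    """Alert the first time a monitored host contacts a destination outside its
    baseline. External destinations are rated high (possible exfiltration);
    internal ones medium (possible lateral movement)."""
    seen = set()
    alerts = []
    for ts, src, dst, port, nbytes in (parse_flow(ln) for ln in lines if ln.strip()):
        if src not in known or dst in known[src] or (src, dst) in seen:
            continue
        seen.add((src, dst))
        alerts.append({"rule": "new_destination", "src": src, "dst": dst, "port": port,
                       "severity": "high" if is_external(dst) else "medium",
                       "at": ts.isoformat()})
    return alerts


def run(lines):
    """Run both rules and return the combined alert list."""
    return detect_new_destinations(lines) + detect_bulk_egress(lines)


if __name__ == "__main__":
    for alert in run(SAMPLE_FLOWS.splitlines()):
        print(alert)
```

On the sample, the new-destination rule fires at 02:10 when the EBS host first contacts 203.0.113.77 (high severity, because the address is outside the internal ranges), and the bulk-egress rule fires at 02:25 once 1.2 GB has left for that destination inside an hour; the routine database traffic never trips either rule. A real deployment would feed the same logic from firewall or NetFlow exports and tune the threshold per host role, since a reporting server legitimately moves far more data than a login tier.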
More broadly, the Harvard incident underscores the growing attention that ransomware and extortion groups are paying to enterprise application stacks. Many organizations assume their ERP vendor will handle security, but a vendor patch only helps once it is applied, and controls must be layered around the application rather than delegated to it. As threat actors diversify beyond the file-transfer systems they targeted in earlier campaigns into complex platforms like Oracle EBS, defenders should expand red-team exercises to cover these surfaces and prepare crisis playbooks that include legal, communications and forensics considerations. By combining rapid patching, segmentation, monitoring and planning, organizations can reduce their exposure to the next zero-day targeting mission-critical applications.