Harvard says ‘limited number of parties’ impacted by breach linked to Oracle zero-day
Harvard University confirmed that it was impacted by a recent campaign that exploited a vulnerability involving Oracle’s E-Business Suite (EBS) system.
In a statement to Recorded Future News, the university said it is investigating recent claims from hackers that data was stolen from the system. Officials confirmed that the incident “impacts a limited number of parties associated with a small administrative unit.”
“Harvard is aware of reports that data associated with the University has been obtained as a result of a zero-day vulnerability in the Oracle E-Business Suite system. This issue has impacted many Oracle E-Business Suite customers and is not specific to Harvard,” a university spokesperson said.
“Upon receiving it from Oracle, we applied a patch to remediate the vulnerability. We are continuing to monitor and have no evidence of compromise to other University systems.”
On Saturday, Harvard University was listed on the leak site of a Russian ransomware gang known as Clop, which has claimed for weeks that it stole troves of data through vulnerabilities in the Oracle E-Business Suite — a popular business platform containing several applications that manage finance, human resources and supply chain functions.
The FBI and cybersecurity officials in the U.K. confirmed reports from Google-owned security firm Mandiant that the campaign was tied to exploitation of the vulnerability tracked as CVE-2025-61882.
FBI Assistant Director Brett Leatherman said CVE-2025-61882 is a “‘stop-what-you’re-doing and patch immediately’ vulnerability.” This weekend, Oracle released a new advisory warning customers of another vulnerability, CVE-2025-61884, impacting the Oracle E-Business Suite.
The campaign against the E-Business Suite began two weeks ago when threat actors claiming to be tied to Clop attempted to extort corporate executives by threatening to leak sensitive information they claim was stolen through the platform. Oracle confirmed the campaign but initially said the hackers were exploiting bugs that had been addressed in a July update, without specifying which vulnerabilities were being used.
Austin Larsen, principal threat analyst at Google Threat Intelligence Group, said they are aware of dozens of victims, but “expect there are many more.”
“Based on the scale of previous CL0P campaigns, it is likely there are over a hundred,” he said.
Mandiant said last week that the hackers likely chained together multiple distinct vulnerabilities, including CVE-2025-61882, to gain access to the platform and “steal mass amounts of customer data.”
The FBI’s Leatherman said that Oracle E-Business Suite customers should isolate potentially affected servers and monitor threat intelligence channels because “exploit activity could escalate quickly.”
“Oracle EBS remains a backbone ERP system for major enterprises and public-sector environments, which means attackers have every incentive to weaponize this one fast,” he explained. “If you suspect compromise - please connect with us.”
Cynthia Kaiser, former Deputy Director of the FBI’s Cyber Division who now works for incident response firm Halcyon, said the first observed email contact from Clop began in late September.
“We have seen seven and eight figure demands thus far,” Kaiser said of Clop’s ransom demands, adding that the hackers shared screenshots and filetree listings to prove they had accessed data.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.