
Harvard University has confirmed it was breached in a ransomware attack exploiting a critical zero-day vulnerability in Oracle's E-Business Suite (EBS), tracked as CVE-2025-61882. The Clop ransomware group has claimed responsibility, adding Harvard to its leak site as part of a broader campaign targeting Oracle customers.
The vulnerability allows unauthenticated remote access to EBS instances. According to Harvard, only a small administrative unit was affected, and no further compromise of other systems has been detected. The university applied Oracle’s emergency patch once it became available and continues to monitor for suspicious activity.
“This issue has impacted many Oracle EBS customers and is not specific to Harvard,” the university told Dark Reading. U.S. and U.K. authorities have issued urgent warnings about the flaw, with FBI Assistant Director Brett Leatherman calling it a "stop what you’re doing and patch immediately" situation.
Google’s Threat Intelligence Group and Mandiant report that Clop’s campaign began in late July 2025, with confirmed exploit activity starting August 9—weeks before Oracle released a patch. Initial investigations had linked the breach to older vulnerabilities, but Oracle has since confirmed CVE-2025-61882 as the root cause.
On October 11, Oracle also disclosed a second critical flaw—CVE-2025-61884—impacting EBS versions 12.2.3 to 12.2.14. Like the previous bug, it is remotely exploitable without authentication. While it’s unclear if it has been exploited yet, cybersecurity firms warn that active attacks may be imminent.
Clop has a history of zero-day exploits, including its 2023 campaign against Progress Software’s MOVEit Transfer, which impacted around 2,000 organizations. Experts are urging organizations using Oracle EBS to apply patches immediately to prevent further breaches.