Harvard University and Envoy have confirmed they were breached via a zero-day vulnerability in Oracle’s E-Business Suite (EBS) products.
CVE-2025-61882 is a critical vulnerability (CVSS v3 9.8) in the BI Publisher Integration component of EBS applications. When exploited, it allows an unauthenticated attacker with HTTP access to compromise Oracle Concurrent Processing.
Exploitation of the zero-day vulnerability has been attributed to the Clop ransomware gang, which is known for targeting managed file transfer appliances.
According to Google Threat Intelligence Group (GTIG), the Clop ransomware gang began exploiting the zero-day vulnerability around August 9, 2025, or even as early as July 10, 2025. GTIG believes over 100 organizations have been compromised.
Harvard leaked data via Oracle’s E-Business Suite zero-day vulnerability
The Ivy League university confirmed that a threat actor compromised an administrative unit and exfiltrated data by exploiting the EBS zero-day vulnerability.
“Harvard is aware of reports that data associated with the University has been obtained as a result of a zero-day vulnerability in the Oracle E-Business Suite system,” the University stated. “While the investigation is ongoing, we believe that this incident impacts a limited number of parties associated with a small administrative unit.”
The breach surfaced after the Clop ransomware gang listed Harvard on its data leak site and claimed to have stolen 1.3 terabytes of data. However, the Ivy League institution has yet to attribute the exploitation of the zero-day vulnerability to a specific threat actor. Nevertheless, the cyber threat group has sent extortion emails threatening to publish data stolen from Oracle’s E-Business Suite systems.
“We have breached your Oracle E-Business Suite application and copied a lot of documents. All the private files and other information are now held on our systems,” Clop stated.
Meanwhile, Harvard says it patched the zero-day vulnerability after Oracle released a fix and has detected no further threat actor activity on the impacted system or others.
“Upon receiving it from Oracle, we applied a patch to remediate the vulnerability. We are continuing to monitor and have no evidence of compromise to other University systems,” Harvard said.
Oracle had patched the application in July 2025, but was forced to release additional patches after discovering further security vulnerabilities.
The tech giant also silently patched another high-severity (CVSS v3 7.5) zero-day vulnerability in Oracle E-Business Suite applications, CVE-2025-61884, without disclosing whether it had been exploited.
“The Harvard breach tied to the Oracle EBS exploitation highlights a recurring truth: complexity is the adversary of security,” opined Anders Askasen, VP of Product Marketing, Radiant Logic. “When identity and data silos persist, visibility evaporates, and the ability to trace who has access to what becomes guesswork. Systems like Oracle EBS sit at the heart of enterprise operations – rich in sensitive HR and financial data, yet notoriously hard to govern across hybrid infrastructures.”
Envoy Air confirms data leak via Oracle’s E-Business Suite software
Envoy Air, a subsidiary of American Airlines, has confirmed it was a victim of the exploitation of the EBS zero-day vulnerability CVE-2025-61882.
Envoy learned of the breach after Clop listed American Airlines on its data leak site and linked it to the ongoing exploitation of Oracle’s E-Business Suite of applications.
“We are aware of the incident involving Envoy’s Oracle E-Business Suite application,” the airline stated.
Although some limited corporate data was compromised alongside business contact details, the American Airlines subsidiary says the data breach leaked no sensitive customer data. The regional airline has also notified law enforcement authorities.
“The Envoy Air incident is a reminder of the dependencies organizations have on large, interconnected business systems, and how much risk they entail,” said Shane Barney, Chief Information Security Officer at Keeper Security. “When attackers exploit a vulnerability in a widely used platform, like the Oracle system involved here, they’re not just breaching one company; they’re creating a ripple effect across every organization that relies on the same technology.”
Additionally, the data breach did not affect Envoy’s or American Airlines’ internal IT infrastructure or disrupt their operations.
The Clop ransomware gang has built a notorious reputation for exploiting managed file transfer appliances, such as Cleo, MOVEit, Fortra, GoAnywhere, SolarWinds Serv-U, and Accellion.