Mallory

University of Phoenix Data Breach via Oracle E-Business Suite Exploit

Tags: E-Business Suite, exploit, enterprise software, Oracle, unauthorized access, sensitive data, zero-day, ransomware, breach, vulnerability, disclosure, personal information, financial information, attack, cybersecurity insurance
Updated December 3, 2025 at 09:01 PM. 2 sources


The University of Phoenix disclosed a significant data breach after attackers exploited a zero-day vulnerability in the Oracle E-Business Suite (EBS) financial application. The breach, detected on November 21, 2025, resulted in unauthorized access to sensitive personal and financial information, including names, contact details, dates of birth, Social Security numbers, and bank account information of numerous current and former students, employees, faculty, and suppliers. The incident was revealed after the university was listed on the leak site of a prominent Russian extortion group, believed to be the Clop ransomware gang, which has targeted multiple U.S. educational institutions through the same Oracle EBS vulnerability.

The university's parent company, Phoenix Education Partners, filed a notice with the U.S. Securities and Exchange Commission (SEC), confirming the breach and stating that cybersecurity insurance would cover the response and remediation costs. While the attackers have not publicly disseminated the stolen data, the university is continuing its investigation and will notify affected individuals and regulatory entities. The breach is part of a broader campaign that has impacted other major universities, highlighting the risks associated with unpatched enterprise software vulnerabilities.

Related Stories

University of Phoenix Data Breach Exposes 3.5 Million Records via Oracle EBS Exploit

University of Phoenix suffered a major data breach affecting approximately 3.5 million individuals, including students, staff, and suppliers, after attackers exploited a zero-day vulnerability in the Oracle E-Business Suite (EBS) financial application. The breach, attributed to the Clop ransomware gang, resulted in the exposure of sensitive personal and financial information such as names, contact details, dates of birth, Social Security numbers, and bank account information. The incident was discovered on November 21, 2025, several months after the initial compromise in August, highlighting significant gaps in the university’s security monitoring and detection capabilities. Following regulatory requirements, especially in Maine where over 9,000 residents were affected, the University of Phoenix issued formal notifications and offered complimentary identity theft protection services, including credit monitoring and fraud reimbursement. The breach has raised concerns about the adequacy of cybersecurity defenses in higher education and prompted the university to engage legal counsel and external experts to manage the response and notification process. The Clop ransomware group’s involvement and the exploitation of a critical Oracle EBS vulnerability underscore the evolving threat landscape facing educational institutions.

2 months ago

University of Pennsylvania Data Breach via Clop Exploitation of Oracle E-Business Suite

The University of Pennsylvania suffered a data breach after attackers exploited a zero-day vulnerability in Oracle's E-Business Suite (EBS), resulting in the theft of personal information from its systems. The Clop ransomware group is believed to be behind this attack, which targeted numerous Oracle EBS customers worldwide, including other Ivy League institutions such as Dartmouth College and Harvard University. The breach notification filed with Maine's Attorney General confirmed that at least 1,488 individuals were affected, though the total number of victims is likely higher. The university responded by patching its systems after Oracle released fixes and notified federal law enforcement. The attack was part of a broader campaign in which Clop exploited multiple vulnerabilities in Oracle EBS to steal large amounts of data from various organizations. The University of Pennsylvania only became aware of the breach after Oracle acknowledged the vulnerability and Clop began sending extortion emails to victim organizations. While the university has not disclosed the specific types of data stolen, it has stated that there is no evidence the information has been publicly disclosed or misused. The incident highlights the risks associated with unpatched enterprise software and the growing trend of ransomware groups exploiting zero-day vulnerabilities for data theft and extortion.

3 months ago

Oracle E-Business Suite Zero-Day Exploited for Remote Code Execution and Data Theft

Oracle E-Business Suite (EBS) was found to contain a critical zero-day vulnerability, tracked as CVE-2025-61884 and CVE-2025-61882, which allowed unauthenticated remote code execution and was actively exploited by threat actors, including the Clop ransomware group. The flaw, present in EBS versions 12.2.3 through 12.2.14, let attackers reach sensitive resources without authentication through a pre-authentication Server-Side Request Forgery (SSRF) weakness. Oracle released an out-of-band security update to address it, but did so without publicly acknowledging that the flaw was being actively exploited or that a proof-of-concept exploit had been leaked by the ShinyHunters extortion group. Security researchers and customers confirmed that the patch addressed the SSRF vulnerability used in the attacks. The exploit chain was complex: an unauthenticated HTTP POST to a specific servlet, manipulation of return_url parameters to trigger the SSRF, CRLF/header injection, HTTP connection reuse, and finally delivery of a malicious XSL stylesheet. This XSLT payload, containing embedded Java code, was processed by the server, leading to arbitrary code execution and the potential for attackers to spawn reverse shells. The Clop ransomware group sent extortion emails to Oracle EBS customers, claiming to have stolen sensitive data by exploiting this flaw, and confirmed its involvement in the campaign. The campaign was detected by Mandiant and Google, who observed multiple threat actors leveraging the vulnerability for data theft and extortion, and it demonstrated the risk of chaining several weaknesses in enterprise software to achieve full remote code execution. Security vendors such as Imperva responded by confirming protection for their customers against this exploit. The incident highlighted Oracle's lack of transparency regarding active exploitation and the public availability of exploit code. The vulnerability's exploitation in the wild emphasized the importance of rapid patching and monitoring for signs of compromise in Oracle EBS environments, and the campaign illustrated the ongoing threat that ransomware and extortion groups pose to critical business applications. Organizations using Oracle EBS were urged to apply the security update immediately and review their systems for indicators of compromise. The incident raised concerns about the security of widely used enterprise resource planning (ERP) platforms and the need for proactive vulnerability management.

5 months ago
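As an added illustration, not taken from the story or from Oracle, the script below shows the two triage checks the story points at: whether an EBS version falls in the affected 12.2.3 to 12.2.14 range, and whether access logs carry return_url values that contain CRLF sequences or point at a host other than the application itself. The servlet path, the allowlisted host and the log lines are constructed placeholders.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit, parse_qs

# Affected range named in the story: EBS 12.2.3 through 12.2.14 (inclusive).
AFFECTED_MIN, AFFECTED_MAX = (12, 2, 3), (12, 2, 14)
# Hosts a legitimate return_url may point at. Constructed for this example.
ALLOWED_HOSTS = {"ebs.example.edu"}

# Constructed access-log lines; the servlet path is a placeholder, not the real one.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Nov/2025:10:00:01 +0000] "POST /OA_HTML/EXAMPLE_SERVLET?return_url=https%3A%2F%2Febs.example.edu%2Fhome HTTP/1.1" 200 512
203.0.113.9 - - [21/Nov/2025:10:00:07 +0000] "POST /OA_HTML/EXAMPLE_SERVLET?return_url=http%3A%2F%2F203.0.113.9%2Fcb HTTP/1.1" 302 0
203.0.113.9 - - [21/Nov/2025:10:00:09 +0000] "POST /OA_HTML/EXAMPLE_SERVLET?return_url=https%3A%2F%2Febs.example.edu%2F%0d%0aX-Injected%3A%201 HTTP/1.1" 302 0
10.0.0.7 - - [21/Nov/2025:10:01:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 1024
"""

# Combined log format: client, ident, user, [time], "METHOD target PROTO", status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def ebs_version_affected(version: str) -> bool:
    """True if a dotted EBS version string falls inside the affected range."""
    parts = tuple(int(p) for p in version.split("."))
    return AFFECTED_MIN <= parts <= AFFECTED_MAX

def classify_return_url(value: str) -> list[str]:
    """Reasons a percent-decoded return_url value looks hostile; empty if benign."""
    reasons = []
    if "\r" in value or "\n" in value:
        reasons.append("crlf")  # raw CR/LF inside a URL parameter: header-injection shape
    host = urlsplit(value).hostname
    if host and host not in ALLOWED_HOSTS:
        reasons.append("external-host")  # target outside the app itself: SSRF/redirect shape
    return reasons

def scan_log(text: str) -> list[dict]:
    """One finding per suspicious return_url value seen in the log text."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src, method, target, status = m.groups()
        parts = urlsplit(target)
        for raw in parse_qs(parts.query).get("return_url", []):  # parse_qs percent-decodes
            reasons = classify_return_url(raw)
            if reasons:
                findings.append({"src": src, "path": parts.path, "reasons": reasons})
    return findings
```

Run `scan_log` over real access logs in place of `SAMPLE_LOG`; a hit is a lead for investigation, not proof of compromise on its own.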
