Public Breach Analysis
The University of Pennsylvania (Penn) has officially confirmed a new data breach resulting from a cyberattack on its Oracle E-Business Suite (EBS) servers. This incident is part of the massive global campaign attributed to the Clop ransomware gang.
Incident Timeline & Scope:
- Infiltration: Attackers exploited a zero-day vulnerability (CVE-2025-61882) in the Oracle EBS financial application as early as August 2025.
- Confirmation: Penn determined on November 11, 2025, that personal information was accessed without authorization.
- Impact: While the initial filing with the Maine Attorney General cites 1,488 affected individuals, the university admits the full scope is likely larger. The stolen data includes names and “other personal identifiers.”
- Attribution: While Penn has not named the attacker, the TTPs (Oracle EBS zero-day, timing, and targeting) align perfectly with the Clop gang’s mass-exploitation campaign, which has also hit Harvard University, Logitech, and The Washington Post.
Context: This is the second major breach for Penn in recent weeks. In late October 2025, the university disclosed a separate breach of its development and alumni systems, which exposed the data of 1.2 million individuals.
Key Cybersecurity Insights
This incident reinforces the critical threat posed by mass-exploitation campaigns targeting enterprise software:
- The “ERP” Target Shift: Clop has successfully pivoted from targeting file transfer appliances (MOVEit, GoAnywhere) to Enterprise Resource Planning (ERP) systems like Oracle EBS. These systems contain the financial and personnel “crown jewels” of an organization.
- Compound Breach Risk: Penn suffering two distinct breaches (Alumni systems vs. Oracle Finance systems) in a short window highlights the difficulty of securing a decentralized university environment with a massive attack surface.
- The “Silent” Extortion Phase: Clop has not yet listed Penn on its leak site. In ransomware extortion, this silence often indicates that the victim is still negotiating with the group or has paid a ransom to prevent publication.
- Zero-Day Exposure Gap: The intrusion began in August 2025, before the vulnerability was publicly disclosed and patched. This “exploit gap” allowed attackers to harvest data from nearly 100 organizations before defenders knew what to patch or hunt for.
Mitigation Strategies
In response to this ongoing campaign, higher education and enterprise sectors must take immediate action:
- Immediate Patching (Oracle EBS): Ensure the patches for CVE-2025-61882 are applied immediately. This is a critical vulnerability actively being hunted by ransomware groups.
- Isolate ERP Systems: Oracle EBS and similar financial platforms should not be directly accessible from the public internet. Restrict access via VPN and enforce Multi-Factor Authentication (MFA).
- Threat Hunting: Security teams should scan logs from August 2025 for anomalous data exfiltration from Oracle servers. Assume compromise if the system was internet-facing during that period.
- Defense-in-Depth: Relying on patch management alone is insufficient against zero-days. Implement network segmentation to ensure a breach of the ERP system does not grant access to other campus networks (like the alumni database).
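The threat-hunting step above can be made concrete with a small log review. The script below is an added example, not code from the page, from Penn, or from Oracle: it parses web-tier access logs in NCSA combined format (assumed), keeps only successful requests under the EBS web path (the "/OA_HTML/" prefix is assumed) inside the August to October 2025 window, aggregates the bytes served per client address, and flags clients that either sit outside the trusted campus networks or pulled more than a bulk-transfer threshold. The sample log lines, the trusted network, the addresses and the thresholds are all constructed for the example.

```python
"""Hunt an EBS web-tier access log for bulk-download patterns.

Added example for the threat-hunting step; the log format, EBS URL prefix,
trusted networks and thresholds are assumptions, not values from the page.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# NCSA combined log format as written by Apache-style web tiers (assumed).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed EBS web path prefix; requests outside it are ignored by the hunt.
EBS_PREFIX = "/OA_HTML/"

# Constructed sample entries, not real traffic. 10.20.30.0/24 stands in for
# an internal (expected) client network; 198.51.100.7 is a TEST-NET address
# standing in for an unexpected external client. The July line is outside
# the hunting window and must be ignored.
SAMPLE_LOG = """\
10.20.30.40 - - [12/Aug/2025:09:14:07 +0000] "GET /OA_HTML/RF.jsp?function_id=1 HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
10.20.30.41 - - [12/Aug/2025:09:15:22 +0000] "POST /OA_HTML/OA.jsp HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Aug/2025:03:02:11 +0000] "POST /OA_HTML/OA.jsp HTTP/1.1" 200 52428800 "-" "-"
198.51.100.7 - - [13/Aug/2025:03:04:45 +0000] "GET /OA_HTML/export.jsp HTTP/1.1" 200 73400320 "-" "-"
10.20.30.40 - - [14/Aug/2025:10:01:00 +0000] "GET /OA_HTML/RF.jsp?function_id=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.20.30.40 - - [02/Jul/2025:10:01:00 +0000] "GET /OA_HTML/export.jsp HTTP/1.1" 200 99999999 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "bytes": 0 if m.group("bytes") == "-" else int(m.group("bytes")),
    }


def hunt(log_text, start, end, trusted_nets, bytes_threshold=50 * 1024 * 1024):
    """Aggregate successful EBS responses per client inside [start, end] and
    flag clients outside trusted_nets or above bytes_threshold total bytes."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    per_ip = defaultdict(lambda: {"requests": 0, "total_bytes": 0, "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(EBS_PREFIX):
            continue
        if not (start <= rec["ts"] <= end) or not 200 <= rec["status"] < 300:
            continue
        agg = per_ip[rec["ip"]]
        agg["requests"] += 1
        agg["total_bytes"] += rec["bytes"]
        agg["paths"].add(rec["path"].split("?", 1)[0])  # drop query string

    findings = []
    for ip, agg in per_ip.items():
        reasons = []
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            reasons.append("untrusted_source")
        if agg["total_bytes"] > bytes_threshold:
            reasons.append("bulk_transfer")
        if reasons:
            findings.append({"ip": ip, "requests": agg["requests"],
                             "total_bytes": agg["total_bytes"],
                             "paths": sorted(agg["paths"]), "reasons": reasons})
    findings.sort(key=lambda f: f["total_bytes"], reverse=True)
    return findings


def hunt_sample():
    """Run the hunt over the constructed sample for August to October 2025."""
    start = datetime(2025, 8, 1, tzinfo=timezone.utc)
    end = datetime(2025, 10, 31, 23, 59, 59, tzinfo=timezone.utc)
    return hunt(SAMPLE_LOG, start, end, trusted_nets=["10.0.0.0/8"])


if __name__ == "__main__":
    for f in hunt_sample():
        print(f"{f['ip']}: {f['total_bytes']} bytes over {f['requests']} requests "
              f"to {f['paths']} -> {', '.join(f['reasons'])}")
```

On real data the trusted networks should be the address ranges finance staff actually work from (VPN pools, campus subnets), and the byte threshold tuned against a baseline month; the point of the per-client aggregation is that exfiltration often shows as many moderate responses to one address rather than a single huge one, which a per-request filter misses.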
Secure Your Business with Brinztech — Global Cybersecurity Solutions Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com