University of Phoenix and Baker University Join Growing List of Oracle EBS Breach Victims

As Cl0p's Higher Education Rampage Continues, Two More Institutions Face the Consequences of Enterprise Software Vulnerabilities

December 19, 2025


Executive Summary

The University of Phoenix and Baker University have become the latest educational institutions to confirm breaches stemming from the exploitation of CVE-2025-61882—the Oracle E-Business Suite zero-day that has devastated higher education throughout late 2024 and into 2025.

These incidents, affecting students, staff, faculty, and suppliers at both institutions, represent the ongoing fallout from what we've previously documented as one of the most significant supply chain attacks in cybersecurity history. While Ivy League schools bore the initial brunt of Cl0p's campaign, these new disclosures prove that institution size, prestige, or geography offers no protection against sophisticated zero-day exploitation.

What makes these particular breaches noteworthy is their timing—both occurred in late November through December 2024, weeks after Oracle released emergency patches in October—and their scope, with Baker University experiencing one of the most comprehensive data exposures in recent higher education incidents.

The University of Phoenix Incident: A Post-Patch Compromise

Discovery and Disclosure Timeline

The University of Phoenix breach carries particular significance because it occurred after Oracle's October 4, 2024 emergency patch release. On November 21, 2024, the Cl0p ransomware group added the university to its dark web leak site—a public shaming tactic the group uses to pressure victims into paying extortion demands.

According to BleepingComputer's reporting, the University of Phoenix confirmed that attackers exploited CVE-2025-61882 to access personal and financial data in the institution's Oracle E-Business Suite financial application environment. The university's parent company filed an 8-K with the Securities and Exchange Commission describing the security event and noting that review of impacted records was ongoing.

The Post-Patch Problem

What distinguishes this breach from earlier victims like Dartmouth College (compromised August 9-12, 2024) is the timeline. Oracle released its emergency patch on October 4, 2024. The University of Phoenix was added to Cl0p's leak site on November 21, 2024—nearly seven weeks after the patch became available.

This raises critical questions:

  • Did the university fail to apply the October patch in a timely manner?
  • Did the initial compromise occur before October with discovery delayed until November?
  • Were attackers already inside the environment before patching occurred, maintaining persistent access?
  • Did the university face deployment challenges with the emergency Oracle update?

The university has not publicly addressed these questions, though the timeline alone demonstrates the challenges institutions face in rapidly deploying emergency patches to complex enterprise systems.

What Was Compromised

The exposed data includes a devastating combination of personal and financial information:

  • Full names and contact information
  • Dates of birth
  • Social Security numbers
  • Banking details
  • Records belonging to students, staff, faculty, and suppliers

The university is currently reviewing the full scope of exposed records and preparing notifications to be sent via postal mail. Neither the total number of affected individuals nor additional details about the attackers have been publicly disclosed beyond the attribution to Cl0p.

Why Oracle EBS Was the Target

Oracle E-Business Suite environments typically support critical business functions including procurement, payroll, accounts payable, and student finance workflows. This consolidation of sensitive data makes EBS installations particularly attractive to threat actors conducting data theft extortion.

As Carl Froggett, CIO at Deep Instinct, explained to The Record: "Higher-education institutions were never built to function as full-scale cyber defense operations, yet they are expected to protect research, students, employees, and operational data from both known and unknown threats."

His warning extends beyond traditional security perimeters: "The attack surface is no longer just your environment; it is every environment you depend on."


Baker University: A Smaller Institution, Same Devastating Impact

The December 2024 Attack

Baker University's experience demonstrates that institution size provides no protection against sophisticated threat actors. In December 2024, the small Kansas liberal arts college discovered suspicious activity that resulted in a network outage—the first indication of a significant compromise.

The investigation revealed unauthorized access to certain systems between December 2 and December 19, 2024. Unlike larger institutions with dedicated security teams, Baker relied heavily on external cybersecurity experts to conduct incident response and rebuild compromised systems.

Scope of Exposed Information

The data potentially compromised at Baker University reads like a comprehensive identity theft toolkit:

  • Names and dates of birth
  • Driver's license numbers
  • Financial account information
  • Health insurance information
  • Medical information
  • Passport information
  • Social Security numbers
  • Student identification numbers
  • Tax identification numbers

Baker University President Jody Fournier addressed the breach directly: "The confidentiality, privacy, and security of our Baker community's personal information is one of our university's highest priorities. Our team has been working alongside an external team of experts at a cyber security firm since the incident and has rebuilt one of our primary platforms that was compromised during the cyber incident."

Response and Remediation

Baker is providing affected individuals with complimentary credit monitoring services and has implemented additional security measures to prevent similar incidents. The university is also notifying state and federal regulators, though officials noted there is currently no evidence of actual or attempted identity theft or fraud using the compromised data.

The institution has established a dedicated hotline (1-844-948-2042) for affected individuals to obtain more information.


Understanding CVE-2025-61882: The Vulnerability Enabling Mass Compromise

For readers unfamiliar with the technical details of this vulnerability, we've published a comprehensive technical analysis of CVE-2025-61882 and the complete exploit chain used by Cl0p. The key facts:

  • Critical Severity: CVSS score of 9.8/10—near-maximum severity
  • Attack Requirements: No authentication needed; exploitable over HTTP
  • Affected Versions: Oracle E-Business Suite 12.2.3 through 12.2.14
  • Vulnerability Location: BI Publisher Integration component in Oracle Concurrent Processing

The exploit allowed attackers to:

  1. Bypass authentication through server-side request forgery (SSRF)
  2. Upload malicious XSLT templates to the XML Publisher
  3. Execute arbitrary code when templates were previewed
  4. Establish reverse shell connections to attacker infrastructure

As we detailed in our analysis of Dartmouth College's breach, this vulnerability enabled Cl0p to compromise organizations running vulnerable Oracle EBS versions without requiring any employee interaction or credential theft. The attack succeeded purely through technical exploitation of Oracle's code.

Timeline Context:

  • July 2024: Earliest reconnaissance activity detected
  • August 9, 2024: First confirmed exploitation (Dartmouth College)
  • October 4, 2024: Oracle releases emergency patch
  • November-December 2024: University of Phoenix and Baker University compromises discovered
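
The post-patch questions raised earlier and the key facts above can be turned into an inventory triage. The following is an added example, not part of the original article: it uses the affected version range and the dates stated here, while the inventory records, host names, field names (`patched_on`, `http_reachable`) and status labels are constructed for illustration.

```python
from datetime import date

# Dates and version range as stated in this article.
FIRST_EXPLOITATION = date(2024, 8, 9)   # first confirmed exploitation
PATCH_RELEASED = date(2024, 10, 4)      # Oracle emergency patch
AFFECTED_MIN, AFFECTED_MAX = (12, 2, 3), (12, 2, 14)


def parse_version(text):
    """Turn '12.2.10' into (12, 2, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def triage(instance, today):
    """Classify one EBS instance; returns (status, days_exposed)."""
    version = parse_version(instance["version"])
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return ("not-in-affected-range", 0)
    patched_on = instance.get("patched_on")  # None means still unpatched
    end = patched_on or today
    # Days the instance was vulnerable while exploitation was already under way.
    days_exposed = max((end - FIRST_EXPLOITATION).days, 0)
    if patched_on is None:
        return ("unpatched-patch-and-hunt", days_exposed)
    if not instance["http_reachable"]:
        return ("patched-low-exposure", days_exposed)
    # Patched, but reachable over HTTP during the exploitation window: patching
    # does not remove access an attacker gained earlier.
    return ("patched-hunt-for-prior-compromise", days_exposed)


def patch_lag_days(instance):
    """Days between patch release and deployment (None if unpatched)."""
    patched_on = instance.get("patched_on")
    return None if patched_on is None else (patched_on - PATCH_RELEASED).days


# Constructed sample inventory (hypothetical hosts, not from the article).
INVENTORY = [
    {"host": "ebs-fin-01", "version": "12.2.10", "patched_on": date(2024, 10, 20), "http_reachable": True},
    {"host": "ebs-hr-02", "version": "12.2.14", "patched_on": None, "http_reachable": True},
    {"host": "ebs-old-03", "version": "12.1.3", "patched_on": None, "http_reachable": False},
    {"host": "ebs-int-04", "version": "12.2.3", "patched_on": date(2024, 10, 5), "http_reachable": False},
]

if __name__ == "__main__":
    today = date(2024, 11, 21)
    for inst in INVENTORY:
        print(inst["host"], *triage(inst, today), patch_lag_days(inst))
```

Versions are compared as integer tuples because a plain string comparison would sort 12.2.10 below 12.2.3 and misclassify it as outside the affected range.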

Why Regional and For-Profit Universities Face Unique Challenges

While our coverage of the Ivy League breach epidemic explored why elite institutions became targets, the University of Phoenix and Baker University breaches highlight challenges facing institutions with different resource profiles:

The For-Profit University Security Challenge

The University of Phoenix, as one of the largest for-profit higher education institutions in the United States, faces unique operational realities: