As Cl0p’s Higher Education Rampage Continues, Two More Institutions Face the Consequences of Enterprise Software Vulnerabilities

December 19, 2025


Executive Summary

The University of Phoenix and Baker University have become the latest educational institutions to confirm breaches stemming from the exploitation of CVE-2025-61882—the Oracle E-Business Suite zero-day that has devastated higher education throughout late 2024 and into 2025.

These incidents, affecting students, staff, faculty, and suppliers at both institutions, represent the ongoing fallout from what we’ve previously documented as one of the most significant supply chain attacks in cybersecurity history. While Ivy League schools bore the initial brunt of Cl0p’s campaign, these new disclosures prove that institution size, prestige, or geography offers no protection against sophisticated zero-day exploitation.

What makes these particular breaches noteworthy is their timing—both occurred in late November through December 2024, weeks after Oracle released emergency patches in October—and their scope, with Baker University experiencing one of the most comprehensive data exposures in recent higher education incidents.



The University of Phoenix Incident: A Post-Patch Compromise

Discovery and Disclosure Timeline

The University of Phoenix breach carries particular significance because it occurred after Oracle’s October 4, 2024 emergency patch release. On November 21, 2024, the Cl0p ransomware group added the university to its dark web leak site—a public shaming tactic the group uses to pressure victims into paying extortion demands.

According to BleepingComputer’s reporting, the University of Phoenix confirmed that attackers exploited CVE-2025-61882 to access personal and financial data in the institution’s Oracle E-Business Suite financial application environment. The university’s parent company filed an 8-K with the Securities and Exchange Commission describing the security event and noting that review of impacted records was ongoing.

The Post-Patch Problem

What distinguishes this breach from earlier victims like Dartmouth College (compromised August 9-12, 2024) is the timeline. Oracle released its emergency patch on October 4, 2024. The University of Phoenix was added to Cl0p’s leak site on November 21, 2024—nearly seven weeks after the patch became available.

This raises critical questions:

  • Did the university fail to apply the October patch in a timely manner?
  • Did the initial compromise occur before October with discovery delayed until November?
  • Were attackers already inside the environment before patching occurred, maintaining persistent access?
  • Did the university face deployment challenges with the emergency Oracle update?

The university has not publicly addressed these questions, though the timeline alone demonstrates the challenges institutions face in rapidly deploying emergency patches to complex enterprise systems.

What Was Compromised

The exposed data includes a devastating combination of personal and financial information:

  • Full names and contact information
  • Dates of birth
  • Social Security numbers
  • Banking details
  • Records belonging to students, staff, faculty, and suppliers

The university is currently reviewing the full scope of exposed records and preparing notifications to be sent via postal mail. Neither the total number of affected individuals nor additional details about the attackers have been publicly disclosed beyond the attribution to Cl0p.

Why Oracle EBS Was the Target

Oracle E-Business Suite environments typically support critical business functions including procurement, payroll, accounts payable, and student finance workflows. This consolidation of sensitive data makes EBS installations particularly attractive to threat actors conducting data theft extortion.

As Carl Froggett, CIO at Deep Instinct, explained to The Record: “Higher-education institutions were never built to function as full-scale cyber defense operations, yet they are expected to protect research, students, employees, and operational data from both known and unknown threats.”

His warning extends beyond traditional security perimeters: “The attack surface is no longer just your environment; it is every environment you depend on.”


Baker University: A Smaller Institution, Same Devastating Impact

The December 2024 Attack

Baker University’s experience demonstrates that institution size provides no protection against sophisticated threat actors. In December 2024, the small Kansas liberal arts college discovered suspicious activity that resulted in a network outage—the first indication of a significant compromise.

The investigation revealed unauthorized access to certain systems between December 2 and December 19, 2024. Unlike larger institutions with dedicated security teams, Baker relied heavily on external cybersecurity experts to conduct incident response and rebuild compromised systems.

Scope of Exposed Information

The data potentially compromised at Baker University reads like a comprehensive identity theft toolkit:

  • Names and dates of birth
  • Driver’s license numbers
  • Financial account information
  • Health insurance information
  • Medical information
  • Passport information
  • Social Security numbers
  • Student identification numbers
  • Tax identification numbers

Baker University President Jody Fournier addressed the breach directly: “The confidentiality, privacy, and security of our Baker community’s personal information is one of our university’s highest priorities. Our team has been working alongside an external team of experts at a cyber security firm since the incident and has rebuilt one of our primary platforms that was compromised during the cyber incident.”

Response and Remediation

Baker is providing affected individuals with complimentary credit monitoring services and has implemented additional security measures to prevent similar incidents. The university is also notifying state and federal regulators, though officials noted there is currently no evidence of actual or attempted identity theft or fraud using the compromised data.

The institution has established a dedicated hotline (1-844-948-2042) for affected individuals to obtain more information.


Understanding CVE-2025-61882: The Vulnerability Enabling Mass Compromise

For readers unfamiliar with the technical details of this vulnerability, we’ve published comprehensive technical analysis of CVE-2025-61882 and the complete exploit chain used by Cl0p. The key facts:

  • Critical Severity: CVSS score of 9.8/10—near-maximum severity
  • Attack Requirements: No authentication needed; exploitable over HTTP
  • Affected Versions: Oracle E-Business Suite 12.2.3 through 12.2.14
  • Vulnerability Location: BI Publisher Integration component in Oracle Concurrent Processing

The exploit allowed attackers to:

  • Bypass authentication through server-side request forgery (SSRF)
  • Upload malicious XSLT templates to the XML Publisher
  • Execute arbitrary code when templates were previewed
  • Establish reverse shell connections to attacker infrastructure

As we detailed in our analysis of Dartmouth College’s breach, this vulnerability enabled Cl0p to compromise organizations running vulnerable Oracle EBS versions without requiring any employee interaction or credential theft. The attack succeeded purely through technical exploitation of Oracle’s code.

Timeline Context:

  • July 2024: Earliest reconnaissance activity detected
  • August 9, 2024: First confirmed exploitation (Dartmouth College)
  • October 4, 2024: Oracle releases emergency patch
  • November-December 2024: University of Phoenix and Baker University compromises discovered

Why Regional and For-Profit Universities Face Unique Challenges

While our coverage of the Ivy League breach epidemic explored why elite institutions became targets, the University of Phoenix and Baker University breaches highlight challenges facing institutions with different resource profiles:

The For-Profit University Security Challenge

The University of Phoenix, as one of the largest for-profit higher education institutions in the United States, faces unique operational realities:

Distributed Operations: With campus locations nationwide and extensive online enrollment, the attack surface is significantly larger than traditional residential universities. Every student services portal, financial aid system, and learning management platform represents a potential entry point.

Corporate Oversight Requirements: As a publicly traded company (through its parent), the University of Phoenix faces SEC disclosure obligations that smaller private institutions don’t encounter. The 8-K filing requirement means breaches become public faster and with more detail about financial impacts.

Legacy System Complexity: For-profit education companies often grew rapidly through acquisitions and mergers, inheriting disparate technology stacks that create integration challenges and security gaps. The University of Phoenix has acquired numerous smaller institutions over the years, each bringing their own systems into the enterprise environment.

The Small Liberal Arts College Dilemma

Baker University’s experience illustrates challenges facing smaller residential institutions:

Limited Security Budgets: With approximately 2,500 students, Baker operates on a fundamentally different resource base than Harvard or even large state universities. Every dollar spent on cybersecurity competes directly with faculty salaries, academic programs, and student services.

External Dependency: Baker’s statement emphasized they were “working alongside an external team of experts at a cyber security firm” rather than relying on internal capabilities. This outsourced model is common among smaller institutions but creates coordination challenges during incident response.

Extended Breach Window: The December 2-19, 2024 compromise window (17 days) suggests either sophisticated attacker operational security or limited internal monitoring capabilities that delayed detection. Compare this to larger institutions with 24/7 security operations centers that might detect anomalies within hours.

Comprehensive Data Exposure: The range of compromised data types at Baker—including driver’s licenses, medical information, passport data, and tax IDs—suggests attackers accessed multiple interconnected systems rather than a single database. This indicates either weak network segmentation or extensive lateral movement capabilities.


The Cl0p Campaign Context: Why These Breaches Fit a Proven Pattern

For readers wanting to understand how these university breaches fit into Cl0p’s broader operations, we’ve published a comprehensive profile of the Cl0p ransomware operation, covering their evolution from traditional ransomware to mass data extortion through zero-day exploitation.

The Oracle EBS campaign follows Cl0p’s established methodology:

  • Target widely deployed enterprise software with large install bases
  • Exploit zero-day vulnerabilities before patches are available
  • Compromise as many organizations as possible during the vulnerability window
  • Exfiltrate data without deploying ransomware encryption
  • Wait weeks or months before beginning extortion to maximize data theft
  • Post victims to leak sites to pressure payment

This playbook generated an estimated $75-100 million for Cl0p during their 2023 MOVEit campaign, which compromised over 2,773 organizations. The Oracle EBS campaign represents the same strategy applied to a different widely-deployed enterprise platform.

The higher education sector has proven particularly vulnerable to these campaigns for reasons we’ve explored in detail in our analysis of the Ivy League breach epidemic, including legacy infrastructure, resource constraints, and the challenge of balancing academic openness with security requirements.


The Supply Chain Dimension: When Trusted Software Betrays You

As we explored in depth in our analysis of Dartmouth’s breach, the Oracle EBS campaign represents a nightmare scenario: “You can do everything right and still lose everything.”

Neither the University of Phoenix nor Baker University made obvious security mistakes. No employee clicked a phishing link. No weak password enabled initial access. No misconfigured firewall created an opening. Instead, attackers exploited a vulnerability in Oracle’s code—software both institutions relied on for critical business operations.

This highlights the fundamental challenge of supply chain security in 2025:

Third-Party Software Risk Is Unavoidable: Organizations running enterprise software from Oracle, SAP, Microsoft, or any major vendor accept inherent risk that vulnerabilities in vendor code will create exposure, regardless of the organization’s internal security posture.

Zero-Day Windows Create Total Vulnerability: During the July-October 2024 window before Oracle’s patch, every organization running affected EBS versions was vulnerable regardless of their security investments. No amount of employee training, endpoint protection, or network monitoring could prevent exploitation.

Patch Deployment Challenges Extend Risk: Even after Oracle released the October 4 patch, organizations faced complex deployment decisions. Emergency patches to business-critical financial systems require testing, change management, and carefully planned deployment windows—all of which extend the vulnerability window.

Vendor Transparency Remains Limited: Oracle initially suggested the attacks leveraged vulnerabilities from the July Critical Patch Update before later acknowledging CVE-2025-61882. This messaging confusion complicated incident response for affected organizations trying to understand their exposure.


International Context: Australian Universities Face Similar Crisis

The Oracle EBS breaches affecting American universities occurred against the backdrop of a devastating series of attacks on Australian higher education institutions. Our detailed coverage of Western Sydney University’s October 2025 breach documented how that institution experienced multiple compromises throughout 2024-2025, exposing tax file numbers, bank account details, passport information, health records, and other highly sensitive data.

The University of Sydney also recently disclosed that attackers accessed historical personal data on approximately 27,000 individuals stored in online code repositories—demonstrating that data sprawl creates exposure even outside primary operational systems.

Key Parallel Lessons:

  • Testing Data Exposure: Both Sydney and the Oracle EBS victims struggled with sensitive data existing in unexpected locations (code repositories vs. financial systems)
  • Persistence of Attacks: Western Sydney faced continued targeting even after arrests and security improvements
  • Multiple Attack Vectors: Universities face simultaneous threats from insider attacks, opportunistic scanning, targeted campaigns, and supply chain compromises
  • Resource Asymmetry: Determined attackers with nation-state or organized crime backing can outlast and outmaneuver university security teams

Notification Requirements

Both the University of Phoenix and Baker University face complex notification obligations under federal and state breach notification laws.

The University of Phoenix must comply with:

  • FERPA (Family Educational Rights and Privacy Act) for student education records
  • State breach notification laws in all states where affected individuals reside
  • SEC disclosure requirements as a publicly traded company
  • GLBA (Gramm-Leach-Bliley Act) for financial information
  • Potential HIPAA obligations if health information was exposed

Baker University faces similar requirements, though as a smaller private institution, some obligations differ.

Potential Litigation

Universities experiencing data breaches typically face:

  • Class action lawsuits from affected students and employees
  • Regulatory investigations from state attorneys general
  • Shareholder lawsuits (for publicly traded institutions)
  • Increased scrutiny from accreditation bodies

The University of Phoenix, in particular, may face significant shareholder pressure given its public company status and previous regulatory challenges.

The CISA Question

The Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance requiring critical infrastructure entities to report significant cyber incidents within specific timeframes. While universities don’t typically qualify as critical infrastructure, the scale and sensitivity of these breaches may trigger reporting obligations.


What Affected Individuals Should Do

Immediate Actions

If you’ve received notification from the University of Phoenix, Baker University, or any institution affected by the Oracle EBS campaign, security experts recommend:

1. Monitor Financial Accounts Closely

  • Review bank statements weekly for unauthorized transactions
  • Set up transaction alerts for unusual activity
  • Consider freezing accounts if suspicious activity appears

2. Request Credit Reports

  • Obtain free reports from Equifax, Experian, and TransUnion at annualcreditreport.com
  • Review for accounts you didn’t open or inquiries you didn’t authorize
  • Check reports every four months (rotating between bureaus)

3. Consider Credit Freezes

  • Place security freezes on credit reports at all three major bureaus
  • This prevents new accounts from being opened in your name
  • Free under federal law following data breaches
  • Can be temporarily lifted when you need to apply for credit

4. Enable Fraud Alerts

  • Initial fraud alerts last one year and are free
  • Extended fraud alerts (for identity theft victims) last seven years
  • Requires businesses to verify identity before extending credit

5. Take Advantage of Offered Services

  • Enroll in any credit monitoring services provided by the institution
  • These typically include identity theft insurance and restoration services
  • Even if you’re skeptical, the coverage can prove valuable if fraud occurs

Long-Term Vigilance

Because Social Security numbers don’t change and can be used for identity theft years after a breach:

  • Review credit reports regularly even after monitoring services expire
  • Remain alert to phishing attempts that reference the university or breach
  • Monitor IRS communications for signs of tax-related identity theft
  • Consider identity theft protection services as an ongoing investment
  • File taxes early to prevent fraudulent returns in your name

Special Concerns for Students

Current and former students should additionally:

  • Monitor student loan accounts for unauthorized changes
  • Verify financial aid information hasn’t been altered
  • Check academic records for suspicious access or modifications
  • Be cautious of scholarship scams that exploit breach news

What Universities Should Do Now

For institutions running Oracle E-Business Suite or other enterprise software with known vulnerabilities, immediate action is required:

Emergency Response Priorities

1. Patch Verification

  • Confirm Oracle EBS patches from October 4, 2024 are deployed
  • Review patch deployment logs for any failed or incomplete updates
  • Scan for any Oracle EBS instances that may have been missed in initial patching

2. Threat Hunting

  • Search for Oracle-provided indicators of compromise in system logs
  • Look for HTTP requests to /OA_HTML/SyncServlet and /OA_HTML/RF.jsp
  • Check for outbound connections to known attacker infrastructure (200.107.207.26, 185.181.60.11)
  • Review XSLT template creation logs for suspicious entries

3. Access Review

  • Audit administrative access to financial systems
  • Review user account creation in Oracle EBS environments post-August 2024
  • Examine data export activities from payroll and student finance modules
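
The threat-hunting checks above, sketched as an added example (not Oracle's or this article's own tooling): it scans web access logs for the two servlet paths and flow records for the two IP addresses named in the list. The log layouts, sample lines, and function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Indicators quoted in the article's threat-hunting list.
WATCH_PATHS = {"/oa_html/syncservlet", "/oa_html/rf.jsp"}
WATCH_IPS = {"200.107.207.26", "185.181.60.11"}

# Assumed layout: Apache-style combined access log.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})\b'
)

def normalize_path(target):
    """Reduce a request target to a path that can be compared reliably."""
    path = target.split("?", 1)[0]            # drop the query string
    path = unquote(path).lower()              # decode %xx, ignore case
    path = re.sub(r"/{2,}", "/", path)        # collapse duplicate slashes
    return path.split(";", 1)[0].rstrip("/")  # drop ;param=... and trailing /

def hunt_access_log(lines):
    """Return one hit per request whose path is a watched EBS endpoint."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = ACCESS_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path = normalize_path(m["target"])
        if path in WATCH_PATHS:
            hits.append({"line": n, "ts": m["ts"], "client": m["client"],
                         "method": m["method"], "path": path,
                         "status": int(m["status"]),
                         "known_ip": m["client"] in WATCH_IPS})
    return hits

def hunt_outbound(lines):
    """Return flow records whose destination is a watched IP.
    Assumed (constructed) format: timestamp,src_ip,dst_ip,dst_port"""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue  # malformed record
        ts, src, dst, dport = parts
        if dst in WATCH_IPS:
            hits.append({"line": n, "ts": ts, "src": src,
                         "dst": dst, "dport": dport})
    return hits

# Constructed sample data: client and server addresses, timestamps,
# user agents and ports are invented for the example.
SAMPLE_ACCESS = [
    '192.0.2.10 - - [01/Jan/2025:03:14:07 +0000] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2025:03:14:09 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 312 "-" "example-client/1.0"',
    '198.51.100.7 - - [01/Jan/2025:03:14:11 +0000] "GET /OA_HTML/%52F.jsp?a=1 HTTP/1.1" 302 0 "-" "example-client/1.0"',
    '192.0.2.10 - - [01/Jan/2025:03:15:00 +0000] "GET /OA_HTML/RF.jspx HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]
SAMPLE_FLOWS = [
    "2025-01-01T03:14:20Z,10.0.5.21,203.0.113.50,443",
    "2025-01-01T03:14:25Z,10.0.5.21,200.107.207.26,443",
    "2025-01-01T03:20:02Z,10.0.5.22,185.181.60.11,8443",
    "malformed line",
]

if __name__ == "__main__":
    for hit in hunt_access_log(SAMPLE_ACCESS) + hunt_outbound(SAMPLE_FLOWS):
        print(hit)
```

A match is a lead for review against the rest of the timeline, not proof of compromise on its own.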

Strategic Investments

For comprehensive guidance on defending against supply chain attacks and zero-day exploitation, see our detailed analysis in the Dartmouth article, which covers:

  • Zero trust architecture implementation
  • Network segmentation strategies
  • Security operations center development
  • Incident response capability building
  • Vendor risk management programs

The key insight from both the University of Phoenix and Baker University incidents: rapid patch deployment capabilities are non-negotiable for organizations running enterprise software. The window between vulnerability disclosure and active exploitation continues to shrink, making emergency patch deployment a core operational capability rather than an occasional disruption.


Conclusion: The Long Tail of Supply Chain Vulnerabilities

The University of Phoenix and Baker University breaches demonstrate that the Oracle EBS campaign’s impacts extend far beyond the initial wave of Ivy League compromises in August-October 2024. As we move into 2025, institutions are still discovering they were affected—either through delayed detection, extended attacker dwell time, or failures to patch vulnerable systems quickly enough.

Several critical realities emerge from these incidents:

Vulnerability Windows Extend Beyond Patches: The University of Phoenix breach occurring weeks after Oracle’s October 4 patch proves that simply releasing a fix doesn’t immediately protect the ecosystem. Organizations face deployment challenges, testing requirements, and change management processes that extend vulnerability windows.

Institution Size Offers No Protection: From Baker University (2,500 students) to the University of Phoenix (over 100,000 students), from Dartmouth College to the Washington Post, Cl0p’s campaign demonstrated that enterprise software vulnerabilities create exposure across organizations of all sizes and sectors.

Data Exposure Ranges from Targeted to Comprehensive: Baker University’s exposure of medical records, passport information, and health insurance data alongside traditional PII represents one of the most comprehensive breaches in this campaign, while other institutions saw more limited data access.

The Regulatory Reckoning Continues: Universities will spend months or years managing breach notifications, regulatory reporting, credit monitoring programs, potential litigation, and reputation recovery—all while still operating the same enterprise software that enabled the original compromise.

The Oracle EBS campaign will eventually end—new vulnerabilities will emerge, Cl0p will pivot to new targets, and the security industry will move on to the next crisis. But for the students, staff, faculty, and suppliers whose Social Security numbers, banking details, and personal information were exposed at the University of Phoenix and Baker University, the consequences will persist for years.

That’s the real cost of supply chain vulnerabilities: not the breach notifications or the security improvements or the regulatory fines, but the permanent exposure of personal information that cannot be recalled, cannot be changed, and will remain valuable to criminals indefinitely.


Additional Resources

For Affected Individuals

  • Baker University Hotline: 1-844-948-2042 (Monday-Friday, 9:00 AM - 9:00 PM ET)
  • Free Credit Reports: www.annualcreditreport.com or 1-877-322-8228
  • FTC Identity Theft Resources: identitytheft.gov


This article is part of our ongoing coverage of the Oracle E-Business Suite breach campaign. Information is current as of December 19, 2025. For the latest developments, see our comprehensive Oracle EBS campaign coverage.