Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Hackers Compromise 62 Colleges via Campus ERP Platform

Hackers have managed to compromise 62 colleges and universities by exploiting a vulnerability in the Ellucian Banner system, the U.S. Department of Education warns.

Hackers have managed to compromise 62 colleges and universities by exploiting a vulnerability in the Ellucian Banner system, the U.S. Department of Education warns.

The vulnerability resides in Banner Web Tailor, a tool designed for registration, curriculum management, advising, administration, and reporting. It allows students to access and change their registration, graduation, and financial aid information. Ellucian Banner Enterprise Identity Services is also impacted. 

Tracked as CVE-2019-8978, the issue is triggered when SSO Manager is used as the authentication mechanism for Web Tailor. This could result in information disclosure and loss of data integrity for the impacted users, Joshua Mulliken explains in an advisory

The vulnerability was discovered in December 2018 and a patch has been available for a couple of months. Only Ellucian Banner Web Tailor versions 8.8.3, and 8.8.4, and Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4 are affected by the security flaw. 

Attackers targeting the vulnerability can steal a victim’s session and then log into the Banner system. The attackers would then be able to perform various operations, depending on the administrative privileges granted to the affected account. 

“The Department has identified 62 colleges or universities that have been affected by exploitation of this vulnerability. We have also recently received information that indicates criminal elements have been actively scanning the internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation,” the Department of Education warns.

Once the attackers gain access to the system, they leverage scripts in the admissions or enrollment sections to create multiple student accounts, the alert reads. 

Affected institutions reported the creation of at least 600 fake or fraudulent student accounts within a 24-hour period. Over the course of multiple days, the attackers created thousands of fake student accounts, some of which were leveraged almost immediately for criminal activity. 

“Although it was reported that attackers can leverage the vulnerability discussed above to create accounts, Ellucian believes this is not correct. The issue described in the alert is not believed to be related to the previously patched Ellucian Banner System vulnerability and is not exclusive to institutions using Ellucian products,” Ellucian claims

The company notes that the attackers are utilizing bots to submit fraudulent admissions applications and to obtain institution email addresses through accessing application portals.

The company also notes that, while Banner Web Tailor 8.9 was also listed as affected by the vulnerability, it is not affected. Patches for the impacted software versions were released on May 14, 2019 and are included in all subsequent roll-up software releases, the company says. 

“There is no indication that student or institutional data has been compromised. The patched vulnerability is extremely difficult to exploit and unlikely to occur outside of a laboratory setting,” Ellucian says. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in...