Envoy Air, the wholly owned regional subsidiary of American Airlines and its largest feeder carrier, has confirmed a cybersecurity breach linked to Oracle’s E-Business Suite, the result of yet another zero-day vulnerability exploited by the Clop ransomware group. The incident, disclosed on October 17, 2025, highlights the growing risk carried by third-party enterprise software, and the cross-organizational impact when a critical flaw in a widely deployed platform goes unpatched.
Although Envoy Air has stated that no sensitive customer or personally identifiable information was exposed, a limited set of business and commercial contact data may have been compromised. Investigations are ongoing, and law enforcement has been engaged.
Zero-Day Vulnerability in Oracle E-Business Suite Enabled Unauthenticated Remote Access
The breach stems from the exploitation of a critical zero-day vulnerability, now identified as CVE-2025-61882, in Oracle’s widely used E-Business Suite (EBS) platform. This remotely exploitable flaw enabled attackers to execute arbitrary code in affected systems without requiring authentication.
Oracle disclosed the vulnerability on October 6, 2025, after observing active exploitation in the wild. The flaw affects EBS versions 12.2.3 through 12.2.14. Oracle simultaneously released an emergency patch and published associated indicators of compromise (IOCs), including malicious IP addresses used in the attack infrastructure. The Cybersecurity and Infrastructure Security Agency (CISA) swiftly added CVE-2025-61882 to its Known Exploited Vulnerabilities (KEV) catalog, underscoring its significance in ongoing ransomware operations.
The Clop ransomware group leveraged this vulnerability as part of a wider campaign first observed in August 2025, which has reportedly impacted hundreds of organizations worldwide, including heavyweights like Harvard University. According to Oracle, prompt patch application is the only effective mitigation.
Envoy Air Incident Misidentified as American Airlines Breach
Clop initially claimed American Airlines as a victim on its dark web leak site. However, subsequent disclosures clarified that the actual breach occurred at Envoy Air. This misidentification created confusion about the scope of the breach and raised concerns about data belonging to one of the world’s largest carriers. American Airlines redirected all media requests to Envoy Air, confirming that its systems were not impacted.
Envoy Air acknowledged the incident affected its Oracle EBS instance, which contained internal business information and commercial contact data. No core operational systems—including flight or ground handling operations—were impacted, and customer records remained untouched.
The ransomware group has reportedly begun leaking stolen data to pressure victims into paying for data suppression or deletion. Envoy Air has not indicated whether any ransom demands were made or considered.
Oracle Releases Multiple Emergency Patches to Address Exploit Chains
The October breach appears tied to a broader wave of exploitation targeting Oracle EBS platforms. In addition to CVE-2025-61882, Oracle also addressed a second zero-day, tracked as CVE-2025-61884, which has been reported as exploited by a different group, ShinyHunters. This flaw likewise allowed unauthenticated access to sensitive data held in EBS and was patched on October 15.
Oracle has released corresponding emergency updates and emphasized that customers must stay on supported versions and apply all patches immediately. The company warned that failing to do so could leave systems vulnerable to exploit chains actively used by ransomware operators.
Recommendations for Enterprises Using Oracle EBS
Organizations using the Oracle E-Business Suite should take immediate action to safeguard their environments:
- Apply all critical patches, particularly for CVE-2025-61882 and CVE-2025-61884
- Review Oracle’s published IOCs and search web-tier and application logs, along with network telemetry, for matching addresses and requests
- Validate asset inventories to confirm EBS instance versions and ensure no unsupported versions are running
- Verify that security controls prevent unauthorized external access to EBS interfaces
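The following script is an added example, not code from the article, Oracle or Envoy Air. It shows how a defender might start on three of the checks above in one pass: confirming whether an inventoried EBS release falls in the range Oracle listed as affected (12.2.3 through 12.2.14, the only value here taken from the page), searching web-tier access logs for requests from IOC addresses, and flagging any EBS requests that arrive from outside the networks the instance is supposed to serve. The IOC addresses, the internal ranges and the log lines are constructed placeholders; substitute Oracle's published IOC list and your own address plan before using it. Note that being inside the affected release range means the emergency patch must be verified, not that the instance is necessarily unpatched.

```python
import ipaddress
import re
from typing import Iterable

# Release range Oracle listed as affected by CVE-2025-61882 (12.2.3 through 12.2.14).
# In range means "verify the emergency patch is applied", not "definitely unpatched".
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)

# Placeholder attacker addresses, constructed for this example (TEST-NET ranges).
# Replace with the IPs from Oracle's published IOC list before running against real logs.
IOC_IPS = {"198.51.100.23", "203.0.113.77"}

# Networks from which EBS access is expected. Assumed RFC 1918 ranges; adjust to your environment.
INTERNAL_NETS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Apache/OHS combined log format: client IP, identd, user, [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn an EBS release string such as '12.2.10' into a comparable tuple."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised EBS release string: {version!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def is_affected(version: str) -> bool:
    """True if the release falls inside the range Oracle listed as affected."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def is_internal(ip: str) -> bool:
    """True if the client address belongs to one of the expected internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage_log(lines: Iterable[str]) -> list[dict]:
    """One finding per request that came from an IOC address or from outside INTERNAL_NETS."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool would count and report these
        ip = m.group("ip")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # hostname or garbage in the client field
        reasons = []
        if ip in IOC_IPS:
            reasons.append("ioc-ip")
        if not is_internal(ip):
            reasons.append("external-source")
        if reasons:
            findings.append({
                "ip": ip,
                "method": m.group("method"),
                "path": m.group("path"),
                "status": int(m.group("status")),
                "reasons": reasons,
            })
    return findings


# Constructed sample log lines (not real traffic). /OA_HTML is the EBS web tier's application path.
SAMPLE_LOG = """\
10.20.30.40 - - [16/Oct/2025:08:01:12 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120
198.51.100.23 - - [16/Oct/2025:08:02:45 +0000] "POST /OA_HTML/RF.jsp HTTP/1.1" 200 318
203.0.113.77 - - [16/Oct/2025:08:03:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0
192.168.5.9 - - [16/Oct/2025:08:04:10 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120
203.0.113.5 - - [16/Oct/2025:08:05:33 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for rel in ("12.2.10", "12.2.14", "12.1.3"):
        state = "in affected range" if is_affected(rel) else "outside affected range"
        print(f"EBS {rel}: {state}")
    for f in triage_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']:<15} {f['method']} {f['path']} -> {f['status']} [{', '.join(f['reasons'])}]")
```

An "external-source" hit on an EBS interface is itself a finding for the last recommendation above: if the web tier is only meant to be reachable from internal networks or a named partner range, every such request is either a misconfigured control or traffic worth explaining. Run the same triage over the full retention window, not just the days around the advisory, since the campaign described in this article was active well before the patch was available.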
Clop’s Targeting Pattern Suggests Focus on High-Value, Third-Party Entrypoints
This marks at least the third time in two years that a member of the American Airlines corporate family has been attacked by Clop, pointing to a sustained interest in aviation-linked enterprises. By exploiting third-party applications like Oracle EBS, attackers are bypassing direct defenses and accessing sensitive environments through broadly deployed software platforms.
Envoy Air’s case highlights the amplifying effect of third-party risk when core enterprise systems are compromised. While there is no evidence at this time that sensitive customer data or operational systems were affected, the incident serves as a stark reminder that even partial breaches carry reputational, legal, and operational consequences.
The broader Oracle EBS campaign is ongoing. With Oracle racing to close exploit paths and attackers continuing to scan for unpatched systems, time is of the essence for enterprise defenders to act.
Urgent Need to Prioritize Patching Oracle EBS
The Envoy Air breach, enabled by vulnerabilities in Oracle’s E-Business Suite, reinforces the urgent need for enterprises to prioritize patching, monitor for exploitation indicators, and actively manage third-party software risks. As ransomware groups like Clop concentrate their efforts on high-return enterprise software platforms, proactive defense is no longer optional—it’s imperative.