Envoy Air, a subsidiary of American Airlines, was hit by the Cl0p ransomware group as part of a campaign exploiting vulnerabilities in Oracle E-Business Suite. The company stated that no sensitive or customer data was compromised, but a limited amount of business information and commercial contact details may have been exposed. The campaign targeted Oracle’s widely used enterprise software and affected multiple organizations globally; Envoy Air is investigating the incident in coordination with law enforcement. Experts note that exploitation began around July 2025, nearly three months before fixes were available in October 2025, giving the threat actors time to exfiltrate large volumes of data from exposed systems. The incident underscores the risk carried by third-party dependencies, the operational disruption that follows a compromise, and the potential long-term erosion of public trust. Google’s threat intelligence suggests that over 100 organizations could be affected, many of them unaware of a compromise that occurred during the zero-day period. Patches for CVE-2025-61882 and CVE-2025-61884 were released in October 2025; because they postdate the exploitation window, applying them does not establish that a system was never compromised, and any delay in applying them only extended the exposure.
TPRM report: https://www.rankiteo.com/company/envoyair
"id": "env1533115102225",
"linkid": "envoyair",
"type": "Ransomware",
"date": "5/2025",
"severity": "75",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'industry': 'Aviation',
'location': 'United States',
'name': 'Envoy Air',
'type': 'Subsidiary (Airline)'}],
'attack_vector': ['Exploitation of Oracle E-Business Suite Zero-Day '
'Vulnerability (CVE-2025-61882, CVE-2025-61884)'],
'customer_advisories': ['No sensitive or customer data was affected; limited '
'business information may have been compromised.'],
'data_breach': {'data_exfiltration': True,
'sensitivity_of_data': ['Low (No Sensitive or Customer Data '
'Confirmed)'],
'type_of_data_compromised': ['Business Information',
'Commercial Contact Details']},
'description': 'Envoy Air, a subsidiary of American Airlines, experienced a '
'cyberattack linked to a campaign targeting Oracle E-Business '
'Suite applications. The Cl0p ransomware group claimed '
'responsibility. While no sensitive or customer data was '
'confirmed compromised, a limited amount of business '
'information and commercial contact details may have been '
'exposed. The attack is part of a broader campaign exploiting '
'a zero-day vulnerability in Oracle E-Business Suite, with '
'experts warning that over 100 organizations may be affected. '
'Envoy Air is investigating and cooperating with law '
'enforcement.',
'impact': {'brand_reputation_impact': ['Erosion of Public Trust'],
'data_compromised': ['Business Information',
'Commercial Contact Details'],
'operational_impact': ['Disruption of Operations',
'Resource Strain',
'Investigation Overhead'],
'systems_affected': ['Oracle E-Business Suite Applications']},
'initial_access_broker': {'entry_point': 'Oracle E-Business Suite Zero-Day '
'Vulnerability',
'high_value_targets': ['Business Systems Data',
'Commercial Contact Details'],
'reconnaissance_period': 'Up to 3 months (July 10, '
'2025 – October 4, 2025)'},
'investigation_status': 'Ongoing (Cooperating with Law Enforcement)',
'lessons_learned': ['Dependencies on large, interconnected business systems '
'introduce significant risk when vulnerabilities are '
'exploited.',
'Third-party compromises divert resources from protecting '
'core business functions.',
'Least-privilege access, continuous monitoring, and '
'strong privileged access controls are critical to '
'mitigating ripple effects from supply-chain attacks.',
'Timely patching of zero-day vulnerabilities is '
'essential, especially when public PoCs are available.'],
'motivation': ['Financial Gain', 'Data Exfiltration', 'Disruption'],
'post_incident_analysis': {'corrective_actions': ['Patch management overhaul '
'for critical third-party '
'systems.',
'Enhanced monitoring for '
'supply-chain '
'vulnerabilities.',
'Review of privileged '
'access controls and '
'least-privilege '
'enforcement.'],
'root_causes': ['Exploitation of unpatched '
'zero-day vulnerability in Oracle '
'E-Business Suite (CVE-2025-61882, '
'CVE-2025-61884).',
'Delayed patching despite '
'availability of public PoC '
'exploits.',
'Interconnected system '
'dependencies amplifying attack '
'surface.']},
'ransomware': {'data_exfiltration': True, 'ransomware_strain': 'Cl0p'},
'recommendations': ['Install the October 2023 Critical Patch Update for '
'Oracle E-Business Suite (prerequisite for the '
'CVE-2025-61882 Security Alert patches).',
'Deploy the October 4, 2025 Security Alert patches for '
'CVE-2025-61882.',
'Apply the October 12, 2025 patches for CVE-2025-61884.',
'Confirm deployment of the July 2025 Critical Patch '
'Update to address related vulnerabilities.',
'Enforce least-privilege access and privileged access '
'controls.',
'Monitor for unusual behavior in interconnected systems.',
'Assess third-party risk exposure in supply-chain '
'dependencies.'],
'references': [{'source': 'Reuters'},
{'source': 'Keeper Security (Shane Barney, CISO)'},
{'source': 'Qualys Threat Research Unit (Mayuresh Dani, '
'Security Research Manager)'},
{'source': 'Google Threat Intelligence'}],
'response': {'communication_strategy': ['Public Statement via Reuters'],
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'remediation_measures': ['Investigation',
'Cooperation with Law Enforcement']},
'threat_actor': 'Cl0p Ransomware Group',
'title': 'Cyberattack on Envoy Air via Oracle E-Business Suite Vulnerability',
'type': ['Cyberattack', 'Ransomware', 'Data Breach'],
'vulnerability_exploited': ['CVE-2025-61882',
'CVE-2025-61884',
'Oracle E-Business Suite Zero-Day '
'(Unauthenticated, Low Complexity)']}
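The recommendations above amount to a patch checklist, but the record's own timeline (exploitation from July 10, 2025; first patch on October 4, 2025) means patch status alone cannot tell an operator whether an instance was compromised. The following triage helper, added here as an example and not code from the page, from Oracle or from Envoy Air, takes a per-instance inventory of applied patches and reports which recommended fixes are missing, which cannot be applied because the October 2023 CPU prerequisite is absent, how long each instance sat in the zero-day window, and how far its patching lagged the alert. The patch identifiers (PLACEHOLDER-…) are hypothetical; substitute the patch numbers from Oracle's advisories for your EBS release. The inventory is assumed to be a map of patch number to application date, such as an export from the AD_BUGS / AD_APPLIED_PATCHES tables, and the sample hosts are constructed.

```python
"""Patch-coverage and exposure-window triage for Oracle E-Business Suite instances.

Added example; not code from the page, from Oracle or from Envoy Air. Dates come
from the incident record. Patch identifiers are HYPOTHETICAL placeholders: take
the real patch numbers for your EBS release from Oracle's advisories. The
inventory is assumed to be a per-instance map of applied patch number -> date
applied, for example exported from the AD_BUGS / AD_APPLIED_PATCHES tables.
"""
from dataclasses import dataclass
from datetime import date

EXPLOIT_START = date(2025, 7, 10)  # earliest observed exploitation (incident record)
ALERT_61882 = date(2025, 10, 4)    # Security Alert patches for CVE-2025-61882
ALERT_61884 = date(2025, 10, 12)   # patches for CVE-2025-61884

# Fixes the recommendations call for. 'requires' names a fix that must already be
# applied: Oracle made the October 2023 CPU a prerequisite for the CVE-2025-61882
# alert patches. Patch numbers here are placeholders, not real Oracle patch IDs.
REQUIRED = {
    "oct2023_cpu":    {"patch": "PLACEHOLDER-OCT2023-CPU", "requires": None},
    "jul2025_cpu":    {"patch": "PLACEHOLDER-JUL2025-CPU", "requires": None},
    "cve_2025_61882": {"patch": "PLACEHOLDER-61882", "requires": "oct2023_cpu"},
    "cve_2025_61884": {"patch": "PLACEHOLDER-61884", "requires": None},
}


@dataclass
class Assessment:
    instance: str
    missing: list          # required fixes not present
    blocked: list          # missing fixes whose prerequisite is also missing
    zero_day_days: int     # days exposed before any CVE-2025-61882 patch existed
    patch_lag_days: int    # days after the alert that the instance stayed unfixed
    hunt_required: bool    # exposure predates the patch, so "patched" is not "clean"


def assess(instance: str, applied: dict, today: date) -> Assessment:
    """applied: patch number -> date applied for one instance."""
    missing, blocked = [], []
    for name, spec in REQUIRED.items():
        if spec["patch"] in applied:
            continue
        missing.append(name)
        req = spec["requires"]
        if req and REQUIRED[req]["patch"] not in applied:
            blocked.append(name)

    fixed_on = applied.get(REQUIRED["cve_2025_61882"]["patch"])
    # Exposure ends when the CVE-2025-61882 fix lands, or has not ended yet.
    end = min(fixed_on, today) if fixed_on else today
    zero_day_days = max(0, (min(end, ALERT_61882) - EXPLOIT_START).days)
    patch_lag_days = max(0, (end - ALERT_61882).days)
    # Any instance reachable during the zero-day window needs a compromise hunt,
    # however quickly it was patched once the alert came out.
    hunt_required = zero_day_days > 0
    return Assessment(instance, missing, blocked, zero_day_days,
                      patch_lag_days, hunt_required)


def triage(inventory: dict, today: date) -> list:
    """Assess every instance; prerequisite-blocked and unpatched ones sort first."""
    results = [assess(name, applied, today) for name, applied in inventory.items()]
    results.sort(key=lambda a: (-len(a.blocked), -len(a.missing), -a.patch_lag_days))
    return results


# Constructed sample inventory (hypothetical hosts, placeholder patch numbers).
SAMPLE = {
    "ebs-prod-1": {"PLACEHOLDER-OCT2023-CPU": date(2023, 11, 2),
                   "PLACEHOLDER-JUL2025-CPU": date(2025, 8, 1),
                   "PLACEHOLDER-61882": date(2025, 10, 6),
                   "PLACEHOLDER-61884": date(2025, 10, 14)},
    "ebs-prod-2": {"PLACEHOLDER-OCT2023-CPU": date(2023, 11, 2),
                   "PLACEHOLDER-JUL2025-CPU": date(2025, 8, 1)},  # missed both October alerts
    "ebs-legacy": {},  # no CPU applied since before October 2023
}
TODAY = date(2025, 10, 20)

if __name__ == "__main__":
    for a in triage(SAMPLE, TODAY):
        print(f"{a.instance}: missing={a.missing} blocked={a.blocked} "
              f"zero_day={a.zero_day_days}d lag={a.patch_lag_days}d hunt={a.hunt_required}")
```

The point the output makes is that even the promptly patched host carries 86 days of pre-patch exposure and is flagged for a hunt; the legacy host cannot take the CVE-2025-61882 fix at all until the October 2023 CPU is applied, which is why it sorts to the top of the worklist.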