Envoy Air

Texas-based regional airline Envoy Air, a subsidiary of American Airlines, confirmed a breach on October 17, 2025, stemming from a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS) exploited by the CL0P ransomware group (TA505/FIN11). The attack was part of a coordinated extortion campaign targeting global companies through a high-volume email phishing scheme launched in late September 2025. While Envoy Air stated that no sensitive customer data or flight operations were affected, the breach compromised limited business information and commercial contact details. The vulnerability allowed attackers to gain unauthorized remote access without credentials; Oracle released an emergency patch on October 4, 2025, after nearly three months of active exploitation. CL0P had already listed American Airlines (Envoy Air's parent company) on its dark web leak site on October 16, 2025, claiming significant data theft. Experts warned of a ripple effect across organizations running Oracle EBS and emphasized urgent patching to mitigate the threat.

Source: https://hackread.com/envoy-air-american-airlines-oracle-ebs-0-day-breach-cl0p/

TPRM report: https://www.rankiteo.com/company/envoyair

{
"id": "env5932059102125",
"linkid": "envoyair",
"type": "Ransomware",
"date": "9/2025",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
}
{'affected_entities': [{'customers_affected': 'none',
                        'industry': 'aviation',
                        'location': 'Texas, USA',
                        'name': 'Envoy Air',
                        'type': 'regional airline'},
                       {'industry': 'aviation',
                        'location': 'Texas, USA',
                        'name': 'American Airlines',
                        'type': 'major airline (parent company of Envoy Air)'},
                       {'industry': 'higher education',
                        'location': 'Massachusetts, USA',
                        'name': 'Harvard University',
                        'type': 'educational institution'}],
 'attack_vector': ['phishing (high-volume email campaign)',
                   'exploitation of zero-day vulnerability (CVE-2025-61882) in '
                   'Oracle E-Business Suite'],
 'customer_advisories': ['Public statement confirming no sensitive customer '
                         'data or operational impact.'],
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': 'none',
                 'sensitivity_of_data': 'low (no sensitive customer or '
                                        'operational data)',
                 'type_of_data_compromised': ['business information',
                                              'commercial contact details']},
 'date_detected': '2025-09-29',
 'date_publicly_disclosed': '2025-10-17',
 'description': 'Texas-based regional airline Envoy Air, operating under '
                'American Airlines, confirmed a breach on October 17, 2025, as '
                'part of a coordinated extortion campaign by the CL0P '
                'ransomware group. The attack exploited a zero-day '
                'vulnerability (CVE-2025-61882) in Oracle E-Business Suite '
                '(EBS), allowing unauthorized system control. While no '
                'sensitive customer data or flight operations were impacted, '
                'limited business and commercial contact details were '
                'compromised. The campaign, active since at least September '
                '2025, also targeted Harvard University and American Airlines '
                "(Envoy Air's parent company). Oracle released an emergency "
                'patch on October 4, 2025, but the flaw had been exploited for '
                'nearly three months prior.',
 'impact': {'brand_reputation_impact': 'potential reputational risk due to '
                                       'association with CL0P and parent '
                                       'company (American Airlines) listing on '
                                       'dark web',
            'data_compromised': ['limited business information',
                                 'commercial contact details'],
            'identity_theft_risk': 'none (no sensitive customer data affected)',
            'operational_impact': 'none (no impact on flight or airport '
                                  'operations)',
            'payment_information_risk': 'none',
            'systems_affected': ['Oracle E-Business Suite (EBS)']},
 'initial_access_broker': {'data_sold_on_dark_web': ['American Airlines data '
                                                     "listed on CL0P's dark "
                                                     'web leak site '
                                                     '(2025-10-16)'],
                           'entry_point': ['phishing emails targeting '
                                           'executives (starting ~2025-09-29)',
                                           'exploitation of CVE-2025-61882 in '
                                           'Oracle EBS'],
                           'high_value_targets': ['Oracle EBS environments',
                                                  'executive contact details'],
                           'reconnaissance_period': 'likely conducted prior to '
                                                    'September 2025 (exploit '
                                                    'active for ~3 months '
                                                    'before patch)'},
 'investigation_status': 'ongoing (as of 2025-10-17)',
 'lessons_learned': 'Exploitation of vulnerabilities in widely used enterprise '
                    'software (e.g., Oracle EBS) can create ripple effects '
                    'across multiple organizations. Containment is as critical '
                    'as prevention in mitigating such large-scale campaigns.',
 'motivation': ['financial extortion', 'data theft for leverage'],
 'post_incident_analysis': {'corrective_actions': ['Application of Oracle EBS '
                                                   'emergency patch.',
                                                   'Review of email security '
                                                   'controls to prevent '
                                                   'phishing.',
                                                   'Enhanced monitoring for '
                                                   'anomalous activity in '
                                                   'Oracle EBS environments.'],
                            'root_causes': ['Exploitation of unpatched '
                                            'zero-day vulnerability '
                                            '(CVE-2025-61882) in Oracle EBS.',
                                            'Delayed patching (vulnerability '
                                            'exploited for ~3 months before '
                                            'emergency patch).',
                                            'Successful phishing campaign '
                                            'targeting executives.']},
 'ransomware': {'data_exfiltration': True, 'ransomware_strain': 'CL0P'},
 'recommendations': ['Urgent installation of Oracle EBS security updates, '
                     'including the emergency patch for CVE-2025-61882.',
                     'Enhanced monitoring for signs of exploitation in Oracle '
                     'EBS environments.',
                     'Proactive threat intelligence sharing to identify '
                     'targeted extortion campaigns early.',
                     'Segmentation of critical systems to limit lateral '
                     'movement in case of breach.'],
 'references': [{'date_accessed': '2025-10-03', 'source': 'Hackread.com'},
                {'date_accessed': '2025-10-16', 'source': 'X.com (@H4ckmanac)'},
                {'source': 'Shane Barney, Chief Information Security Officer '
                           'at Keeper Security'}],
 'response': {'communication_strategy': ['public disclosure on 2025-10-17',
                                         'assurance of no impact on operations '
                                         'or customer data'],
              'containment_measures': ['investigation to confirm scope of '
                                       'breach',
                                       'assessment of compromised data'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['application of Oracle emergency patch '
                                       '(released 2025-10-04)'],
              'third_party_assistance': ['Mandiant (Google Cloud)',
                                         'Google Threat Intelligence Group '
                                         '(GTIG)']},
 'threat_actor': ['CL0P (aka TA505/FIN11)'],
 'title': 'Envoy Air Ransomware Attack via Oracle E-Business Suite Zero-Day '
          'Vulnerability (CVE-2025-61882)',
 'type': ['ransomware', 'data breach', 'zero-day exploit'],
 'vulnerability_exploited': 'CVE-2025-61882 (critical zero-day in Oracle '
                            'E-Business Suite allowing remote system control '
                            'without authentication)'}