Envoy Air (American Airlines) Confirms Oracle EBS Zero-Day Breach Linked to Cl0p Group

On October 17, 2025, Envoy Air, a Texas-based regional airline and the largest carrier under American Airlines, confirmed that it was recently compromised due to a series of cyberattacks exploiting a zero-day vulnerability in a major corporate software application. The hacks were executed by CL0P, a notorious ransomware group known by multiple aliases, including TA505 and FIN11. The primary target was the Oracle E-Business Suite (EBS), a widely used software platform critical for business operations, encompassing finance, manufacturing, and more.

This breach is part of a larger, coordinated extortion campaign that emerged in early October 2025. The campaign initially sparked concern around September 29, when a significant email phishing operation began targeting senior company executives. Investigations revealed that the perpetrators, claiming affiliation with CL0P, threatened to release data purportedly stolen from Oracle EBS environments.

As reported by Hackread.com on October 3, 2025, cybersecurity firms Mandiant and the Google Threat Intelligence Group swiftly began scrutinizing these threats. They identified that the email addresses employed in the extortion communications were consistent with those listed on CL0P’s data leak site, indicating a strong linkage to the group.

The exploited zero-day vulnerability, designated CVE-2025-61882, represented a severe security risk, allowing the attackers to seize control of the system remotely without needing valid login credentials. This critical flaw was actively exploited for nearly three months prior to Oracle’s release of an emergency patch on October 4, 2025.

In its disclosures, Envoy Air emphasized that its investigation revealed no compromise of sensitive customer data and confirmed that its flight and airport operations remained unaffected. The breach reportedly only involved a limited amount of business-related information and commercial contact details. Envoy Air is notably the second significant entity to acknowledge a breach from this ongoing campaign, following an admission by Harvard University on October 13.

The implications of this incident are alarming. Not only does it illustrate the vulnerabilities within widely used software like Oracle EBS, but it also highlights the prolonged window of exposure before a security patch was made available. Moreover, the CL0P group listed American Airlines on its dark web leak site on October 16, 2025, publicly staking its claim to have breached the airline through the exploited zero-day vulnerability.

Experts recommend that all organizations utilizing Oracle EBS urgently apply the necessary security updates, including the recent emergency patch, to mitigate the potential risks presented by this widespread threat. The looming presence of the CL0P group underscores the urgency in addressing cybersecurity vulnerabilities across the sector.

Shane Barney, Chief Information Security Officer at Keeper Security, provided insight regarding the broader context of this campaign. He pointed out that the exploitation of vulnerabilities in a ubiquitous platform like Oracle’s EBS can create a cascading effect, impacting numerous organizations that rely on similar systems. He emphasized that, in today’s evolving cyber landscape, organizations need both containment and prevention strategies to defend effectively against such attacks.
