Envoy Air Data Breach: Clop Ransomware Exploits Oracle E-Business Suite Zero-Day (CVE-2025-61882)
- Rescana
- Oct 19

Executive Summary
Envoy Air, a regional airline and subsidiary of American Airlines, has confirmed a data breach resulting from the exploitation of a critical zero-day vulnerability in the Oracle E-Business Suite (EBS) application. The attack, attributed to the Clop ransomware gang, led to the compromise of a limited amount of business information and commercial contact details. No sensitive or customer data was affected, and there was no impact on flight or airport ground handling operations. The breach is part of a broader campaign targeting organizations using Oracle E-Business Suite, with the attackers leveraging a previously unknown vulnerability (CVE-2025-61882) to gain unauthorized access. The incident underscores the persistent targeting of the aviation sector by sophisticated ransomware groups and highlights the urgent need for timely patching of enterprise software. All technical details and claims in this report are corroborated by three independent, primary sources: BleepingComputer, The Record, and Breached Company (BleepingComputer, 17 Oct 2025; The Record, 17 Oct 2025; Breached Company, 17 Oct 2025).
Technical Information
The attack on Envoy Air exploited a critical zero-day vulnerability in the Oracle E-Business Suite (EBS), specifically CVE-2025-61882, which carries a CVSS score of 9.8 (Critical). This vulnerability resides in the BI Publisher Integration component of Oracle Concurrent Processing and allows unauthenticated remote code execution (RCE) over the network, meaning attackers do not require valid credentials to exploit the flaw (Breached Company, 17 Oct 2025; BleepingComputer, 17 Oct 2025; The Record, 17 Oct 2025).
The exploit chain orchestrated by the Clop group involved at least five distinct vulnerabilities. The attack began with a Server-Side Request Forgery (SSRF), where attackers sent crafted HTTP POST requests containing malicious XML to force the backend server to send arbitrary HTTP requests. This was followed by a Carriage Return/Line Feed (CRLF) injection, which allowed the attackers to inject arbitrary headers into HTTP requests. The attackers then smuggled these requests to an internet-exposed Oracle EBS application, ultimately loading a malicious XSLT template. This template contained code that executed when the system attempted to preview it, resulting in remote code execution on the affected server (Breached Company, 17 Oct 2025).
No specific commodity malware was identified in this incident. The primary tool was a custom exploit for CVE-2025-61882, leveraging SSRF, CRLF injection, and malicious XSLT templates for RCE. The attack was focused on data theft and extortion, with no evidence of ransomware payload deployment or data encryption (Breached Company, 17 Oct 2025).
The Clop ransomware gang (also tracked as TA505/FIN11) is a well-known cybercriminal group specializing in large-scale data theft and extortion campaigns. This incident marks the third time since 2023 that an American Airlines entity has been targeted by Clop, following the 2023 MOVEit breach and the 2023 Pilot Credentials vendor breach (Breached Company, 17 Oct 2025; BleepingComputer, 17 Oct 2025).
The attack methods align with several MITRE ATT&CK techniques. For initial access, T1190 (Exploit Public-Facing Application) was used, as the attackers exploited a zero-day in a public-facing Oracle EBS application. For execution, T1059 (Command and Scripting Interpreter) was used, as code was executed via malicious XSLT templates. For exfiltration, T1041 (Exfiltration Over C2 Channel) was used, as business and contact data were stolen for extortion. There is no evidence of data encryption (T1486) or system recovery inhibition (T1490) in this incident.
The aviation sector remains a high-value target for ransomware groups due to its critical infrastructure and the potential for operational disruption. The repeated targeting of American Airlines entities demonstrates the sector's attractiveness and the persistent threat posed by sophisticated actors like Clop (Breached Company, 17 Oct 2025).
Affected Versions & Timeline
The vulnerability exploited in this attack, CVE-2025-61882, affects Oracle E-Business Suite versions 12.2.3 through 12.2.14. The flaw is located in the BI Publisher Integration component of Oracle Concurrent Processing. The attack timeline is as follows:
June 2025: Dark web posts began advertising an Oracle EBS zero-day exploit for sale.
July to August 2025: The Clop threat actors exploited CVE-2025-61882 as a zero-day vulnerability against Oracle EBS customers, with suspicious activity potentially dating back to July 10, 2025.
September 29, 2025: Clop began sending high-volume extortion emails to executives at numerous organizations, alleging the theft of sensitive data from victims' Oracle E-Business Suite environments.
October 2, 2025: Oracle initially reported that threat actors may have exploited vulnerabilities patched in July 2025.
October 4, 2025: Oracle released an emergency patch for CVE-2025-61882 and published indicators of compromise after confirming active exploitation.
October 6, 2025: An exploit archive and partial Oracle source code were leaked by a group calling itself "Scattered Lapsus$ Hunters" on Telegram.
October 16, 2025: Clop posted American Airlines on its dark web leak site.
October 17, 2025: Envoy Air confirmed the breach (Breached Company, 17 Oct 2025; BleepingComputer, 17 Oct 2025; The Record, 17 Oct 2025).
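A small version-range check, added here as an example and not taken from the report or from Oracle, decides whether an EBS version string falls inside the 12.2.3 through 12.2.14 range stated above. The hostnames and version strings in it are constructed placeholders. The one practical point it makes is that versions must be compared numerically: a plain string comparison sorts "12.2.14" before "12.2.3" and would silently leave the newest affected release out of a patch list.

```python
# Added example (not from the Rescana report or Oracle): checks whether an
# Oracle E-Business Suite version string is inside the range the report
# gives as affected by CVE-2025-61882, 12.2.3 through 12.2.14 inclusive.
# Hostnames and version strings used below are constructed sample input.

AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)


def parse_version(version: str) -> tuple:
    """Turn '12.2.14' into (12, 2, 14) so comparisons are numeric.

    Comparing raw strings is wrong: '12.2.14' < '12.2.3' lexicographically
    because the character '1' sorts before '3'.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the version is within the affected range (inclusive)."""
    v = parse_version(version)
    # Pad short strings ('12.2' -> 12.2.0) and ignore any fourth component,
    # so a sub-release of 12.2.14 is still treated as 12.2.14.
    v = (v + (0, 0, 0))[:3]
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def triage(inventory: dict) -> dict:
    """Split a host -> version inventory into patch-now, out-of-range and unparseable."""
    result = {"affected": [], "not_in_range": [], "unparseable": []}
    for host, version in inventory.items():
        try:
            bucket = "affected" if is_affected(version) else "not_in_range"
        except ValueError:
            # e.g. 'R12.2.9' from an inventory tool that prefixes the release letter
            bucket = "unparseable"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; every hostname and version is a placeholder.
    sample = {
        "ebs-prod-01.example.internal": "12.2.14",
        "ebs-prod-02.example.internal": "12.2.3",
        "ebs-test-01.example.internal": "12.2.2",
        "ebs-legacy.example.internal": "12.1.3",
        "ebs-unknown.example.internal": "R12.2.9",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {hosts}")
```

Anything landing in the unparseable bucket should be checked by hand rather than assumed safe; an inventory tool that reports versions in an unexpected format is a gap, not a clean result.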
Threat Activity
The Clop ransomware gang, also known as TA505/FIN11, orchestrated the attack on Envoy Air as part of a broader campaign targeting organizations using Oracle E-Business Suite. The group is known for exploiting newly discovered or unpatched vulnerabilities in widely used enterprise software, maximizing the number of potential victims in high-value sectors such as aviation.
In this campaign, Clop exploited CVE-2025-61882 to gain unauthorized access to Oracle EBS environments. The group then exfiltrated business information and commercial contact details, which were subsequently used to extort the victim organization. Clop publicly claimed responsibility for the attack, listing American Airlines (Envoy Air) on its leak site and threatening to release stolen data unless extortion demands were met. The group also targeted other organizations, including Harvard University, as part of the same campaign (BleepingComputer, 17 Oct 2025; The Record, 17 Oct 2025).
The attack did not impact flight or airport ground handling operations at Envoy Air. The company immediately began an investigation upon learning of the incident and contacted law enforcement. A thorough review confirmed that no sensitive or customer data was affected (BleepingComputer, 17 Oct 2025; The Record, 17 Oct 2025).
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded by adding CVE-2025-61882 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies and organizations to apply the emergency patch released by Oracle by October 27, 2025 (Breached Company, 17 Oct 2025).
Mitigation & Workarounds
The following mitigation steps are prioritized by severity:
Critical: Organizations using Oracle E-Business Suite versions 12.2.3 through 12.2.14 must immediately apply the emergency patch for CVE-2025-61882 released by Oracle on October 4, 2025. This patch addresses the unauthenticated remote code execution vulnerability exploited in this campaign (Breached Company, 17 Oct 2025; BleepingComputer, 17 Oct 2025).
High: Review all Oracle E-Business Suite environments for indicators of compromise (IOCs) published by Oracle and CISA. Conduct forensic analysis of application and server logs for evidence of SSRF, CRLF injection, and unauthorized XSLT template execution.
High: Isolate and restrict public internet access to Oracle E-Business Suite applications wherever possible. Implement network segmentation and firewall rules to limit exposure of critical enterprise applications.
Medium: Review and update incident response plans to ensure rapid detection and containment of similar attacks. Train IT and security staff on the latest attack vectors targeting enterprise software.
Medium: Monitor for further advisories from Oracle, CISA, and other relevant authorities regarding additional vulnerabilities or exploit activity related to Oracle E-Business Suite.
Low: Engage with third-party risk management (TPRM) providers to assess the security posture of vendors and partners with access to critical enterprise applications.
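As an added example of the log review recommended above (not code from Rescana, Oracle or CISA), the following Python script applies two heuristics to web-server access logs in Apache combined format: percent-encoded CR/LF in a request target, the signature of a CRLF-injection attempt, and a URL scheme supplied as a parameter value, the usual shape of an SSRF attempt. The log lines, addresses, hostnames and the "/app/" path prefix are all constructed placeholders; the real Oracle EBS paths and the indicators Oracle and CISA published are not reproduced here and should be added from those advisories.

```python
# Added example (not from the Rescana report, Oracle or CISA): a heuristic
# scan of web-server access logs for request-level traces of SSRF and
# CRLF-injection attempts. Assumes Apache "combined" log format. Every log
# line, IP address, hostname and path below is constructed sample data, and
# "/app/" is a placeholder prefix, not an Oracle EBS path.
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote

# ip ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Percent-encoded CR/LF (or Apache's escaped \r \n) in a request target has no
# legitimate use in a path or query string; it is the header-injection tell.
CRLF_RE = re.compile(r"%0[dD]|%0[aA]|\\r|\\n")
# A URL scheme as a parameter value is the usual shape of a server-side request
# forgery attempt: the application is being asked to fetch something for the client.
EMBEDDED_URL_RE = re.compile(r"[?&][^=&]+=(?:https?|file|gopher|ftp)(?:%3[aA]|:)", re.I)

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
198.51.100.4 - - [10/Jul/2025:03:12:45 +0000] "GET /app/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jul/2025:03:13:02 +0000] "GET /app/report?template=http%3A%2F%2Finternal-host.example.internal%2Fx HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.9 - - [10/Jul/2025:03:13:07 +0000] "POST /app/render?id=7%0d%0aX-Injected:%201 HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.4 - - [10/Jul/2025:03:14:10 +0000] "POST /app/api/submit HTTP/1.1" 200 64 "https://portal.example.internal/" "Mozilla/5.0"
this line is not in combined log format and is counted as unparsed
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None for anything that does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    """Return the heuristic flags raised by one parsed entry (empty when clean)."""
    flags = []
    target = entry["target"]
    decoded = unquote(target)
    if CRLF_RE.search(target) or "\r" in decoded or "\n" in decoded:
        flags.append("crlf-in-target")
    if EMBEDDED_URL_RE.search(target) or EMBEDDED_URL_RE.search(decoded):
        flags.append("url-in-parameter")
    return flags


def scan(lines) -> dict:
    """Scan access-log lines; return flagged requests, per-source counts, unparsed count."""
    flagged, by_source, unparsed = [], Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        flags = classify(entry)
        if flags:
            flagged.append({"ip": entry["ip"], "time": entry["time"],
                            "method": entry["method"], "target": entry["target"],
                            "status": entry["status"], "flags": flags})
            by_source[entry["ip"]] += 1
    return {"flagged": flagged, "by_source": dict(by_source), "unparsed": unparsed}


if __name__ == "__main__":
    report = scan(SAMPLE_LOG.splitlines())
    for hit in report["flagged"]:
        print(hit["time"], hit["ip"], hit["method"], hit["target"], hit["flags"])
    print("sources to prioritise:", report["by_source"], "| unparsed lines:", report["unparsed"])
```

Hits are grouped by source address so the noisiest sources can be pulled first. Treat the flags as triage input rather than verdicts: confirm them against Oracle's published indicators and against the application-tier and concurrent-processing logs, which an access-log view does not cover.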
References
https://www.bleepingcomputer.com/news/security/american-airlines-subsidiary-envoy-confirms-oracle-data-theft-attack/ (BleepingComputer, 17 Oct 2025)
https://therecord.media/regional-airline-envoy-oracle (The Record, 17 Oct 2025)
https://breached.company/american-airlines-subsidiary-hit-by-clop-ransomware-in-oracle-zero-day-attack/ (Breached Company, 17 Oct 2025)
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor cyber risks in their extended supply chain. Our platform enables continuous visibility into vendor security posture, supports rapid incident response coordination, and delivers actionable intelligence for enterprise risk teams. For questions about this incident or to discuss how Rescana can support your organization’s risk management efforts, please contact us at ops@rescana.com.