
Envoy Air Confirms Involvement in Oracle E-Business Suite Cyberattack

Envoy Air, a regional carrier owned by American Airlines, has confirmed that it was affected by the recent Oracle E-Business Suite (EBS) exploitation campaign

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.


Envoy Air, a regional carrier owned by American Airlines, has confirmed that it was affected by the recent Oracle E-Business Suite (EBS) exploitation campaign, a large-scale cybercrime operation linked to the Cl0p ransomware group and FIN11 threat actors.

The campaign has already impacted multiple high-profile organizations worldwide, including Harvard University and the University of the Witwatersrand in South Africa. Attackers are believed to have exploited vulnerabilities in Oracle’s EBS platform to steal sensitive business data and extort affected companies.

The Attack and Data Exposure

The Cl0p ransomware group listed American Airlines as a victim on its Tor-based leak site late last week, claiming to have exfiltrated 26 GB of internal data. However, it appears that the actual target was Envoy Air’s Oracle EBS instance, not American Airlines directly.

In a public statement, Envoy Air confirmed that it had been impacted by the campaign but stated that its investigation found no evidence of customer or sensitive data compromise.

“A limited amount of business information and commercial contact details may have been compromised,” the airline said.

The company also emphasized that operations were not disrupted and that customer-facing systems remain secure.

Connection to the Cl0p and FIN11 Campaign

The ongoing campaign is part of a broader extortion effort attributed to the Cl0p group and associated FIN11 clusters, both known for mass exploitation of enterprise software; in their recent campaigns the actors have stolen data and extorted victims rather than encrypting systems.

The Oracle EBS exploitation campaign has impacted dozens of organizations, many of which have received extortion emails demanding payment to prevent the release of stolen data. Victims who refused to pay appear on the group’s leak website.

Cybersecurity researchers from Google’s Threat Intelligence Group (GTIG) and Mandiant have observed overlaps between this campaign and previous attacks targeting MOVEit, Fortra GoAnywhere, and Accellion file transfer systems—all previously exploited by Cl0p.

Other Confirmed Victims

The University of the Witwatersrand confirmed that it, too, was targeted and is currently analyzing the scope of its data exposure. Harvard University was the first confirmed victim, with attackers leaking over 1.3 TB of archived data. Industrial manufacturer Emerson has also been named, though no data from that breach has yet been released.

Technical Analysis and Vulnerabilities

While the exact vulnerabilities exploited remain under investigation, Oracle has acknowledged that both known and zero-day flaws were used in the attacks.

  • CVE-2025-61882, a critical remote code execution vulnerability exploitable over the network without authentication, was confirmed by Oracle as a zero-day exploited in the wild.

  • Another issue, CVE-2025-61884, allows unauthenticated access to sensitive data within Oracle EBS; at the time of writing Oracle had not confirmed whether it was also abused in this campaign.

These findings underscore the importance of rapid patching and continuous vulnerability monitoring (vendor security alerts and exploited-vulnerability catalogs) for enterprise platforms that hold financial, HR, and customer data, and of keeping such platforms off the open internet wherever the business allows.
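As an added example of the vulnerability monitoring recommended above (this is not code from the article or from Oracle), the Python script below reads a feed in the layout of CISA's Known Exploited Vulnerabilities (KEV) catalog, matches its entries against a software inventory, and ranks what to patch first: flaws tied to a ransomware campaign, on hosts reachable from the internet, with the shortest remaining or already-expired patch window. The feed snippet and the inventory are constructed for the demonstration; the `dateAdded`, `dueDate` and `knownRansomwareCampaignUse` values, the hostnames and the non-Oracle product are placeholders, not real catalog entries or assets.

```python
"""Rank unpatched assets against a KEV-style exploited-vulnerability feed.

Added example, not from the article or from Oracle. The feed and the
inventory below are constructed for the demonstration.
"""
import json
from datetime import datetime

# Constructed feed in the layout of CISA's KEV JSON (cveID, vendorProject,
# product, dateAdded, dueDate, knownRansomwareCampaignUse). The dates and
# the ransomware flags are placeholders, not the catalog's real entries.
KEV_FEED = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2025-61882", "vendorProject": "Oracle",
         "product": "E-Business Suite", "dateAdded": "2025-10-06",
         "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-61884", "vendorProject": "Oracle",
         "product": "E-Business Suite", "dateAdded": "2025-10-20",
         "dueDate": "2025-11-10", "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed asset inventory: what runs where and whether it is reachable
# from the internet. Hostnames and the non-Oracle product are placeholders.
INVENTORY = [
    {"host": "ebs-prod-01", "vendor": "Oracle", "product": "E-Business Suite",
     "internet_exposed": True},
    {"host": "ebs-dev-02", "vendor": "Oracle", "product": "E-Business Suite",
     "internet_exposed": False},
    {"host": "files-03", "vendor": "ExampleVendor", "product": "ExampleTransfer",
     "internet_exposed": True},
]

# Scoring weights: favour what extortion crews are actually exploiting, on
# hosts they can reach, with the least time left before the patch deadline.
W_RANSOMWARE = 3
W_EXPOSED = 2
W_DUE_SOON = 1
W_OVERDUE = 2
DUE_SOON_DAYS = 30


def _matches(asset, entry):
    """Case-insensitive vendor/product match between an asset and a feed entry."""
    return (asset["vendor"].lower() == entry["vendorProject"].lower()
            and entry["product"].lower() in asset["product"].lower())


def prioritise(feed_json, inventory, today_iso):
    """Return findings sorted from most to least urgent.

    today_iso is the reference date as 'YYYY-MM-DD'. Each finding carries
    the host, the CVE, the days until the feed's due date (negative when
    overdue) and the score used for ordering.
    """
    today = datetime.strptime(today_iso, "%Y-%m-%d").date()
    entries = json.loads(feed_json)["vulnerabilities"]
    findings = []
    for asset in inventory:
        for entry in entries:
            if not _matches(asset, entry):
                continue
            due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
            days_left = (due - today).days
            score = 0
            if entry.get("knownRansomwareCampaignUse") == "Known":
                score += W_RANSOMWARE
            if asset["internet_exposed"]:
                score += W_EXPOSED
            if days_left < 0:
                score += W_OVERDUE
            elif days_left <= DUE_SOON_DAYS:
                score += W_DUE_SOON
            findings.append({"host": asset["host"], "cve": entry["cveID"],
                             "days_until_due": days_left, "score": score})
    # Highest score first; ties broken by the nearer due date, then hostname.
    findings.sort(key=lambda f: (-f["score"], f["days_until_due"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in prioritise(KEV_FEED, INVENTORY, "2025-10-10"):
        print(f"{f['score']:>2}  {f['host']:<12} {f['cve']}  "
              f"due in {f['days_until_due']} d")
```

In practice the feed string would be the downloaded KEV JSON and the inventory would come from a CMDB or scanner export; the weights are a starting point to tune, and the internet-exposure flag matters because the campaigns described here target systems the attackers can reach directly.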

Conclusion

The Envoy Air disclosure adds to a growing list of victims in the Oracle EBS exploitation campaign, showing how a single vulnerable enterprise platform deployed across many organizations lets one campaign cascade across industries worldwide. As threat actors refine their extortion tactics, organizations are reminded that proactive patching, limiting the internet exposure of business applications, credential hygiene, and network segmentation remain essential defenses against evolving ransomware and data-theft operations.