416/68 Tuesday, October 21, 2025

Envoy Air, a regional airline under American Airlines, has confirmed that it was affected by a cyberattack targeting Oracle E-Business Suite (EBS) systems, carried out by the Cl0p ransomware group, which is linked to the FIN11 cybercrime syndicate. The attackers added American Airlines to their leak site on the dark web (Tor) and published allegedly stolen files totaling over 26 gigabytes. Investigations revealed that the attack specifically targeted Envoy Air’s Oracle EBS system rather than American Airlines’ core systems.
Headquartered in Texas, Envoy Air operates more than 800 daily flights to 160 destinations under the American Eagle brand. The airline stated that the incident did not compromise customer data or other critical information, and only some business-related data and commercial contact details may have been impacted. This attack is part of the broader Oracle EBS campaign, which has also affected Harvard University and the University of the Witwatersrand in South Africa, both of which are still assessing the extent of the damage.
Oracle has released patches addressing multiple vulnerabilities, including the zero-day CVE-2025-61882, which was exploited in these attacks, and CVE-2025-61884, which could lead to data leaks. It remains unclear which vulnerability Cl0p leveraged in this case. The incident underscores the risks of relying on ERP systems and third-party data management. Security experts recommend that organizations using Oracle EBS urgently apply patches, review system access, and strengthen security measures to prevent future breaches.
Source: https://www.securityweek.com/american-airlines-subsidiary-envoy-air-hit-by-oracle-hack/