Envoy Air Data Breach via Oracle E-Business Suite Zero-Day Exploitation
Envoy Air, a major regional airline operating under American Airlines, experienced a significant data breach in October 2025 following a sophisticated ransomware attack. The breach was traced to the exploitation of a zero-day vulnerability, CVE-2025-61882, in Oracle’s E-Business Suite (EBS), which allowed unauthenticated remote code execution on unpatched systems. The Clop ransomware group, known for targeting large organizations, weaponized this vulnerability as part of a broader campaign affecting multiple industries worldwide. The attack campaign began in August 2025 and escalated through September, prompting Oracle to issue an emergency patch in early October. Envoy Air’s investigation revealed that approximately 26GB of internal business documents and commercial contacts were exfiltrated and later published on Clop’s leak site. However, the airline confirmed that no sensitive customer personally identifiable information (PII), loyalty program data, or flight operations systems were compromised. The breach was contained to non-operational, non-customer-facing IT assets, as corroborated by independent monitors and incident response teams. The incident highlighted the systemic risk posed by widespread adoption of enterprise resource planning (ERP) platforms like Oracle EBS, as other victims included higher education institutions and multinational corporations. Oracle’s October 2025 Critical Patch Update addressed 170 unique CVEs across 29 product families, with 20 patches specifically for Oracle EBS, including fixes for vulnerabilities that could be exploited remotely without authentication. The update included critical patches for multiple Oracle products, reflecting the urgency and severity of the vulnerabilities exploited in the campaign. Envoy Air worked closely with cybersecurity experts and law enforcement to contain the breach and implement remediation measures. The incident underscored the importance of timely patch management and the risks associated with unpatched enterprise software. The Clop group’s use of a zero-day exploit demonstrated the evolving tactics of ransomware operators targeting high-value enterprise systems. The breach also prompted industry-wide reviews of Oracle EBS deployments and accelerated the adoption of security best practices. Oracle’s rapid response and emergency patch release were crucial in mitigating further exploitation. The event serves as a cautionary tale for organizations relying on complex ERP platforms, emphasizing the need for proactive vulnerability management. The breach’s limited impact on customer-facing systems was attributed to effective network segmentation and incident response protocols. The campaign’s global reach highlighted the interconnected nature of modern enterprise IT environments and the potential for cascading risks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Envoy Air data breach is publicly reported
A data breach affecting Envoy Air was publicly reported in the referenced coverage. No additional incident details or earlier milestones are provided in the available content.
Oracle releases October 2025 Critical Patch Update for 170 CVEs
Oracle issued its October 2025 Critical Patch Update addressing 170 vulnerabilities across its products. This patch release is the key disclosed event referenced in the source material.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Mass Exploitation of Oracle E-Business Suite Zero-Day Vulnerability
A significant cybersecurity incident has emerged involving the mass exploitation of a previously unknown zero-day vulnerability in Oracle E-Business Suite (EBS). CrowdStrike has identified an active campaign in which threat actors are leveraging this zero-day, now tracked as CVE-2025-61882, to compromise organizations using Oracle EBS. The attackers have targeted a range of organizations, including major enterprises and at least one prominent airline, Envoy Air, which suffered a breach as part of this wave of extortion attempts. The exploitation campaign has raised concerns due to the critical nature of Oracle EBS in managing sensitive business operations, including financials, supply chain, and human resources. Security researchers have highlighted that the attackers are using sophisticated techniques to gain initial access and then move laterally within affected networks. The campaign has prompted urgent advisories from security vendors and researchers, urging organizations to apply patches and review their Oracle EBS deployments for signs of compromise. The incident has also drawn attention to the broader risks posed by supply chain and third-party software vulnerabilities, as attackers increasingly target widely used enterprise platforms. In addition to direct exploitation, there are indications that the attackers may be using stolen credentials and exploiting weak configurations to escalate privileges. The breach at Envoy Air underscores the real-world impact of the campaign, with potential exposure of sensitive data and operational disruption. Security experts have warned that the campaign may not be limited to a single threat actor, as multiple groups could be leveraging the same vulnerability for different objectives, including extortion and data theft. The incident has also reignited debate over the speed and transparency of vulnerability disclosure and patching processes for critical enterprise software. Organizations are being advised to monitor for indicators of compromise, enhance logging and detection around Oracle EBS systems, and coordinate with vendors for timely updates. The campaign is ongoing, and further victims may emerge as investigations continue. This event highlights the persistent threat posed by zero-day vulnerabilities in widely deployed business applications and the need for robust patch management and incident response capabilities.
Mar 21, 2026
Critical Remote Code Execution Vulnerability in Oracle E-Business Suite Exploited by Clop Ransomware
Oracle E-Business Suite (EBS) was found to contain a critical remote code execution (RCE) vulnerability, tracked as CVE-2025-61882, which has been actively exploited in the wild. The flaw resides in the Oracle Concurrent Processing component, specifically within the BI Publisher Integration, and carries a CVSS base score of 9.8 due to its unauthenticated and easily exploitable nature. Attackers can leverage this vulnerability to execute arbitrary code remotely without requiring valid credentials, posing a severe risk to organizations running affected EBS versions. Oracle confirmed that versions 12.2.3 through 12.2.14 are impacted by this vulnerability. The company released an emergency security update to address the issue, but customers must first apply the October 2023 Critical Patch Update before deploying the new fix. The vulnerability was exploited by the Clop ransomware group in a series of data theft attacks in August 2025, resulting in significant data exfiltration from multiple victims. Mandiant's CTO, Charles Carmakal, confirmed that Clop leveraged both this zero-day and other previously patched vulnerabilities in their campaign. Oracle's advisory included indicators of compromise that matched exploit details shared by threat actors on Telegram, highlighting the public availability of exploit information. The exploitation of this flaw underscores the importance of timely patch management, especially for business-critical applications like Oracle EBS. Oracle has urged all customers to prioritize the application of the latest patches to mitigate the risk of further exploitation. The incident demonstrates the increasing trend of ransomware groups targeting enterprise software vulnerabilities for large-scale data theft. Security researchers have emphasized the need for organizations to monitor for signs of compromise and to review their EBS deployments for unauthorized activity. The rapid release of a security alert and patch by Oracle reflects the urgency and severity of the threat posed by CVE-2025-61882. Organizations are advised to follow Oracle's remediation guidance closely and to remain vigilant for related threat activity. The incident has raised concerns about the security posture of widely used ERP platforms and the potential for future exploitation of similar vulnerabilities. The Clop attacks serve as a reminder that threat actors are adept at chaining multiple vulnerabilities to maximize impact. This event highlights the criticality of maintaining up-to-date security controls and monitoring for exploitation attempts targeting high-value enterprise systems.
Mar 21, 2026
Oracle E-Business Suite Zero-Day Exploited for Remote Code Execution and Data Theft
Oracle E-Business Suite (EBS) was found to contain a critical zero-day vulnerability, tracked as CVE-2025-61884 and CVE-2025-61882, which allowed unauthenticated remote code execution and was actively exploited by threat actors, including the Clop ransomware group. The vulnerability, present in EBS versions 12.2.3 through 12.2.14, enabled attackers to access sensitive resources without authentication by exploiting a pre-authentication Server-Side Request Forgery (SSRF) flaw. Oracle released an out-of-band security update to address the issue, but did so without publicly acknowledging that the flaw was being actively exploited or that a proof-of-concept exploit had been leaked by the ShinyHunters extortion group. Security researchers and customers confirmed that the patch addressed the SSRF vulnerability used in the attacks. The exploit chain was complex, involving an unauthenticated HTTP POST to a specific servlet, manipulation of return_url parameters to trigger SSRF, CRLF/header injection, HTTP connection reuse, and ultimately the delivery of a malicious XSL stylesheet. This XSLT payload, containing embedded Java code, was processed by the server, leading to arbitrary code execution and the potential for attackers to spawn reverse shells. The Clop ransomware group sent extortion emails to Oracle EBS customers, claiming to have stolen sensitive data by exploiting this flaw, and confirmed their involvement in the campaign. The attack campaign was detected by Mandiant and Google, who observed that multiple threat actors were leveraging the vulnerability for data theft and extortion. The exploit chain demonstrated the risk of chaining multiple weaknesses in enterprise software to achieve full remote code execution. Security vendors, such as Imperva, responded by confirming protection for their customers against this exploit. The incident highlighted Oracle's lack of transparency regarding active exploitation and the public availability of exploit code. The technical details of the exploit, including SSRF, CRLF injection, and XSLT-based code execution, underscored the sophistication of the attack. The vulnerability's exploitation in the wild emphasized the importance of rapid patching and monitoring for signs of compromise in Oracle EBS environments. The campaign also illustrated the ongoing threat posed by ransomware and extortion groups targeting critical business applications. Organizations using Oracle EBS were urged to apply the security update immediately and review their systems for indicators of compromise. The incident raised concerns about the security of widely used enterprise resource planning (ERP) platforms and the need for proactive vulnerability management.
Mar 21, 2026