Ransomware, Vulnerability Management, Breach, Patch/Configuration Management, Exposure management

Envoy Air confirms breach tied to Oracle EBS zero-day vulnerability

Oracle official cloud technology website homepage displayed on computer monitor with logo and dark interface.

(Adobe Stock)

Texas-based regional airline carrier Envoy Air confirmed Oct. 17 it was compromised in the recent series of zero-day attacks on the Oracle E-Business Suite (EBS) that researchers have tied to the Clop ransomware gang.

The admission by the American Airlines subsidiary was the second public disclosure in the EBS case, following the Oct. 13 admission by Harvard University that it was the first such case.

SC Media first reported news of the cyberattacks on Oracle EBS on Oct. 3  when Oracle confirmed that some of its EBS customers received extortion emails.

MacKenzie Brown, vice president of the Adversary Pursuit Group at Blackpoint Cyber, said the industry is most certainly seeing a chain reaction, as the expanding victim scope confirms this systemic attack continues to highlight what we will face in the year ahead: supply chain targeting of shared enterprise platforms.

“A CISO’s primary concern is not the breach itself, but the scalable nature of the attacks used by groups like Clop/FIN11 as their playbook is evolving and exploiting the single point of failure for an enterprise: third-party risk,” said Brown.

Mayuresh Dani, security research manager at the Qualys Threat Research Unit, added that Oracle EBS runs critical operations for thousands of global enterprises across financial services, healthcare, education, manufacturing, and government. Dani said with this low complexity, unauthenticated vulnerability, threat actors had nearly three months to exploit the zero-day before a patch was released.

“To add fuel to the fire, public proof-of-concept exploits were available at least a day before Oracle's emergency patch,” said Dani. “Many organizations may not yet know they were compromised during the zero-day period, as threat intelligence suggests large volumes of customer data were successfully exfiltrated. When all the pieces of the recent Oracle EBS vulnerability are put together, we will know that more of the story is yet to unfold.”

Dani said security teams should take the following actions:

  • Ensure the October 2023 Critical Patch Update is installed.
  • Deploy Oct. 4, 2025 Security Alert patches for 9.8 CVE-2025-61882.
  • Apply Oct. 12, 2025 patches for 7.5 CVE-2025-61884 to provide comprehensive coverage.
  • Confirm that the July 2025 Critical Patch Update is deployed to address related vulnerabilities exploited in this Clop campaign.

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

Related

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

BackdoorBrute ForceDNS SpoofingDarknetData MiningDefacementDisruptionDomain HijackingDrive-by DownloadDumpster Diving

You can skip this ad in 5 seconds