Information Security Buzz

Envoy Air Confirms Cyberattack Linked to Clop Ransomware Group

By Kirsten Doyle, October 21, 2025

Envoy Air, a regional carrier owned by American Airlines, has confirmed it was the target of a ransomware attack attributed to the Clop cybercrime group. The breach, which took place in August 2025, exploited a zero-day vulnerability in Oracle's E-Business Suite, one of the most severe flaws to hit enterprise software this year.

Clop, which first listed "American Airlines" on its dark web leak site on October 16, misidentified the victim: Envoy operates under the American Eagle brand as a regional arm of the airline. The distinction matters little to the attackers, but it underscores a pattern that is becoming clear: Clop is not merely opportunistic, it is persistent. This is the third time in two years that American Airlines entities have landed in the group's crosshairs.

A High-Stakes Exploit 

The attack centered on CVE-2025-61882, a critical vulnerability in Oracle E-Business Suite with a CVSS score of 9.8 out of 10. The flaw, in the BI Publisher Integration component, allows remote code execution without authentication: an attacker needs no credentials at all.

Security researchers describe the exploit chain as unusually sophisticated. It began with a Server-Side Request Forgery (SSRF) request, followed by a Carriage Return/Line Feed (CRLF) injection, which let Clop inject attacker-controlled headers and requests into traffic the application itself sends to trusted internal components. Oracle later confirmed that the campaign chained multiple vulnerabilities working in concert.
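The SSRF-plus-CRLF pattern above is easiest to see in miniature. The following is an added illustration for this article, not Oracle's code and not the Clop exploit: a server-side request builder that splices caller-controlled values into a raw HTTP/1.1 request, the smuggled second request that a single CR/LF pair makes possible, and a hardened builder that allow-lists the destination (the SSRF control) and refuses control characters (the CRLF control). The host name `reports.internal.example`, the paths and the `SMUGGLED_PATH` payload are constructed for the demo.

```python
"""
Added illustration (not Oracle's code and not the Clop exploit): how a CR/LF
injection inside a server-side fetch lets an attacker smuggle a second request
into a connection the application opens on its own behalf, and how a hardened
request builder refuses it. Host, paths and payload are constructed.
"""
import re
from typing import List

# Hypothetical internal service the component is permitted to call.
ALLOWED_HOSTS = {"reports.internal.example"}

# Constructed attacker input. The blank line terminates the first request, so a
# keep-alive server parses what follows as a second, attacker-chosen request;
# the trailing "X-Pad:" header absorbs the " HTTP/1.1" the builder appends.
SMUGGLED_PATH = (
    "/report HTTP/1.1\r\n"
    "Host: reports.internal.example\r\n"
    "\r\n"
    "POST /admin/run HTTP/1.1\r\n"
    "Host: reports.internal.example\r\n"
    "X-Pad:"
)

_CTRL = re.compile(r"[\x00-\x1f\x7f]")
_REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|PATCH|DELETE) \S+ HTTP/1\.[01]$")


class UnsafeInput(ValueError):
    """Raised by the hardened builder when input would alter request framing."""


def build_request_vulnerable(host: str, path: str) -> bytes:
    """Vulnerable: splices caller-controlled host and path straight into a raw
    HTTP/1.1 request, so embedded CR/LF becomes new header lines or requests."""
    return (
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: keep-alive\r\n\r\n"
    ).encode()


def build_request_hardened(host: str, path: str) -> bytes:
    """Hardened: allow-list the destination (SSRF control) and reject any control
    character or whitespace in fields that land in the request (CRLF control)."""
    if host not in ALLOWED_HOSTS:
        raise UnsafeInput(f"destination host not allowed: {host!r}")
    for name, value in (("host", host), ("path", path)):
        if _CTRL.search(value):
            raise UnsafeInput(f"control character in {name}")
    if not path.startswith("/") or " " in path:
        raise UnsafeInput("path must be a single absolute path token")
    return (
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    ).encode()


def request_lines(raw: bytes) -> List[bytes]:
    """Server-side model: the request lines a parser sees in this byte stream."""
    return [ln for ln in raw.split(b"\r\n") if _REQUEST_LINE.match(ln)]


def is_rejected(host: str, path: str) -> bool:
    """True when the hardened builder refuses the input."""
    try:
        build_request_hardened(host, path)
    except UnsafeInput:
        return True
    return False


if __name__ == "__main__":
    vuln = build_request_vulnerable("reports.internal.example", SMUGGLED_PATH)
    print("vulnerable builder, request lines seen by server:", request_lines(vuln))
    print("hardened builder rejects smuggled path:",
          is_rejected("reports.internal.example", SMUGGLED_PATH))
    print("hardened builder rejects off-list host:",
          is_rejected("169.254.169.254", "/latest/meta-data/"))
```

Run stand-alone, the vulnerable builder yields a byte stream in which a server sees two request lines (`GET /report` and the attacker's `POST /admin/run`), while the hardened builder rejects both the control characters and any destination outside the allow list. Note that a percent-encoded `%0d%0a` passes the hardened check unchanged, which is correct: it stays inert in the request line because the builder never decodes it.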

Dark web chatter first surfaced in June 2025, advertising an Oracle EBS exploit for around $70,000. By early August, Clop was actively using it against Oracle customers, weeks before a patch became available. Oracle issued an emergency fix on October 4 after confirming active exploitation, and published indicators of compromise to help organizations detect intrusions.

A Campaign Measured in Weeks, With Dozens of Victims 

Envoy’s breach is part of a wider offensive. Google’s threat intelligence unit, Mandiant, believes dozens of organizations were hit during the same period, with evidence of Clop activity stretching back to July. Harvard University has also confirmed involvement, saying a “limited number of parties” connected to one administrative unit were affected. 

The scope of the campaign remains uncertain. Clop has not disclosed how many victims paid ransoms or how much data was stolen. Researchers say, however, that the group has shown a growing interest in enterprise resource planning systems, the digital nervous systems of major companies.

Envoy’s Response 

Envoy Air said it acted quickly once the intrusion was detected. “Upon learning of the incident, we immediately began an investigation and contacted law enforcement,” the airline said in a statement. The company added that a review found no customer data was affected, only a limited amount of internal business information and commercial contact details. 

Despite those assurances, Clop has begun leaking what it claims to be stolen Envoy data on its dark web site, accompanied by a taunting message: “The company doesn’t care about its customers, it ignored their security!!!” 

A Familiar Target 

The aviation sector has become a recurring target for ransomware actors, drawn by its reliance on complex, interconnected systems and high-value data. For Clop, American Airlines represents unfinished business. The group was behind the 2023 MOVEit Transfer campaign that compromised data belonging to the airline itself. 

While this latest breach hit a smaller regional affiliate, the optics are the same: a critical service provider, exposed through a vendor’s software flaw. It’s a reminder that in modern supply chains, a vulnerability in one corner can ripple across the entire ecosystem. 

And for airlines whose names appear on leak sites, even by mistake, that damage can linger long after the systems are patched and the ransom notes deleted. 

A Reminder of Supply Chain Dependencies 

Shane Barney, Chief Information Security Officer at Keeper Security, called the Envoy Air incident “a reminder of the dependencies organizations have on large, interconnected business systems, and how much risk they entail. When attackers exploit a vulnerability in a widely used platform, like the Oracle system involved here, they’re not just breaching one company; they’re creating a ripple effect across every organization that relies on the same technology.” 

He said the danger goes well beyond stolen data. “These attacks disrupt operations, strain internal resources and erode public trust – consequences that linger long after the initial breach. Every hour spent untangling a third-party compromise is time pulled away from protecting the rest of the business. 

“Organizations need to understand where their critical systems connect, who has access to them and how that access is managed. Enforcing least-privilege access, continuously monitoring for unusual behavior and implementing strong privileged access controls can stop a single vulnerability from becoming a company-wide crisis. In today’s threat landscape, containment is just as important as prevention.” 

Organizations Might Not Yet Know They Were Compromised 

Mayuresh Dani, Security Research Manager at the Qualys Threat Research Unit, added that Oracle E-Business Suite underpins critical operations for thousands of global enterprises across the financial services, healthcare, education, manufacturing and government sectors.

“With this low complexity, unauthenticated vulnerability, threat actors had nearly three months to exploit the zero-day before a patch was released. To add fuel to the fire, public proof-of-concept (PoC) exploits were available at least a day before Oracle’s emergency patch. Many organizations may not yet know they were compromised during the zero-day period, as threat intelligence suggests large volumes of customer data were successfully exfiltrated. When all the pieces of the recent Oracle EBS vulnerability are put together, we will know that more of the story is yet to unfold.” 

Dani advises organizations to:

  1. Ensure that the October 2023 Critical Patch Update is installed.
  2. Deploy the October 4, 2025 Security Alert patches for CVE-2025-61882.
  3. Apply the October 12, 2025 patches for CVE-2025-61884 to provide comprehensive coverage.
  4. Confirm that the July 2025 Critical Patch Update is deployed to address related vulnerabilities exploited in this Cl0p campaign.

The Urgent Threat of Unpatched Software 

Damon Small, who sits on the Board of Directors at Xcape Inc, commented: “The recent cyberattack on Envoy Air, a subsidiary of American Airlines, highlights the urgent threat of unpatched enterprise software, specifically the Oracle E-Business Suite (EBS) vulnerability currently being exploited.”

Small said: “Although Envoy Air reports that no sensitive customer data was accessed, the theft of ‘limited business information and commercial contact details’ is still alarming and emphasizes the importance of continuous security patching. The fact that the exploited bug was recently flagged on a federal watchlist and the FBI issued a ‘patch immediately’ warning underscores the severity of the risk.”

He said the incident, which follows a similar attack on Harvard University, proves that cybercriminals are actively and successfully exploiting this vulnerability. “Mandiant’s prediction of ‘many more’ victims should serve as a critical alert for any organization – regardless of size or industry – that uses the Oracle EBS platform. These organizations need to immediately audit their systems, ensure all critical patches are installed, and review logs for any signs of compromise. The window of opportunity between a vulnerability becoming public knowledge and its exploitation is shrinking, making prompt patch management essential.”

Relying on “no sensitive data was compromised” is a post-mortem defense in the era of clever zero-day campaigns; every unpatched vulnerability should be treated like a ticking time bomb, Small concluded. “This is underscored by the fact that this exploit has been well-known for several months and has patches available.”
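Both Dani's warning that organizations may not yet know they were hit during the zero-day window and Small's advice to review logs come down to the same first step: triage the EBS web tier's access logs. The following is an added example for this article, not tooling from Oracle, Mandiant, Qualys or Xcape. It flags requests from operator-supplied indicator IPs, encoded or raw CR/LF sequences in request paths (the injection primitive described above), and whether each hit predates Oracle's October 4, 2025 emergency fix. `IOC_SOURCE_IPS` is a placeholder to be filled from Oracle's published indicators, and the log lines are constructed for the demo; `/OA_HTML/` is the standard EBS web application root.

```python
"""
Added example (not from the article's sources): first-pass triage of web-tier
access logs on an Oracle E-Business Suite host. Flags (a) traffic from
operator-supplied indicator IPs, (b) CR/LF injection attempts in request paths,
(c) whether the hit predates the October 4, 2025 patch. IOC_SOURCE_IPS is a
placeholder; the sample log lines are constructed.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import unquote

# PLACEHOLDER: documentation-range address standing in for Oracle's published IoC IPs.
IOC_SOURCE_IPS = {"198.51.100.23"}

# Date of Oracle's emergency patch (from the article). Requests before it on an
# unpatched host fall inside the zero-day window.
PATCH_DATE = datetime(2025, 10, 4, tzinfo=timezone.utc)

# Only requests under the EBS web application root are triaged.
EBS_WEB_ROOT = "/OA_HTML/"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Encoded or raw CR/LF; checked on the path as logged and after one round of
# percent-decoding, so single and double encoding are both caught.
CRLF_RE = re.compile(r"%0d|%0a|[\r\n]", re.IGNORECASE)

# Constructed sample log in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Aug/2025:09:14:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120',
    '198.51.100.23 - - [12/Aug/2025:09:15:41 +0000] "POST /OA_HTML/OA.jsp HTTP/1.1" 200 311',
    '203.0.113.77 - - [20/Aug/2025:22:03:09 +0000] "GET /OA_HTML/OA.jsp?page=%2Fx%0d%0aX-Injected:%201 HTTP/1.1" 500 0',
    '198.51.100.23 - - [09/Oct/2025:04:41:17 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120',
    '203.0.113.9 - - [09/Oct/2025:04:42:00 +0000] "GET /robots.txt HTTP/1.1" 404 0',
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line; None if it does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["ts"] = datetime.strptime(str(rec["ts"]), "%d/%b/%Y:%H:%M:%S %z")
    return rec


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious request to the EBS web tier."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not str(rec["path"]).startswith(EBS_WEB_ROOT):
            continue
        path = str(rec["path"])
        ts = rec["ts"]
        reasons = []
        if rec["ip"] in IOC_SOURCE_IPS:
            reasons.append("source IP matches indicator list")
        if CRLF_RE.search(path) or CRLF_RE.search(unquote(path)):
            reasons.append("CR/LF sequence in request path")
        if reasons:
            findings.append({
                "ip": rec["ip"],
                "time": ts.isoformat(),  # type: ignore[union-attr]
                "path": path,
                "pre_patch": ts < PATCH_DATE,  # type: ignore[operator]
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this yields three findings: two hits from the placeholder indicator address (one before and one after the patch date) and one CR/LF injection attempt against `/OA_HTML/OA.jsp`; the benign internal login and the `robots.txt` request are left alone. A pre-patch hit from a listed address on a host that was still unpatched at that time is the case that warrants a full forensic review rather than a log grep.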

About the author: Kirsten Doyle, Information Security Buzz News Editor

Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
