American Airlines Subsidiary Breached via Oracle Zero-Day as Clop's E-Business Suite Campaign Widens
Envoy Air, a key American Airlines subsidiary operating under the American Eagle brand, has confirmed a data breach stemming from the compromise of its Oracle E-Business Suite (EBS) application. The incident is directly linked to the Clop ransomware gang (also tracked as TA505, FIN11), which exploited a previously unknown zero-day vulnerability (CVE-2025-61882) in August 2025. While Envoy states "no sensitive or customer data was affected," it acknowledges that "a limited amount of business information and commercial contact details may have been compromised."
Clop has since listed American Airlines on its data leak site, leaking samples of the stolen Envoy data alongside accusations that the company ignored security. This attack is part of a widespread campaign targeting Oracle EBS systems globally. Security firms CrowdStrike and Mandiant confirmed Clop exploited the flaw in early August to breach systems and deploy malware, with Google's John Hultquist estimating "dozens of organizations" were impacted. Harvard University separately confirmed it's also negotiating with Clop over data stolen in the same campaign.
The Oracle Zero-Day Timeline & Clop's Evolving Tactics
- July 2025: Oracle releases patches for known EBS vulnerabilities, initially unaware of the active zero-day (CVE-2025-61882).
- Early August: Clop exploits CVE-2025-61882 to breach Envoy, Harvard, and other targets.
- September: Clop begins sending extortion emails to victims.
- October: Breaches become public as Clop leaks data; Oracle confirms the zero-day exploitation.
- Simultaneously: Oracle silently patches another actively exploited EBS zero-day (CVE-2025-61884), linked to an exploit leaked by the ShinyHunters group.
This incident highlights Clop's strategic pivot away from traditional ransomware deployment towards exploiting zero-day flaws in critical enterprise software for pure data theft and extortion. Their track record is alarming:
- 2020: Accellion FTA Zero-Day (~100 orgs)
- 2021: SolarWinds Serv-U FTP Zero-Day
- 2023: GoAnywhere MFT Zero-Day (100+ orgs)
- 2023: MOVEit Transfer Zero-Day (2,773+ orgs)
- 2024: Cleo File Transfer Zero-Days (CVE-2024-50623, CVE-2024-55956)
- 2025: Oracle E-Business Suite Zero-Days (CVE-2025-61882, CVE-2025-61884)
"The company doesn't care about its customers, it ignored their security!!!" - Clop ransomware gang on its leak site regarding American Airlines/Envoy.
Implications for Enterprise Security Teams
This breach underscores several critical challenges:
- Supply Chain Risk: Attacks on widely used enterprise platforms like Oracle EBS create cascading breaches across multiple industries.
- Patching Velocity & Visibility: Oracle's initial July patches didn't cover the zero-day Clop used. The silent patch for CVE-2025-61884 further complicates timely defense. Organizations struggle to keep pace with both disclosed and undisclosed (zero-day) vulnerabilities in complex applications.
- Clop's Persistent Threat: Clop is a well-resourced group (the US government offers a $10M reward for information linking the gang to foreign governments) with a relentless focus on finding and weaponizing zero-days in file transfer and business management systems. Its shift to exfiltration-only attacks, with no encryption stage, often slips past detection mechanisms built to spot ransomware encryption activity.
While Envoy reports limited data exposure, the breach is a stark reminder that foundational business applications remain prime targets. The repeated success of Clop's model – find zero-day, mass exploit, extort – demands heightened scrutiny of third-party application security, accelerated patch cycles, and robust data exfiltration monitoring, especially for systems handling sensitive business operations. The skies for enterprise security, it seems, remain turbulent.
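The closing call for exfiltration monitoring, together with the point above that exfiltration-only intrusions slip past controls that watch for encryption activity, is easier to act on with a concrete baseline check. The Python below is an added example and is not code from the article, from Oracle, or from any party named in it: it takes per-host daily outbound byte totals (the kind of aggregate a firewall or flow-log pipeline produces), learns each host's own history, and flags a day whose egress jumps far outside that history. The host names and byte counts are constructed, and the thresholds (a robust z-score of 6 and a 5 GB absolute floor) are assumptions to be tuned per environment.

```python
"""Baseline-and-deviation check for outbound data volume from application servers.

Added example. Inputs are constructed daily egress totals per host; the
technique is a per-host robust baseline (median and median absolute
deviation over all prior days) with an absolute-bytes floor so that small
servers do not alert on noise.
"""
from collections import defaultdict
from statistics import median

# Constructed sample data (not real telemetry): (host, day, bytes_out).
# ebs-app-01 has a week of ~1.2 GB/day and then a 48 GB day.
# ebs-app-02 is steady. ebs-db-01 is perfectly flat, then has a 3 GB day
# that is statistically extreme but below the absolute floor.
EGRESS_RECORDS = [
    ("ebs-app-01", "2025-08-01", 1_200_000_000),
    ("ebs-app-01", "2025-08-02", 1_100_000_000),
    ("ebs-app-01", "2025-08-03", 1_300_000_000),
    ("ebs-app-01", "2025-08-04", 1_150_000_000),
    ("ebs-app-01", "2025-08-05", 1_250_000_000),
    ("ebs-app-01", "2025-08-06", 1_200_000_000),
    ("ebs-app-01", "2025-08-07", 1_180_000_000),
    ("ebs-app-01", "2025-08-08", 48_000_000_000),
    ("ebs-app-02", "2025-08-01", 800_000_000),
    ("ebs-app-02", "2025-08-02", 820_000_000),
    ("ebs-app-02", "2025-08-03", 790_000_000),
    ("ebs-app-02", "2025-08-04", 810_000_000),
    ("ebs-app-02", "2025-08-05", 800_000_000),
    ("ebs-app-02", "2025-08-06", 830_000_000),
    ("ebs-app-02", "2025-08-07", 780_000_000),
    ("ebs-app-02", "2025-08-08", 800_000_000),
    ("ebs-db-01", "2025-08-01", 500_000_000),
    ("ebs-db-01", "2025-08-02", 500_000_000),
    ("ebs-db-01", "2025-08-03", 500_000_000),
    ("ebs-db-01", "2025-08-04", 500_000_000),
    ("ebs-db-01", "2025-08-05", 500_000_000),
    ("ebs-db-01", "2025-08-06", 500_000_000),
    ("ebs-db-01", "2025-08-07", 3_000_000_000),
]

# Scale factor that makes the MAD comparable to a standard deviation for
# normally distributed data.
MAD_TO_SIGMA = 1.4826


def daily_totals(records):
    """Aggregate records into {host: {day: total_bytes}} (sums duplicate days)."""
    totals = defaultdict(lambda: defaultdict(int))
    for host, day, nbytes in records:
        totals[host][day] += nbytes
    return totals


def robust_baseline(history):
    """Return (median, sigma) for a list of prior daily totals.

    sigma is MAD-based; when the history is perfectly flat (MAD == 0) it
    falls back to 10% of the median so the division is defined (assumed
    fallback, tune as needed).
    """
    med = median(history)
    mad = median(abs(v - med) for v in history)
    sigma = MAD_TO_SIGMA * mad if mad > 0 else max(0.1 * med, 1.0)
    return med, sigma


def flag_exfil_candidates(records, min_history=5, k=6.0, min_abs_bytes=5_000_000_000):
    """Return a list of (host, day, bytes_out, baseline_median, z) for days whose
    egress exceeds the host's own prior history by more than k robust sigmas
    AND by at least min_abs_bytes. Hosts with fewer than min_history prior
    days are not scored, to avoid alerting on an unlearned baseline.
    """
    flagged = []
    for host, by_day in daily_totals(records).items():
        days = sorted(by_day)
        for i in range(min_history, len(days)):
            history = [by_day[d] for d in days[:i]]
            today = by_day[days[i]]
            med, sigma = robust_baseline(history)
            z = (today - med) / sigma
            if z > k and (today - med) >= min_abs_bytes:
                flagged.append((host, days[i], today, med, round(z, 1)))
    return flagged


if __name__ == "__main__":
    for host, day, nbytes, med, z in flag_exfil_candidates(EGRESS_RECORDS):
        print(f"{host} {day}: {nbytes / 1e9:.1f} GB out vs. median {med / 1e9:.2f} GB (z={z})")
```

The two thresholds work together: the robust z-score catches a host leaving its own normal range, while the absolute floor keeps a flat, low-volume host (ebs-db-01 in the sample) from paging on a 3 GB day that is statistically extreme but operationally ordinary. In practice the daily totals would be joined back to destination addresses and process or user context before anyone acts on them.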
Source: Based on reporting by Lawrence Abrams at BleepingComputer.