American Airlines Subsidiary Hit by Clop Ransomware in Oracle Zero-Day Attack


Quick Facts

  • Victim: Envoy Air (American Airlines subsidiary)
  • Threat Actor: Clop ransomware gang (TA505/FIN11)
  • Attack Vector: Oracle E-Business Suite zero-day (CVE-2025-61882)
  • CVSS Score: 9.8 (Critical)
  • Attack Timeline: July-August 2025 (pre-patch exploitation)
  • Data Compromised: Limited business information and commercial contact details (no customer or sensitive data confirmed)
  • Pattern: Second Clop campaign to hit an American Airlines entity since 2023 (after MOVEit), and the third American Airlines breach in that period counting the separate 2023 Pilot Credentials vendor incident

Executive Summary

Envoy Air, a regional airline carrier owned by American Airlines, has confirmed it fell victim to a sophisticated cyberattack by the notorious Clop ransomware group. The breach, which occurred in August 2025, exploited a critical zero-day vulnerability in Oracle's E-Business Suite platform. While Clop listed "American Airlines" on its dark web leak site on October 16, 2025, the actual victim was Envoy Air, which operates regional flights under the American Eagle brand.

This is the second time in two years that Clop has hit an American Airlines entity, following the 2023 MOVEit Transfer campaign that affected American Airlines directly. A separate 2023 breach at the vendor Pilot Credentials, which was not attributed to Clop, makes three incidents in that span, a pattern of repeated exposure for the aviation giant.


The Attack: A Critical Zero-Day Exploitation

The Vulnerability

The attack leveraged CVE-2025-61882, a critical vulnerability with a CVSS score of 9.8 out of 10, affecting Oracle E-Business Suite versions 12.2.3 through 12.2.14. The flaw resides in the BI Publisher Integration component of Oracle Concurrent Processing and allows unauthenticated remote code execution, meaning attackers could exploit it over a network without needing usernames or passwords.

The exploit chain was particularly sophisticated, involving at least five distinct vulnerabilities orchestrated together, beginning with a Server-Side Request Forgery (SSRF) attack, followed by a Carriage Return/Line Feed (CRLF) injection to smuggle malicious requests.

Timeline of Events

June 2025: Dark web posts began advertising an Oracle EBS zero-day exploit for sale at approximately $70,000.

July-August 2025: The Clop threat actors exploited CVE-2025-61882 as a zero-day vulnerability against Oracle EBS customers as early as August 9, 2025, with suspicious activity potentially dating back to July 10, 2025 — weeks before a patch was available.

September 29, 2025: Clop began sending high-volume extortion emails to executives at numerous organizations, alleging the theft of sensitive data from victims' Oracle E-Business Suite environments.

October 2, 2025: Oracle initially reported that threat actors may have exploited vulnerabilities patched in July 2025.

October 4, 2025: Oracle released an emergency patch for CVE-2025-61882 and published indicators of compromise after confirming active exploitation.

October 6, 2025: An exploit archive and partial Oracle source code were leaked by a group calling itself "Scattered Lapsus$ Hunters" on Telegram.

October 16, 2025: Clop posted American Airlines on its dark web leak site, claiming "The company doesn't care about its customers, it ignored their security!!!"

October 17, 2025: Envoy Air confirmed the breach, stating that upon learning of the incident, they immediately began an investigation and contacted law enforcement.

Scale of the Campaign

This wasn't an isolated attack. Clop would not say how many companies were impacted, but Google's John Hultquist said his team believes dozens of organizations were affected. Researchers found signs of Clop activity in Oracle customers' EBS environments since at least August 2025, and Google's threat hunters suggested the activity may have begun a month earlier, in July.

In some cases, the threat actors successfully exfiltrated significant amounts of data from impacted organizations.

Other Notable Victims

Harvard University was also extorted as part of this same data theft campaign. The university confirmed to BleepingComputer that the incident impacts "a limited number of parties associated with a small administrative unit."

Data Compromised at Envoy Air

Envoy Air stated that a thorough review confirmed no sensitive or customer data was affected, with only a limited amount of business information and commercial contact details potentially compromised. However, Clop is now leaking what they claim to be stolen data from Envoy on its data leak site.


About Envoy Air

Envoy Air is one of American Airlines' largest regional carriers, with hubs in nearly a dozen major US cities, including Boston, Chicago, Los Angeles, Miami, Phoenix, New York City, and its home base in Dallas-Fort Worth. While it functions as a separate company, it is integrated into American's network for ticketing, scheduling, and passenger service.

The Clop Ransomware Group

The Clop ransomware operation, also tracked as TA505, Cl0p, and FIN11, launched in 2019 when it began breaching corporate networks to deploy a variant of the CryptoMix ransomware and steal data. Since 2020, the gang has shifted away from file-encrypting ransomware toward exploiting zero-day vulnerabilities in secure file transfer and data storage platforms to steal data and extort victims.


Notable Previous Clop Campaigns

The group has a history of large-scale zero-day exploitations:

  • 2020: Exploiting a zero-day in the Accellion FTA platform, affecting nearly 100 organizations
  • 2021: Exploiting a zero-day in SolarWinds Serv-U FTP software
  • 2023: Exploiting a zero-day in GoAnywhere MFT, breaching over 100 companies
  • 2023: The MOVEit Transfer zero-day was Clop's most extensive campaign to date, allowing data theft from 2,773 organizations worldwide (including American Airlines)
  • 2024: Exploited two Cleo file transfer zero-days (CVE-2024-50623 and CVE-2024-55956) to steal data and extort companies

The U.S. State Department currently offers a $10 million reward for information linking Clop's ransomware activities to a foreign government.

Technical Details of the Attack

How the Exploit Worked

The vulnerability lies in the BI Publisher Integration component of Oracle's Concurrent Processing module. It allows unauthenticated attackers to send specially crafted HTTP requests that lead to remote code execution on the affected server.

The attack sequence involved:

  1. Sending an HTTP POST request with crafted XML to force the backend server to send arbitrary HTTP requests via Server-Side Request Forgery
  2. Using CRLF injection to inject arbitrary headers into the HTTP request
  3. Smuggling requests to an internet-exposed Oracle EBS application
  4. Loading a malicious XSLT template containing code that executes when the system attempts to preview it

Indicators of Compromise

Oracle shared indicators of compromise for the zero-day exploitation, including two IP addresses seen exploiting servers, commands to open remote shells, and the exploit archive and associated files.


Response and Recommendations

Oracle's Response

Oracle released emergency patches on October 4, 2025, for CVE-2025-61882, and then on October 11 released another patch addressing CVE-2025-61884, a related vulnerability. Oracle noted that the October 2023 Critical Patch Update is a prerequisite to apply the latest updates.

CVE-2025-61884: The Second Zero-Day

On October 11, 2025, Oracle quietly patched another E-Business Suite zero-day, tracked as CVE-2025-61884, without initially disclosing that it had been actively exploited, reportedly as early as July 2025. This vulnerability, affecting the Runtime UI component and receiving a CVSS score of 7.5, can be exploited remotely without authentication and "may allow access to sensitive resources," according to Oracle's advisory.

This second zero-day is linked to the exploit archive leaked by the Scattered Lapsus$ Hunters extortion group on Telegram, suggesting a complex web of threat actors involved in or aware of the Oracle EBS vulnerabilities.

Government Response

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency for immediate action due to its use in ransomware campaigns. CISA urged federal agencies to apply the fixes by October 27, 2025.

Security Recommendations

Google's Mandiant and the Google Threat Intelligence Group provided the following critical recommendations:

  1. Apply emergency patches immediately: Prioritize application of Oracle EBS patches released on October 4, 2025
  2. Hunt for malicious templates: Query the XDO_TEMPLATES_B and XDO_LOBS tables for suspicious templates, reviewing any whose TEMPLATE_CODE begins with TMP or DEF (the prefixes observed in the campaign) and inspecting the stored XSLT for embedded Java code
  3. Restrict outbound internet access: The observed payloads require outbound connections to command-and-control servers
  4. Review application logs: Check for exploitation targeting /OA_HTML/configurator/UiServlet dating back to July 2025
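The template-hunting and log-review steps above (recommendations 2 and 4), together with the request chain described under How the Exploit Worked, as an added example. This is not Oracle's, Mandiant's or the page's own code; it is detection logic only and does not reproduce the exploit. It assumes template metadata exported from XDO_TEMPLATES_B (TEMPLATE_CODE, CREATED_BY) with the XSLT body from the matching XDO_LOBS row, and a web tier writing Apache-style combined access logs; the Oracle XSLT Java-extension namespace check is a heuristic, and every row and log line below is constructed for the example. It goes beyond the text in one respect: any template whose XSLT reaches into Java is flagged, whatever its code prefix, because the prefix is an artifact of this campaign rather than a property of the technique.

```python
"""Hunting helpers for the Oracle EBS (CVE-2025-61882) campaign (added example).

Two checks, each over constructed sample data:
  1. hunt_templates(): rows from XDO_TEMPLATES_B / XDO_LOBS. Flags TEMPLATE_CODE
     values beginning with TMP or DEF for review and, going further, any template
     whose XSLT body invokes Java through Oracle's XSLT extension namespace.
  2. hunt_access_log(): Apache-style access log lines. Flags requests to
     /OA_HTML/configurator/UiServlet from 10 July 2025 onward and raises the
     severity when a POST carries CRLF-injection markers.
Column names, the log format and the Java-namespace heuristic are assumptions.
"""
import re
from datetime import datetime, timezone

# Assumption: template rows were exported with a query shaped like
#   SELECT template_code, created_by FROM xdo_templates_b
#    WHERE template_code LIKE 'TMP%' OR template_code LIKE 'DEF%'
# and the XSLT body taken from the matching XDO_LOBS row.

# Oracle's XSLT processor exposes Java classes through the namespace
# http://www.oracle.com/XSL/Transform/java/<class>; a report layout has no
# reason to reference that namespace or java.lang.Runtime/ProcessBuilder.
JAVA_EXT_RE = re.compile(
    r"oracle\.com/XSL/Transform/java/|java\.lang\.(?:Runtime|ProcessBuilder)\b",
    re.IGNORECASE,
)

UISERVLET_PATH = "/OA_HTML/configurator/UiServlet"
# Earliest suspicious activity reported for the campaign (10 July 2025).
EARLIEST_ACTIVITY = datetime(2025, 7, 10, tzinfo=timezone.utc)
# URL-encoded CR LF, or the literal "\r\n" that web servers write when they
# escape control characters in the request line.
CRLF_RE = re.compile(r"%0d%0a|\\r\\n", re.IGNORECASE)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def hunt_templates(rows):
    """Return one finding per suspicious template row (list of dicts)."""
    findings = []
    for row in rows:
        code = row["template_code"]
        if JAVA_EXT_RE.search(row.get("xslt", "")):
            findings.append({"template_code": code, "created_by": row.get("created_by"),
                             "severity": "high", "reason": "XSLT invokes Java"})
        elif code.upper().startswith(("TMP", "DEF")):
            findings.append({"template_code": code, "created_by": row.get("created_by"),
                             "severity": "review", "reason": "TMP/DEF code prefix"})
    return findings


def hunt_access_log(lines, since=EARLIEST_ACTIVITY):
    """Return findings for UiServlet requests at or after `since`."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts < since:
            continue
        target = m["target"]
        if not target.startswith(UISERVLET_PATH):
            continue
        crlf = bool(CRLF_RE.search(target))
        severity = "high" if m["method"] == "POST" and crlf else "medium"
        findings.append({"ip": m["ip"], "time": ts.isoformat(), "severity": severity,
                         "crlf_marker": crlf, "target": target})
    return findings


# Constructed sample data (not real templates or real log lines).
BENIGN_XSLT = (
    '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" '
    'xmlns:fo="http://www.w3.org/1999/XSL/Format">'
    '<xsl:template match="/"><fo:root/></xsl:template></xsl:stylesheet>'
)
MALICIOUS_XSLT = (
    '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" '
    'xmlns:rt="http://www.oracle.com/XSL/Transform/java/java.lang.Runtime">'
    '<xsl:template match="/"><xsl:value-of select="rt:getRuntime()"/></xsl:template>'
    '</xsl:stylesheet>'
)
SAMPLE_TEMPLATES = [
    {"template_code": "TMPXXRCE01", "created_by": "SYSADMIN", "xslt": MALICIOUS_XSLT},
    {"template_code": "DEFAULT_INV", "created_by": "SYSADMIN", "xslt": BENIGN_XSLT},
    {"template_code": "XXCUST_INVOICE", "created_by": "APPSDEV", "xslt": BENIGN_XSLT},
    {"template_code": "XXCUST_LABELS", "created_by": "APPSDEV", "xslt": MALICIOUS_XSLT},
]
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jul/2025:02:14:07 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 512
203.0.113.10 - - [11/Jul/2025:02:14:09 +0000] "POST /OA_HTML/configurator/UiServlet?p=http://127.0.0.1%0d%0aX-Injected:%201 HTTP/1.1" 200 4410
198.51.100.7 - - [03/Mar/2025:09:00:00 +0000] "GET /OA_HTML/configurator/UiServlet HTTP/1.1" 200 100
192.0.2.5 - - [12/Aug/2025:13:01:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0
""".splitlines()

if __name__ == "__main__":
    for finding in hunt_templates(SAMPLE_TEMPLATES) + hunt_access_log(SAMPLE_LOG):
        print(finding)
```

Run against real exports, a "review" finding on a DEF-prefixed template is a prompt to look at who created it and when, not proof of compromise; a "high" finding on any template, or a POST to UiServlet carrying CRLF markers in the July-to-October 2025 window, should open an incident.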

Industry Impact

Security experts noted that large-scale zero-day campaigns like this are becoming a regular feature of cybercrime, with Google's chief threat analyst John Hultquist stating: "Some historic Clop data extortion campaigns have had hundreds of victims. Unfortunately, large scale zero-day campaigns like this are becoming a regular feature of cybercrime."

Jake Knott, principal security researcher at watchTowr, warned: "If you run Oracle EBS, this is your red alert. Patch immediately, hunt aggressively, and tighten your controls — fast."

Additional Context: Aviation Industry Under Siege

The Envoy Air breach comes amid a broader wave of cyberattacks targeting the aviation industry. In 2023, the American Airlines pilot union was hit with ransomware, affecting more than 15,000 pilots. The incident underscores the aviation sector's increasing vulnerability to sophisticated cyberattacks.

American Airlines' History with Clop: The 2023 MOVEit Breach

This is not American Airlines' first encounter with the Clop ransomware group. In 2023, American Airlines was among the victims of Clop's massive MOVEit Transfer zero-day campaign — the gang's most extensive operation to date.


The MOVEit campaign began on May 27, 2023, when Clop exploited a SQL injection zero-day vulnerability (CVE-2023-34362) in Progress Software's widely-used MOVEit Transfer file transfer software. The attacks appeared to have occurred primarily on May 30 and May 31, 2023, with Progress releasing a patch on May 31.

Scale of the 2023 MOVEit Breach: By the end of June 2023, over 130 organizations and government bodies were confirmed impacted, affecting at least 15 million individuals. The total victim count eventually reached 2,773 organizations worldwide.

Clop began posting victims to its data leak site on June 14, 2023, with American Airlines appearing among the listed victims alongside other major corporations including Shell, Siemens Energy, Schneider Electric, Sony, PricewaterhouseCoopers (PwC), Ernst & Young (EY), British Airways, and numerous government agencies.

Impact on Airlines: The aviation sector was particularly affected, with American Airlines joined by fellow carrier Allegiant Air in the list of confirmed victims. Both airlines were posted to Clop's leak site, which typically indicates that a victim declined to pay a ransom.

Third-Party Breach: Pilot Credentials (April 2023)

Additionally, in April 2023 — just weeks before the MOVEit campaign — American Airlines disclosed another data breach, this time at a third-party vendor called Pilot Credentials that managed pilot recruitment portals. That separate incident affected 5,745 pilots and pilot candidates, exposing names, dates of birth, Social Security Numbers, passport numbers, driver's license numbers, and Airman Certificate numbers. Southwest Airlines was also affected by the same vendor breach, with 3,009 individuals impacted.


Additional Data Breaches (2022-2023)

American Airlines previously suffered other data breaches in 2022 and 2023 that exposed employees' personal information, separate from the Clop attacks and vendor breaches.

Pattern of Targeting

The fact that American Airlines entities have been breached three times in two years, twice by Clop (the 2023 MOVEit campaign against American Airlines and the 2025 Oracle EBS campaign against Envoy Air) and once through the 2023 Pilot Credentials vendor breach, demonstrates both the aviation industry's attractiveness as a target and the persistent threat posed by sophisticated extortion groups like Clop.


Conclusion

The Envoy Air breach — combined with American Airlines' victimization in the 2023 MOVEit campaign — represents a concerning pattern that highlights several critical issues in modern cybersecurity:

  1. Repeat targeting: American Airlines entities have been hit by Clop twice in two years, with a third, vendor-side breach in between, demonstrating persistent threat actor interest in the aviation sector
  2. Zero-day vulnerabilities remain a primary weapon for sophisticated threat actors like Clop, who continue to find and exploit critical flaws in widely-used enterprise software
  3. Enterprise software supply chains create widespread exposure when critical vulnerabilities are discovered, as seen with both MOVEit and Oracle EBS
  4. Speed matters: In both campaigns Clop exploited the flaw before a patch existed. For Oracle EBS, roughly three months separate the earliest suspected activity (July 2025) from the October 4 patch; for MOVEit, the zero-day was used in the days before Progress shipped a fix, after reconnaissance that investigators later traced back to 2021
  5. Aviation industry targeting continues to escalate, with multiple carriers affected by various threat actors across different campaigns

For organizations running Oracle E-Business Suite — or any widely-deployed enterprise software — this incident serves as an urgent reminder to maintain rigorous patch management practices, implement comprehensive monitoring, and prepare incident response plans for zero-day scenarios. The aviation industry, in particular, must recognize its status as a high-value target and invest accordingly in cybersecurity defenses.


Status: Investigation ongoing. Organizations are advised to review Oracle security advisories and implement recommended patches immediately.

For more information:

  • Oracle Security Alert Advisory: CVE-2025-61882
  • CISA Known Exploited Vulnerabilities Catalog
  • Google Threat Intelligence Group Blog