American Airlines Subsidiary Breached Via Oracle Zero-Day Exploit

First class breach.
Lily Morris
Contributing Writer

Envoy Air, the largest regional carrier for American Airlines, has confirmed a data breach tied to a cyberattack campaign exploiting Oracle’s E-Business Suite (EBS). The incident is part of a broader effort by the Cl0p extortion gang, which has claimed responsibility for compromising dozens of organizations through a zero-day vulnerability in Oracle’s widely used enterprise software.

Although Cl0p initially listed American Airlines on its dark web leak site, investigations confirmed the target was actually Envoy’s Oracle EBS instance.

The attackers have since published over 26GB of allegedly stolen data.

Envoy maintains that sensitive customer and employee information was not affected, with only a small amount of business records and commercial contact details potentially compromised.

Why It Matters: This breach demonstrates how deeply embedded enterprise software vulnerabilities can serve as force multipliers for cybercriminal campaigns. Rather than targeting organizations individually, threat actors are increasingly exploiting core business systems shared across sectors, turning trusted infrastructure into attack surfaces with global reach.

  • Breach Originated in Oracle EBS, Not Airline IT Systems: Envoy Air clarified that the data compromise was limited to its Oracle EBS environment, which handles back-office business functions. The inclusion of American Airlines on Cl0p’s leak site caused confusion, but there is no evidence that customer-facing or flight operation systems were affected. Envoy operates over 800 flights daily to more than 160 destinations under the American Eagle brand.
  • Cl0p Launched a Coordinated Attack Using Oracle Zero-Day: The attack is part of a coordinated campaign that began in August 2025. After breaching vulnerable Oracle EBS systems, Cl0p began emailing extortion demands in September. Organizations that refused to pay are being listed on Cl0p’s Tor-hosted leak site, with stolen data published in stages to increase pressure.
  • CVE-2025-61882 Identified as the Main Entry Point: Oracle initially suggested that known vulnerabilities patched in July were exploited. Later, it acknowledged that attackers had used an unpatched zero-day, CVE-2025-61882, as the main entry point. A second vulnerability, CVE-2025-61884, was quietly patched by Oracle, though it’s unclear if it was also exploited in the campaign. The delay in public disclosure has drawn criticism.
  • Universities and Industrial Firms Also Affected: Envoy Air is one of several confirmed victims. Harvard University acknowledged a breach involving a small administrative unit. South Africa’s University of the Witwatersrand also confirmed it was targeted and is currently assessing the impact. Industrial giant Emerson is listed on Cl0p’s site as well, though no stolen data has been published at the time of writing.
  • Cl0p’s Evolving Tactics Reflect Broader Threat Trends: Previously known for ransomware deployment, Cl0p (also tracked as FIN11 and TA505) has increasingly pivoted to exploiting zero-day vulnerabilities in core software platforms. Past attacks have included breaches via Accellion, MOVEit Transfer, GoAnywhere MFT, and Cleo file transfer systems. These campaigns have allowed Cl0p to steal data at scale without needing to encrypt systems, making extortion quieter, but no less damaging.

Go Deeper -> American Airlines Subsidiary Envoy Air Hit by Oracle Hack – SecurityWeek

American Airlines subsidiary Envoy confirms Oracle data theft attack – Bleeping Computer

Our readers are CIOs, CTOs, and senior IT executives who rely on The National CIO Review for smart, curated takes on the trends shaping the enterprise, from GenAI to cybersecurity and beyond.