Envoy Air (American Airlines) Confirms Oracle EBS 0-Day Breach Linked to Cl0p

Texas-based regional airline Envoy Air, the largest carrier operating under American Airlines, confirmed on October 17, 2025, that it fell victim to a recent wave of attacks targeting a zero-day vulnerability in a major corporate software application.

The hackers, a well-known ransomware group called CL0P (aka TA505/FIN11), targeted the Oracle E-Business Suite (EBS), which many global companies use to run their essential operations, like finances and manufacturing.

****A Coordinated Extortion Campaign****

This recent breach is directly tied to a massive, multi-stage extortion campaign that first came to light in early October 2025. The initial alarm was raised on or before September 29, 2025, when a high-volume email campaign began targeting company executives. Further probing revealed that a group claiming ties to CL0P was threatening to leak data allegedly stolen from Oracle EBS environments.

Hackread.com reported on October 3, 2025, that Mandiant (a Google Cloud company) and the Google Threat Intelligence Group (GTIG) were urgently investigating these threats. They noted that the contact email addresses used in the extortion messages matched those publicly listed on the CL0P data leak site, strongly suggesting an association with the notorious group.

The zero-day flaw (technically called CVE-2025-61882) was a critical security hole that allowed the attackers to take control of the system over the internet without needing a valid username or password.

****Envoy Air: Data Compromise and Warning****

Envoy Air stated that its investigation found no sensitive customer data was affected, and there was absolutely no impact on its flight or airport operations. The breach compromised only a limited amount of business information and commercial contact details.

It is worth noting that Envoy Air is the second major entity to confirm a compromise in this campaign, following Harvard University’s admission on October 13.

The broader nature of this campaign is concerning. The fact that the EBS flaw was actively exploited for nearly three months before Oracle released an emergency patch on October 4, 2025, is particularly worrying.

Also, the CL0P group had already listed American Airlines, the parent company of Envoy Air, on their dark web leak site on October 16, 2025. This was publicly referenced in an alert posted on X.com by @H4ckmanac, which read:

“#CLOP added American Airlines to their DLS, claiming they breached them through the Oracle E-Business Suite (EBS) zero-day and stole a significant amount of data.”

A screenshot from CL0P’s data leak site (DLS), listing American Airlines’ information as a victim

Experts advise all organisations using Oracle EBS to urgently install the security updates, including the emergency patch released on October 4, 2025, to close the door on this widespread threat.

****Expert Perspectives****

Shane Barney, Chief Information Security Officer at Keeper Security, weighed in on the Oracle EBS campaign, providing critical context on the risk to businesses, stating:

“When attackers exploit a vulnerability in a widely used platform, like the Oracle system involved here, they’re not just breaching one company; they’re creating a ripple effect across every organisation that relies on the same technology.” He concluded that “In today’s threat landscape, containment is just as important as prevention.”