Envoy Air, a key regional partner of American Airlines, has confirmed a security breach targeting its Oracle E-Business Suite application as part of a widespread extortion campaign by the Clop cybercriminal group. The airline is working diligently to assess the full impact of the breach and has contacted law enforcement to assist with the investigation.
The Clop Ransomware Campaign
The regional carrier became the second company to publicly confirm that data was stolen by attackers who breached its Oracle E-Business Suite application. The Clop ransomware gang exploited a zero-day vulnerability tracked as CVE-2025-61882 in Oracle's E-Business Suite, chaining several distinct flaws to achieve unauthenticated Remote Code Execution (RCE): no valid credentials were needed, so any instance reachable by the attackers was exposed.
Google threat researchers reported on October 9th that "mass amounts of customer data" had been stolen in an operation that may have begun as early as three months earlier, well before a patch was available. Harvard University also confirmed that it was attacked in a similar fashion earlier this week, according to the cybersecurity news outlet The Record.
Impact on Envoy Air Operations
An Envoy spokesperson confirmed that upon learning of the matter, the company immediately began an investigation and contacted law enforcement. After conducting a thorough review of the data at issue, they confirmed no sensitive or customer data was affected. However, “a limited amount of business information and commercial contact details may have been compromised”.
The breach did not touch any American Airlines IT environments or data, nor did it impact Envoy’s flight or airport ground handling operations. Envoy Air operates more than 160 aircraft on 875 daily flights to over 160 destinations under the American Eagle brand, with more than 20,000 employees.
Understanding the Vulnerability
Google threat researchers said the Clop gang likely began its exploitation campaign in July 2025, giving the criminals roughly a three-month head start on defenders. Oracle E-Business Suite is used by organizations to manage customers, suppliers, manufacturing, logistics, and other business processes, so a compromise gives an attacker access to a large amount of commercial data at once. The vulnerability proved particularly dangerous because it could be exploited remotely without authentication.
Oracle later pushed a further emergency patch for a second vulnerability, tracked as CVE-2025-61884, which received a CVSS score of 7.5 and affects the Runtime UI component. Applying the first emergency fix alone therefore does not close the exposure: administrators need to track Oracle's subsequent advisories and apply each patch as it is released.
The Broader Threat Landscape
The Clop ransomware operation, also tracked as TA505, Cl0p, and FIN11, launched in 2019 and has since shifted from deploying file-encrypting ransomware to exploiting zero-day vulnerabilities in secure file transfer and data storage platforms in order to steal data and extort victims. Its history includes mass-exploitation campaigns against the Accellion FTA platform in 2020 and the MOVEit file transfer software in 2023.
Incident responders at Mandiant previously said they are aware of dozens of victims, but “expect there are many more”, suggesting the true scale of this campaign may be significantly larger than currently known.
Recommended Security Measures
The attack on Envoy Air highlights the need for organizations running Oracle E-Business Suite to treat it as an internet-facing, high-value target. Critical steps include:
- Applying Oracle's emergency patches for CVE-2025-61882 and CVE-2025-61884 immediately, and tracking subsequent Oracle advisories for further fixes
- Limiting network exposure of E-Business Suite: because the exploited flaw required no authentication, simple reachability from the internet was enough for compromise
- Configuring E-Business Suite with least-privilege access controls for users, integrations and administrators
- Monitoring application, web-tier and database logs for suspicious activity and unauthorized access attempts, and reviewing logs back to July 2025, when the campaign is believed to have started
- Enforcing multi-factor authentication for all administrative access
- Conducting regular security audits of enterprise software systems
- Maintaining an incident response plan, including contacts for law enforcement and incident responders, so that a confirmed intrusion can be handled quickly
Looking Ahead
Clop's shift from encrypting files to stealing data through zero-day exploitation of widely deployed enterprise software means that a single vulnerable product can expose many organizations at once. Those running Oracle E-Business Suite should assume they were within scope of this campaign, verify patch status, and review for signs of compromise, as the Clop extortion campaign continues and new victims are identified.