Code Defence Cyber security

Korean Air Supply Chain Attack: Clop Ransomware Exploits Oracle Zero-Day

Korean Air has disclosed a significant data breach affecting 30,000 employee records. The breach occurred through a third-party vendor, KC&D Service. The Clop ransomware group exploited a critical zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61882) to achieve unauthenticated remote code execution (RCE) and exfiltrate sensitive bank account details.

Business Impact

This incident highlights the extreme vulnerability of the aviation supply chain. Even if the primary organization is secure, a flaw in a subsidiary or vendor with privileged access can compromise the entire enterprise. This specific Oracle flaw is currently being used to target global logistics and manufacturing giants.

Why It Happened

The vulnerability in Oracle EBS allowed for a complex exploit chain involving SSRF and CRLF injection. Clop specializes in “mass-exploitation” of enterprise software zero-days (similar to its MOVEit campaign) to maximize extortion leverage.

Recommended Executive Action

Immediately verify whether any internal or vendor systems are running Oracle E-Business Suite. Apply the emergency patches released for CVE-2025-61882. For vendors, mandate a “Zero Trust” access model in which third-party access is restricted to the absolute minimum required for their function.

Hashtags: #KoreanAir #ClopRansomware #OracleEBS #ZeroDay #SupplyChainAttack #AviationSecurity #InfoSec
