CVE-2026-46817 — Oracle E-Business Suite (Oracle Payments): pre-auth RCE now exploited in the wild
From CTI Daily Brief — 2026-07-01 · published 2026-07-01
Critical (CVSS 9.8) unauthenticated RCE in the File Transmission component of Oracle Payments within Oracle E-Business Suite 12.2.3–12.2.15. A remote attacker with HTTP network access can take over Oracle Payments via a low-complexity attack; the flaw was patched in the May 2026 Critical Patch Update. Threat-intel firm Defused reported the first confirmed in-the-wild exploitation against its Oracle EBS honeypots, with the first attempts observed over the weekend of 27–28 June, roughly six weeks post-patch. Until then the vulnerability had "no known previous exploitation and no public POC code" (BleepingComputer, 2026-06-29 · SecurityAffairs, 2026-06-30). Defused did not publicly disclose the technical mechanics; exploitation is so far confirmed only against honeypots and is not attributed to a named cluster. Exposure and defender guidance in § 5.