2026-07-16 · view entry permalink →
CVE-2026-46817 — Oracle E-Business Suite (Payments): unauthenticated RCE now CISA KEV-listed after quiet in-the-wild exploitation (CVSS 9.8)
CISA added CVE-2026-46817 to its Known Exploited Vulnerabilities catalog on 15 July 2026, the first formal confirmation of active exploitation for a flaw Oracle patched without fanfare in its May 2026 Critical Patch Update (CISA, 2026-07-15). The bug sits in the File Transmission component of Oracle Payments — the payment-processing engine built into Oracle E-Business Suite — and Oracle characterises it as improper privilege management, improper authentication and missing authentication for a critical function that an unauthenticated attacker with HTTP network access can use to compromise and take over Oracle Payments (CVSS 9.8; Oracle CPU, 2026-05-28). Affected releases are EBS 12.2.3 through 12.2.15.
Threat-intelligence firm Defused recorded the first in-the-wild exploitation against its EBS honeypot decoys on 27 June 2026 — roughly six weeks after the patch and before any public proof-of-concept existed — as a single source running an unauthenticated file read against the Payments component rather than broad scanning (Help Net Security, 2026-06-30). The observed technique calls the ibytransmit endpoint in the File Transmission component, invoking an internal Oracle Java function directly and redirecting it to read /etc/passwd; the same primitive can be pointed at configuration files holding database credentials, encryption keys or payment-processor API keys (Help Net Security, 2026-06-30). This is the same EBS product family already under sustained ShinyHunters/UNC6240 extortion pressure and the latest in a now-annual cadence of critical, remotely exploitable EBS flaws.
On 27 June 2026 our Oracle E-Business Suite decoys recorded the first in-the-wild exploitation of CVE-2026-46817 — roughly six weeks after Oracle's May 2026 patch and before any public proof-of-concept existed.
The exploit targets the ibytransmit endpoint in Oracle Payments' File Transmission component, and calls an internal Oracle Java function directly, redirecting it to read a file (/etc/passwd) from the server.
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.