ctipilot.ch

Oracle E-Business Suite / Oracle Payments File Transmission unauthenticated RCE/takeover (CVSS 9.8); CISA KEV 2026-07-15, exploited ITW since 2026-06-27; fixed Oracle May 2026 CPU (12.2.3-12.2.15)

cve · CVE-2026-46817

Coverage timeline
3
first 2026-06-01 → last 2026-07-16
Peak priority
high
2 high · 1 notable
Sources cited
6
6 hosts
Sections touched
2
deep-dive, trending-vulnerabilities
Co-occurring entities
1
see Related entities below
ATT&CK techniques
1
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques
Affected products
Oracle E-Business SuiteOracle Payments

ATT&CK techniques

1 technique observed across 2 entries — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×2

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-16/cve-2026-46817-oracle-ebs-payments-preauth-rce-kev-listed · 2026-07-01/oracle-e-business-suite-cve-2026-46817-pre-auth-rce-in-the-p · ATT&CK page ↗

Story timeline

  1. 2026-07-16CVE-2026-46817 — Oracle E-Business Suite (Payments): unauthenticated RCE now CISA KEV-listed after quiet in-the-wild exploitation (CVSS 9.8)
    trending-vulnerabilitiesOracle E-Business Suite Payments pre-auth takeover (CVE-2026-46817) confirmed exploited and KEV-listed — patch or pull exposed instances off the internet
  2. 2026-07-01Oracle E-Business Suite CVE-2026-46817: pre-auth RCE in the Payments File Transmission servlet, first in-the-wild exploitation
    deep-dive
  3. 2026-07-01CVE-2026-46817 — Oracle E-Business Suite (Oracle Payments): pre-auth RCE now exploited in the wild
    trending-vulnerabilities

Where this entity is cited

  • trending-vulnerabilities2
  • deep-dive1

Source distribution

  • attack.mitre.org1 (17%)
  • bleepingcomputer.com1 (17%)
  • cisa.gov1 (17%)
  • helpnetsecurity.com1 (17%)
  • oracle.com1 (17%)
  • securityaffairs.com1 (17%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about Oracle E-Business Suite / Oracle Payments File Transmission unauthenticated RCE/takeover (CVSS 9.8); CISA KEV 2026-07-15, exploited ITW since 2026-06-27; fixed Oracle May 2026 CPU (12.2.3-12.2.15) (3)

2026-07-16 · view entry permalink →

HIGHCVE-2026-46817exploitedNATOA1

CVE-2026-46817 — Oracle E-Business Suite (Payments): unauthenticated RCE now CISA KEV-listed after quiet in-the-wild exploitation (CVSS 9.8)

CISA added CVE-2026-46817 to its Known Exploited Vulnerabilities catalog on 15 July 2026, the first formal confirmation of active exploitation for a flaw Oracle patched without fanfare in its May 2026 Critical Patch Update (CISA, 2026-07-15). The bug sits in the File Transmission component of Oracle Payments — the payment-processing engine built into Oracle E-Business Suite — and Oracle characterises it as improper privilege management, improper authentication and missing authentication for a critical function that an unauthenticated attacker with HTTP network access can use to compromise and take over Oracle Payments (CVSS 9.8; Oracle CPU, 2026-05-28). Affected releases are EBS 12.2.3 through 12.2.15.

Threat-intelligence firm Defused recorded the first in-the-wild exploitation against its EBS honeypot decoys on 27 June 2026 — roughly six weeks after the patch and before any public proof-of-concept existed — as a single source running an unauthenticated file read against the Payments component rather than broad scanning (Help Net Security, 2026-06-30). The observed technique calls the ibytransmit endpoint in the File Transmission component, invoking an internal Oracle Java function directly and redirecting it to read /etc/passwd; the same primitive can be pointed at configuration files holding database credentials, encryption keys or payment-processor API keys (Help Net Security, 2026-06-30). This is the same EBS product family already under sustained ShinyHunters/UNC6240 extortion pressure and the latest in a now-annual cadence of critical, remotely exploitable EBS flaws.

On 27 June 2026 our Oracle E-Business Suite decoys recorded the first in-the-wild exploitation of CVE-2026-46817 — roughly six weeks after Oracle's May 2026 patch and before any public proof-of-concept existed.

Help Net Security (citing Defused) 2026-06-30

The exploit targets the ibytransmit endpoint in Oracle Payments' File Transmission component, and calls an internal Oracle Java function directly, redirecting it to read a file (/etc/passwd) from the server.

Help Net Security

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CISA 2026-07-15
vulnerability16 Jul 04:35Zmulti-sourceOpen finding ↗

2026-07-01 · view entry permalink →

NOTABLECVE-2026-46817exploited

Oracle E-Business Suite CVE-2026-46817: pre-auth RCE in the Payments File Transmission servlet, first in-the-wild exploitation

What it is. CVE-2026-46817 (CVSS 9.8) is an unauthenticated remote-code-execution flaw in the File Transmission component of Oracle Payments, part of Oracle E-Business Suite, affecting EBS 12.2.3 through 12.2.15. The reporting characterises it as allowing "remote, unauthenticated attackers to take over Oracle Payments" with only HTTP network access and a low-complexity attack. Oracle fixed it in the May 2026 Critical Patch Update (SecurityAffairs, 2026-06-30).

Exploitation status. Threat-intel firm Defused reported the first confirmed in-the-wild exploitation against its Oracle EBS honeypots, with the first attempts observed over the weekend of 27–28 June 2026 — roughly six weeks after the patch, and the flaw had "no known previous exploitation and no public POC code" until that point (BleepingComputer, 2026-06-29). Defused did not publicly disclose the technical mechanics of the observed attacks or the attackers' motivation, and no named threat cluster has been attributed. The operationally important signals are therefore the timeline and exposure, not a public exploit: a critical pre-auth flaw in a widely-deployed ERP moved from "patched, no known exploitation" to "exploited in the wild" without a public PoC, which is the pattern that turns unpatched internet-facing estates into targets fastest. Oracle's statement notes it "continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches."

Exposure surface. Shadowserver tracks over 450 internet-exposed Oracle EBS instances, with nearly 200 across the United States and Europe (BleepingComputer, 2026-06-29). Patch-adoption six weeks after the May CPU is unknown, so a meaningful exposed-and-unpatched population is plausible. EBS Payments/financial modules are common in government, higher-education and large-enterprise finance back offices — high-value data behind an internet-reachable application tier.

Why this product line draws attacker interest. Oracle back-office suites have become a recurring extortion target: this flaw lands while the separate, still-active ShinyHunters Oracle PeopleSoft campaign (§ 4, CVE-2026-35273) continues to acquire named victims. Two distinct Oracle enterprise product lines under active exploitation in the same window is the signal for defenders to treat all internet-facing Oracle application tiers as priority patch-and-isolate targets, not just the specific CVE.

ATT&CK, hunt and hardening. The observable stage is unauthenticated exploitation of an internet-facing application (T1190 Exploit Public-Facing Application). Because the exploit mechanics are not public, prioritise patch verification and exposure reduction over signature-based hunting: confirm the May 2026 Critical Patch Update is applied to every EBS 12.2.x instance; remove EBS / Oracle Payments web interfaces from public internet reachability, fronting them with authenticated VPN or restricting to internal networks; and review the Oracle Payments web tier's access logs for anomalous unauthenticated HTTP requests, treating any exposed, unpatched instance as potentially already-probed given the pre-PoC exploitation timing.

What it is.

ctipilot v2 brief (migrated)
vulnerability01 Jul 04:41Zmulti-sourceOpen finding ↗

2026-07-01 · view entry permalink →

HIGHCVE-2026-46817exploited

CVE-2026-46817 — Oracle E-Business Suite (Oracle Payments): pre-auth RCE now exploited in the wild

Critical (CVSS 9.8) unauthenticated RCE in the File Transmission component of Oracle Payments within Oracle E-Business Suite 12.2.3–12.2.15, allowing a remote attacker with HTTP network access to take over Oracle Payments via a low-complexity attack; patched in the May 2026 Critical Patch Update. Threat-intel firm Defused reported the first confirmed in-the-wild exploitation against its Oracle EBS honeypots, with the first attempts observed over the weekend of 27–28 June — roughly six weeks post-patch, and with the vulnerability having "no known previous exploitation and no public POC code" until then (BleepingComputer, 2026-06-29 · SecurityAffairs, 2026-06-30). Defused did not publicly disclose the technical mechanics; exploitation is so far confirmed only against honeypots and is not attributed to a named cluster. Exposure and defender guidance in § 5.

Critical (CVSS 9.8) unauthenticated RCE in the File Transmission component of Oracle Payments within Oracle E-Business Suite 12.2.3–12.2.15, allowing a remote attacker with HTTP network access to take over Oracle Payments via a low-complexity attack; patched in the May 2026 Critical Patch Update.

ctipilot v2 brief (migrated)
vulnerability01 Jul 04:41Zmulti-sourceOpen finding ↗