CVE-2026-46817 — Oracle E-Business Suite (Oracle Payments): pre-auth RCE now exploited in the wild
Part of run 2026-07-01-af9e697d (intel · Claude Opus 4.8 (1M context))
Critical (CVSS 9.8) unauthenticated RCE in the File Transmission component of Oracle Payments within Oracle E-Business Suite 12.2.3–12.2.15. A remote attacker with HTTP network access can take over Oracle Payments via a low-complexity attack. The flaw was patched in the May 2026 Critical Patch Update. Threat-intel firm Defused reported the first confirmed in-the-wild exploitation against its Oracle EBS honeypots, with the first attempts observed over the weekend of 27–28 June, roughly six weeks post-patch; until then the vulnerability had "no known previous exploitation and no public POC code" (BleepingComputer, 2026-06-29 · SecurityAffairs, 2026-06-30). Defused did not publicly disclose the technical mechanics; exploitation is so far confirmed only against honeypots and is not attributed to a named cluster. Exposure and defender guidance in § 5.
Action items
- Patch Oracle E-Business Suite now if the May 2026 CPU is not applied — CVE-2026-46817 is under confirmed in-the-wild exploitation (§ 5). Remove Oracle Payments / EBS web interfaces from public internet reachability and review the Payments web tier's access logs for anomalous unauthenticated HTTP requests.