ctipilot.ch

Daily brief 2026-07-01

CVE-2026-46817 — Oracle E-Business Suite (Oracle Payments): pre-auth RCE now exploited in the wild

high vulnerability discovered 2026-07-01 04:41 UTC

Part of run 2026-07-01-af9e697d (intel · Claude Opus 4.8 (1M context))

Critical (CVSS 9.8) unauthenticated RCE in the File Transmission component of Oracle Payments within Oracle E-Business Suite 12.2.3–12.2.15, allowing a remote attacker with HTTP network access to take over Oracle Payments via a low-complexity attack; patched in the May 2026 Critical Patch Update. Threat-intel firm Defused reported the first confirmed in-the-wild exploitation against its Oracle EBS honeypots, with the first attempts observed over the weekend of 27–28 June — roughly six weeks post-patch, and with the vulnerability having "no known previous exploitation and no public POC code" until then (BleepingComputer, 2026-06-29 · SecurityAffairs, 2026-06-30). Defused did not publicly disclose the technical mechanics; exploitation is so far confirmed only against honeypots and is not attributed to a named cluster. Exposure and defender guidance in § 5.

Action items

  • Patch Oracle E-Business Suite now if the May 2026 CPU is not applied — CVE-2026-46817 is under confirmed in-the-wild exploitation (§ 5). Remove Oracle Payments / EBS web interfaces from public internet reachability and review the Payments web tier's access logs for anomalous unauthenticated HTTP requests.
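The log-review step in the action item above, as an added example that is not part of the ctipilot brief and not code from Oracle or Defused. It assumes the EBS web tier writes Apache/NCSA combined-format access lines (check the tier's LogFormat), that the login URL and the Payments URL prefixes are the placeholders in LOGIN_PATHS and PAYMENTS_PREFIXES (replace them with your deployment's values), and that the sample lines are constructed, not captured traffic. The heuristic it applies is the one a defender can run with nothing but the access log: a source that sends a write request (POST/PUT/PATCH) to a Payments path before it has ever touched a login path, or that does so with no User-Agent, has no business being there on a tier that should only accept authenticated sessions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed: Apache/NCSA "combined" log format. Verify the web tier's LogFormat
# before trusting the parse; a different format just yields no records.
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Placeholders (assumptions): set these to the login URL(s) and the Payments
# servlet/JSP prefixes of your own EBS deployment.
LOGIN_PATHS = ("/OA_HTML/AppsLogin", "/OA_HTML/AppsLocalLogin.jsp")
PAYMENTS_PREFIXES = ("/OA_HTML/",)
WRITE_METHODS = {"POST", "PUT", "PATCH"}


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def triage(lines):
    """Return findings for requests to Payments paths that a session-less client
    should not be able to make: a write before any login request from that
    source in this log window, or any Payments request with an empty User-Agent."""
    seen_login = set()
    findings = []
    records = [r for r in map(parse, lines) if r]
    records.sort(key=lambda r: r["ts"])  # logs merged from several nodes may be unordered
    for r in records:
        if r["path"].startswith(LOGIN_PATHS):
            seen_login.add(r["src"])  # source has at least reached the login page
            continue
        if not r["path"].startswith(PAYMENTS_PREFIXES):
            continue
        reasons = []
        if r["method"] in WRITE_METHODS and r["src"] not in seen_login:
            reasons.append("write to Payments path before any login request")
        if r["ua"] in ("", "-"):
            reasons.append("empty User-Agent")
        if reasons:
            findings.append({"src": r["src"], "path": r["path"],
                             "status": r["status"], "reasons": reasons})
    return findings


def sources_by_reason(findings):
    """Group flagged source addresses by reason, for a quick blocklist/triage view."""
    grouped = defaultdict(set)
    for f in findings:
        for reason in f["reasons"]:
            grouped[reason].add(f["src"])
    return {k: sorted(v) for k, v in grouped.items()}


# Constructed sample log (not real traffic): one legitimate user who logs in
# first, one session-less write, one empty-UA probe, one harmless read, one
# malformed line that the parser skips.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Jun/2026:08:01:10 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [29/Jun/2026:08:01:45 +0000] "POST /OA_HTML/OA.jsp HTTP/1.1" 200 2048 "https://ebs.example.internal/OA_HTML/AppsLogin" "Mozilla/5.0"',
    '203.0.113.7 - - [29/Jun/2026:09:00:00 +0000] "POST /OA_HTML/OA.jsp HTTP/1.1" 500 512 "-" "curl/8.0"',
    '198.51.100.9 - - [29/Jun/2026:09:05:00 +0000] "GET /OA_HTML/OA.jsp HTTP/1.1" 200 1024 "-" "-"',
    '192.0.2.4 - - [29/Jun/2026:09:10:00 +0000] "GET /OA_HTML/OA.jsp HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'this line is not in combined format and is skipped',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print(sources_by_reason(triage(SAMPLE_LOG)))
```

Feed it the real access log with `triage(open(path).read().splitlines())` after replacing the placeholders. Reads are deliberately not flagged on their own (public landing pages and health checks would drown the result); narrow PAYMENTS_PREFIXES to the Payments component's actual servlet paths to cut noise further.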
Tags: vulnerabilities · actively-exploited · pre-auth · rce · global · CVE-2026-46817