ctipilot.ch


Oracle E-Business Suite CVE-2026-46817: pre-auth RCE in the Payments File Transmission servlet, first in-the-wild exploitation

notable vulnerability discovered 2026-07-01 04:41 UTC deep dive

Entities: ShinyHunters

Part of run 2026-07-01-af9e697d (intel · Claude Opus 4.8 (1M context))

What it is. CVE-2026-46817 (CVSS 9.8) is an unauthenticated remote-code-execution flaw in the File Transmission component of Oracle Payments, part of Oracle E-Business Suite, affecting EBS 12.2.3 through 12.2.15. The reporting characterises it as allowing "remote, unauthenticated attackers to take over Oracle Payments" with only HTTP network access and a low-complexity attack. Oracle fixed it in the May 2026 Critical Patch Update (SecurityAffairs, 2026-06-30).

Exploitation status. Threat-intel firm Defused reported the first confirmed in-the-wild exploitation against its Oracle EBS honeypots, with the first attempts observed over the weekend of 27–28 June 2026, roughly six weeks after the patch; until that point the flaw had "no known previous exploitation and no public POC code" (BleepingComputer, 2026-06-29). Defused did not publicly disclose the technical mechanics of the observed attacks or the attackers' motivation, and no named threat cluster has been attributed. The operationally important signals are therefore the timeline and exposure, not a public exploit: a critical pre-auth flaw in a widely deployed ERP moved from "patched, no known exploitation" to "exploited in the wild" without a public PoC, which is the pattern that turns unpatched internet-facing estates into targets fastest. Oracle's statement notes it "continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches."

Exposure surface. Shadowserver tracks over 450 internet-exposed Oracle EBS instances, with nearly 200 across the United States and Europe (BleepingComputer, 2026-06-29). Patch adoption six weeks after the May CPU is unknown, so a meaningful exposed-and-unpatched population is plausible. EBS Payments/financial modules are common in government, higher-education and large-enterprise finance back offices: high-value data behind an internet-reachable application tier.

Why this product line draws attacker interest. Oracle back-office suites have become a recurring extortion target: this flaw lands while the separate, still-active ShinyHunters Oracle PeopleSoft campaign (§ 4, CVE-2026-35273) continues to acquire named victims. Two distinct Oracle enterprise product lines under active exploitation in the same window is the signal for defenders to treat all internet-facing Oracle application tiers as priority patch-and-isolate targets, not just the specific CVE.

ATT&CK, hunt and hardening. The observable stage is unauthenticated exploitation of an internet-facing application (T1190 Exploit Public-Facing Application). Because the exploit mechanics are not public, prioritise patch verification and exposure reduction over signature-based hunting: confirm the May 2026 Critical Patch Update is applied to every EBS 12.2.x instance; remove EBS / Oracle Payments web interfaces from public internet reachability, fronting them with an authenticated VPN or restricting them to internal networks; and review the Oracle Payments web tier's access logs for anomalous unauthenticated HTTP requests, treating any exposed, unpatched instance as potentially already probed given the pre-PoC exploitation timing.
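One way to do the access-log review recommended above, as an added example that is not part of the brief and not Oracle's tooling: a Python pass over the EBS web tier's access log that summarises, per external source, direct requests (no Referer) to EBS web paths. It assumes Apache/OHS combined log format, RFC1918 as the organisation's internal address space, and a placeholder name for the Payments File Transmission servlet path, which the brief does not give.

```python
import ipaddress
import re
from collections import defaultdict

# Apache/OHS "combined" format, which the EBS web tier (Oracle HTTP Server) writes.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Organisation address space (assumed RFC1918 here); anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# EBS web-tier prefixes to review; the Payments servlet name in SAMPLE_LOG is a placeholder.
WATCH_PREFIXES = ("/OA_HTML/", "/OA_CGI/")
# Constructed sample lines, not real traffic (external sources use documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jun/2026:02:14:09 +0000] "POST /OA_HTML/PLACEHOLDER-PaymentsFileTransmission HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [28/Jun/2026:02:14:11 +0000] "POST /OA_HTML/PLACEHOLDER-PaymentsFileTransmission HTTP/1.1" 500 0 "-" "python-requests/2.31"
10.20.5.14 - - [28/Jun/2026:08:01:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Jun/2026:03:40:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Jun/2026:03:40:05 +0000] "GET /OA_HTML/RF.jsp?function_id=1 HTTP/1.1" 200 1200 "https://ebs.example.com/OA_HTML/AppsLogin" "Mozilla/5.0"
"""

def parse_line(line):
    """Return one access-log line's fields as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_external(addr):
    """True when the source address parses and lies outside the organisation's ranges."""
    try:
        return not any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)
    except ValueError:
        return False  # unparsable source field: skip it rather than flag blindly

def find_external_direct_requests(log_text, prefixes=WATCH_PREFIXES):
    """Summarise, per external source, direct (no Referer) hits on watched EBS paths.
    Public source + no Referer is a cheap proxy for requests not made by in-app navigation."""
    findings = defaultdict(lambda: {"count": 0, "paths": set(), "statuses": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_external(rec["src"]):
            continue
        path = rec["path"].split("?", 1)[0]  # ignore the query string when matching prefixes
        if not path.startswith(prefixes) or rec["referer"] != "-":
            continue
        f = findings[rec["src"]]
        f["count"] += 1
        f["paths"].add(path)
        f["statuses"].add(rec["status"])
    return dict(findings)
```

Sources with many direct hits on a single servlet path, or with 5xx responses to POSTs, are the ones to pull full request bodies and timing for; a missing Referer alone is not evidence of exploitation.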

