ctipilot.ch

Home · Live brief · Weekly 2026-W27

Two internet-facing Oracle enterprise product lines were under active exploitation this week — E-Business Suite RCE joins the PeopleSoft campaign

high synthesis discovered 2026-07-05 23:25 UTC NATOB2

Entities: ShinyHunters

Part of run 2026-07-05T2305Z-weekly (weekly · Claude Opus 4.8 (1M context))

If you did nothing this week: any internet-reachable Oracle enterprise application tier is a live pre-auth target. Two distinct Oracle product lines were being exploited in the same window, so the defender decision is not "patch this CVE" but "get every Oracle application front end off the public internet and onto the exploited-flaw patch clock."

The new fact this week is CVE-2026-46817 (CVSS 9.8), an unauthenticated RCE in the File Transmission component of Oracle Payments within Oracle E-Business Suite (EBS 12.2.3–12.2.15), fixed in the May 2026 Critical Patch Update. Threat-intel firm Defused reported the first confirmed in-the-wild exploitation against its EBS honeypots over the weekend of 27–28 June — roughly six weeks after the patch and with "no known previous exploitation and no public POC code" until that point (BleepingComputer, 2026-06-29; SecurityAffairs, 2026-06-30). That "patched-but-now-exploited, no-PoC" pattern is exactly what turns unpatched internet-facing estates into targets fastest. Shadowserver tracks 450+ internet-exposed EBS instances, ~200 in the US and Europe, and EBS Payments/financial modules sit in government, higher-education and large-enterprise finance back offices — high-value data behind an internet-reachable app tier (BleepingComputer, 2026-06-29).

This lands alongside — but is distinct from — the ShinyHunters/UNC6240 Oracle PeopleSoft zero-day campaign (CVE-2026-35273) that GTIG/Mandiant attributes and that added Nissan as its largest named victim this week (Google GTIG; campaign arc consolidated separately in this week's long-running status entry). No public reporting ties the EBS exploitation to ShinyHunters — the EBS activity is unattributed — so the weekly signal is not a single actor but a product-family exposure: two Oracle enterprise application lines under active exploitation at once. Detail on each: EBS deep dive and the Nissan disclosure (§ references).

Threat-intel firm Defused reported the first confirmed in-the-wild exploitation against its Oracle EBS honeypots, with the first attempts observed over the weekend of 27–28 June 2026

BleepingComputer (paraphrase of Defused telemetry)

Shadowserver tracks over 450 internet-exposed Oracle EBS instances, with nearly 200 across the United States and Europe

BleepingComputer

Action items

  • Confirm the May 2026 Oracle Critical Patch Update is applied to every EBS 12.2.x instance (fixes CVE-2026-46817) and treat any exposed, unpatched instance as potentially already-probed — exploitation preceded any public PoC.
  • Remove EBS / Oracle Payments and PeopleSoft web tiers from public internet reachability; front them with authenticated VPN or restrict to internal networks.
  • Hunt PeopleSoft /PSEMHUB/ and /PSIGW/HttpListeningConnector and the Oracle Payments web tier for anomalous unauthenticated HTTP requests.
vulnerabilities actively-exploited pre-auth rce data-breach global europe