CVE-2026-46817 — Oracle E-Business Suite (Payments): unauthenticated RCE now CISA KEV-listed after quiet in-the-wild exploitation (CVSS 9.8)
CISA added CVE-2026-46817 to its Known Exploited Vulnerabilities catalog on 15 July 2026, the first formal confirmation of active exploitation for a flaw Oracle patched without fanfare in its May 2026 Critical Patch Update (CISA, 2026-07-15). The bug sits in the File Transmission component of Oracle Payments — the payment-processing engine built into Oracle E-Business Suite — and Oracle characterises it as improper privilege management, improper authentication and missing authentication for a critical function that an unauthenticated attacker with HTTP network access can use to compromise and take over Oracle Payments (CVSS 9.8; Oracle CPU, 2026-05-28). Affected releases are EBS 12.2.3 through 12.2.15.
Threat-intelligence firm Defused recorded the first in-the-wild exploitation against its EBS honeypot decoys on 27 June 2026 — roughly six weeks after the patch and before any public proof-of-concept existed — as a single source running an unauthenticated file read against the Payments component rather than broad scanning (Help Net Security, 2026-06-30). The observed technique calls the ibytransmit endpoint in the File Transmission component, invoking an internal Oracle Java function directly and redirecting it to read /etc/passwd; the same primitive can be pointed at configuration files holding database credentials, encryption keys or payment-processor API keys (Help Net Security, 2026-06-30). This is the same EBS product family already under sustained ShinyHunters/UNC6240 extortion pressure and the latest in a now-annual cadence of critical, remotely exploitable EBS flaws.
On 27 June 2026 our Oracle E-Business Suite decoys recorded the first in-the-wild exploitation of CVE-2026-46817 — roughly six weeks after Oracle's May 2026 patch and before any public proof-of-concept existed.
The exploit targets the ibytransmit endpoint in Oracle Payments' File Transmission component, and calls an internal Oracle Java function directly, redirecting it to read a file (/etc/passwd) from the server.
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
Defender actions
- Apply Oracle's May 2026 Critical Patch Update to every Oracle E-Business Suite 12.2.3–12.2.15 instance now; until patched, remove the EBS web tier (Oracle Payments) from public internet exposure.
- Treat any internet-facing EBS instance left unpatched since 2026-05-28 as potentially compromised — review web-access logs for POST requests to /OA_HTML/ibytransmit and, on any hit, run a forensic review and rotate every credential/key stored on that host.
ATT&CK mapping
1 technique mapped from the cited reporting · MITRE ATT&CK v19.1
Initial Access TA0001
T1190Exploit Public-Facing Application
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Sources
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.