CVE-2026-46817: Active Exploitation Against ~950 Internet-Exposed Oracle E-Business Suite Payments Instances — Threadlinqs Intelligence
Threat ID: TL-2026-1073 · Severity: CRITICAL · CVSS: 9.8 · Status: ACTIVE · Category: VULNERABILITY
A critical (CVSS 9.8) unauthenticated remote takeover flaw in the File Transmission component of Oracle Payments (Oracle E-Business Suite 12.2.3-12.2.15) is under active in-the-wild exploitation.
CVE-2026-46817 is an improper privilege management / missing authentication for a critical function vulnerability (CWE-306, CWE-287) in the File Transmission sub-component of the Oracle Payments product within Oracle E-Business Suite (EBS). It affects EBS versions 12.2.3 through 12.2.15. The flaw allows an unauthenticated attacker with network access via HTTP to fully compromise Oracle Payments (confidentiality, integrity, and availability) with low attack complexity and no user interaction, via crafted requests to the iPayment file transmission endpoint /OA_HTML/ibytransmit.
Oracle patched the vulnerability in its May 2026 Critical Security Patch Update (CSPU), released May 28, 2026, with a supplementary June 2026 CSPU released June 16, 2026. On June 27-28, 2026 -- roughly four weeks after the patch and before any public proof-of-concept existed -- threat-intelligence firm Defused observed the first in-the-wild exploitation attempts on its Oracle EBS honeypot infrastructure. The captured traffic consisted of POST requests to /OA_HTML/ibytransmit carrying a crafted XML DeliveryRequest payload using the CODEX_PULL transmission scheme, with the FULL_FILE_PATH parameter set to /etc/passwd -- a classic local file read / path traversal exploitation pattern used to exfiltrate sensitive server files (and potentially database credentials, encryption keys, or payment processor API keys from EBS configuration files). The observed source IP, 45.84.137.125, resolves to AS136787 (PacketHub S.A., France), though researchers assessed the attacker was routing traffic through a VPN/proxy to obscure true origin. Requests used the identifying User-Agent string ibytransmit-lab-poc/1.0 and targeted HTTPS/443.
Defused's broader monitoring recorded 456 exploitation attempts against monitored honeypots in a single 24-hour window (June 28, 2026), distributed globally: North America (193), Asia (181), Europe (53), South America (18), Africa (9), Oceania (2) -- indicating the activity had shifted from a single targeted proof-of-concept probe to broader opportunistic scanning within roughly 24 hours.
Separately, the Shadowserver Foundation, working with Validin LLC, enhanced its Oracle EBS internet-exposure fingerprinting by adding domain-based scanning to its existing IP-based fingerprinting methodology. This identified approximately 950 (reported as 'over 900') internet-accessible Oracle EBS instances globally, more than half based in the United States, representing organizations running finance, supply chain, HR, and back-office systems that are potentially vulnerable to CVE-2026-46817 if unpatched. Shadowserver published its findings via its public dashboard and social channels on July 1, 2026.
This incident follows a pattern of prior critical unauthenticated RCE flaws in Oracle EBS being weaponized rapidly after patch release -- most notably CVE-2025-61882, exploited by the Cl0p ransomware/extortion group in August 2025 for mass data-theft extortion campaigns against EBS customers. While no attribution to a named threat actor or group has been established for CVE-2026-46817 exploitation as of this report, the honeypot-observed activity progressing from a single targeted PoC-style probe to widespread scanning within a day is consistent with either a researcher/red-team validating exploitation feasibility or an early-stage opportunistic threat actor preparing for a larger campaign (potentially including ransomware/extortion operators who have previously targeted this exact product line).
Weaknesses (CWE)
CWE-306, CWE-287, CWE-284, CWE-269
Target sectors: finance, supply-chain, human-resources, manufacturing, retail, government administration, back-office-operations
Target regions: North America, Europe, Asia, South America, Africa, Oceania
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 17 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
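As an added illustration of what a first-pass detection for the activity described above looks like, the following Python script (written for this page; it is not one of the Threadlinqs rules, nor Defused or Oracle code) scans web-server access logs for requests to the /OA_HTML/ibytransmit endpoint and escalates when the source IP or User-Agent matches the indicators given in this report. It assumes Apache/OHS combined log format and an operator-supplied allowlist of sources that are known to legitimately exchange payment files with the endpoint. The log lines are constructed samples. Note the caveat: the FULL_FILE_PATH parameter lives in the POST body, so an access log alone cannot confirm a file-read attempt; that requires WAF or request-body logging, and the rule below therefore treats any non-allowlisted POST to the endpoint as worth review.

```python
"""Flag requests to the Oracle Payments file-transmission endpoint in access logs.

Added example, not vendor or Threadlinqs code. Assumes combined log format and
an operator-maintained allowlist of legitimate payment-file integration sources.
"""
import re
from typing import Iterable, Optional

# Indicators from the report: endpoint, observed source IP and User-Agent.
IBY_ENDPOINT = "/OA_HTML/ibytransmit"
IOC_SOURCE_IPS = {"45.84.137.125"}
IOC_USER_AGENTS = {"ibytransmit-lab-poc/1.0"}

# Combined log format: host ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines; only the second and third touch the endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Jun/2026:09:14:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
45.84.137.125 - - [28/Jun/2026:09:15:11 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 812 "-" "ibytransmit-lab-poc/1.0"
198.51.100.7 - - [28/Jun/2026:09:16:40 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 500 233 "-" "python-requests/2.31"
203.0.113.10 - - [28/Jun/2026:09:17:03 +0000] "POST /OA_HTML/OA.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: dict, allowlist: set) -> list:
    """Return reason tags for a parsed record; an empty list means not flagged."""
    # Strip any query string and compare the path case-insensitively.
    if rec["path"].split("?", 1)[0].lower() != IBY_ENDPOINT.lower():
        return []
    reasons = []
    if rec["src"] in IOC_SOURCE_IPS:
        reasons.append("ioc_ip")
    if rec["agent"] in IOC_USER_AGENTS:
        reasons.append("ioc_user_agent")
    # The flaw needs no authentication, so any non-allowlisted client reaching
    # the endpoint is reviewable; POSTs match the observed exploitation shape.
    if rec["src"] not in allowlist:
        reasons.append("post_to_ibytransmit" if rec["method"] == "POST" else "probe_of_ibytransmit")
    return reasons


def detect(lines: Iterable[str], allowlist: set = frozenset()) -> list:
    """Run classify() over log lines and return one finding per flagged request."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        reasons = classify(rec, allowlist)
        if reasons:
            # An IOC match is a direct hit on reported activity; otherwise it is
            # unexpected traffic to an unauthenticated, actively exploited endpoint.
            severity = "critical" if any(r.startswith("ioc_") for r in reasons) else "high"
            findings.append({
                "src": rec["src"],
                "time": rec["time"],
                "status": rec["status"],
                "severity": severity,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f["severity"].upper(), f["src"], f["time"], ", ".join(f["reasons"]))
```

Feed it real logs with `detect(open(path), allowlist={...})`; the allowlist should contain only the integration hosts your payments team confirms, since the endpoint itself does not require a session and an unknown client reaching it is the signal, not the HTTP status code (a 500 from a failed attempt is still an attempt).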
Tags: VULNERABILITY, CRITICAL, threat intelligence, cybersecurity, CVE-2026-46817
MITRE ATT&CK techniques: T1595, T1592, T1587, T1583, T1190, T1203, T1090, T1211, T1552, T1083