Under Fire: Critical Oracle E-Business Suite Payments Flaw (CVE-2026-46817) Actively Exploited in the Wild
Executive Summary
A critical security vulnerability in Oracle E-Business Suite (EBS) is currently under active exploitation by cybercriminals. Tracked as CVE-2026-46817 with a Common Vulnerability Scoring System (CVSS) severity rating of 9.8, the defect resides in the File Transmission component of the Oracle Payments module. Oracle first patched the flaw in its late May 2026 Critical Patch Update (CPU). Threat intelligence decoy networks then captured the first in-the-wild exploitation attempts over the weekend of June 27, 2026, before any public proof-of-concept (PoC) exploit code had been released. Web administrators running Oracle EBS are urged to apply the available security updates immediately to prevent unauthorized takeover of payment workflows.
Technical Deep-Dive
Oracle Payments functions as the payment-processing engine built into Oracle’s E-Business Suite, centralizing how corporate finance applications send and receive payments through banking networks and card processors.
The vulnerability, CVE-2026-46817, is a critical flaw in the File Transmission component, specifically affecting the /OA_HTML/ibytransmit endpoint. It stems from two root causes:
1. Improper Privilege Management: The endpoint lacks appropriate role-based permission checks.
2. Missing Authentication for Critical Functions: Unauthenticated remote attackers can query the endpoint directly over HTTP.
According to threat intelligence telemetry from Defused, threat actors are leveraging this flaw to perform unauthenticated file-read operations. Specifically, attackers call the internal Oracle Java function directly through the ibytransmit endpoint and redirect it to retrieve sensitive system files, such as /etc/passwd. Because the exploitation complexity is extremely low, any unauthenticated attacker with network reachability to the EBS web interface can execute this payload without user interaction.
Vulnerability Profile
Metric               Specification
CVE Identifier       CVE-2026-46817
CVSS v3.1 Score      9.8 (Critical)
Vector               CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Versions    Oracle E-Business Suite versions 12.2.3 through 12.2.15
Industry Impact and Threat Landscape
Because Oracle Payments handles critical corporate financial transactions, a compromise of this system represents a severe threat. Unauthenticated file reads can allow threat actors to extract database credentials, session tokens, configurations, and sensitive transaction logs. An attacker can pivot from this initial access to completely take over Oracle Payments, manipulate file transmissions, compromise banking connections, or establish lateral persistence within the enterprise network.
As observed in telemetry, the initial exploits originated from a single source performing early validation testing and reconnaissance rather than opportunistic scanning. However, as news of the exploit spreads, broader automated scanning and exploit campaigns are expected.
Recommendations and Mitigations
Organizations running affected versions of Oracle E-Business Suite must take immediate action to secure their environments:
1. Apply the May 2026 Critical Patch Update: Immediately install the official Oracle patch to address the vulnerability in Oracle Payments’ File Transmission component.
2. Restrict Web Interface Access: Implement firewall and network security controls to ensure that Oracle E-Business Suite web interfaces are restricted to internal trusted networks and not exposed to the public internet.
3. Log Analysis and Audit: Review web server access logs for suspicious HTTP POST or GET requests targeting the /OA_HTML/ibytransmit endpoint. Any unpatched system exposed to the public internet past May 28, 2026, should be treated as potentially compromised and subjected to a comprehensive forensic review.
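One way to carry out the log review in step 3, as an added example that is not Oracle's or Defused's tooling: it assumes access logs in Apache/Oracle HTTP Server common or combined format, and the sample lines and addresses are constructed. Paths are normalised before matching so that encoded or differently cased requests to the endpoint are not missed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

TARGET = "/oa_html/ibytransmit"  # endpoint named in the advisory, lower-cased
# Assumption: Apache/OHS common or combined log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Constructed sample lines (documentation-range addresses, made-up sizes).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Jun/2026:03:14:07 +0000] "GET /OA_HTML/ibytransmit HTTP/1.1" 200 1843',
    '203.0.113.7 - - [27/Jun/2026:03:14:09 +0000] "POST /OA_HTML/%69bytransmit?x=1 HTTP/1.1" 200 512',
    '198.51.100.23 - - [28/Jun/2026:11:02:55 +0000] "GET //oa_html/IBYTransmit;a=b HTTP/1.1" 403 -',
    '192.0.2.10 - - [28/Jun/2026:11:05:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 9120',
]

def normalise_path(uri):
    """Drop the query string, percent-decode twice (double encoding), drop
    ;path-parameters, collapse repeated slashes, lower-case."""
    path = uri.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    path = path.split(";", 1)[0]
    return re.sub(r"/{2,}", "/", path).lower()

def find_hits(lines):
    """Return {source_ip: [(timestamp, method, status, bytes_sent), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        path = normalise_path(m["uri"])
        if path == TARGET or path.startswith(TARGET + "/"):
            size = 0 if m["size"] == "-" else int(m["size"])
            hits[m["ip"]].append((m["ts"], m["method"], int(m["status"]), size))
    return dict(hits)

def served_content(hits):
    """Source IPs that got a 2xx response with a body: triage these first."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(200 <= s < 300 and n > 0 for _, _, s, n in reqs))

if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG)
    print(found, served_content(found))
```

Any source that received a 2xx response with a body from this endpoint on an unpatched host is the starting point for the forensic review described above.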