Attackers exploit critical Oracle E-Business vulnerability

Threat intel company Defused has reported that attackers are exploiting a critical vulnerability, tracked as CVE-2026-46817, in the Oracle E-Business Suite (EBS) financial application.

The vulnerability, in the File Transmission component of EBS’s Oracle Payments product, lets unauthenticated malicious actors with HTTP network access take over vulnerable systems through low-complexity attacks.

Oracle released security updates to address the vulnerability in the May 2026 Critical Security Patch Update and urged customers to patch immediately. According to Defused, the vulnerability had no previously known exploitation or public proof of concept (PoC).

Sunil Gottumukkala, CEO of Averlon, had this comment:

“This is an unauthenticated, low-complexity takeover of Oracle E-Business Suite, which runs many companies’ financials and payments, so the value to an attacker is obvious. EBS is already a known extortion target.

“Oracle shipped the patch in May, there is still no public proof-of-concept, yet attackers are already exploiting it, most likely by reverse-engineering the patch itself. A released fix can become the attacker’s roadmap, which is why the exposure window, the gap between when a patch ships and when it’s actually deployed, is where the real risk lives. Every day a critical vulnerability sits unpatched is another day inside that window.

“Organizations running EBS Payments on affected versions have no time to spare. Patch now, take the File Transmission component off the open internet, and hunt for compromise.”

Denis Calderone, CTO, Suzu Labs, had this to say:

“The Cl0p campaign that exploited CVE-2025-61882 across more than a hundred Oracle EBS environments proved two things. First, that Oracle EBS is a target-rich environment full of financial, HR, and procurement data worth serious extortion money. And second, that a lot of organizations are running internet-exposed EBS instances and not patching fast enough. CVE-2026-46817 looks like what follows when that kind of spotlight gets put on a platform. Different actors, different component, but the same exposed attack surface. And this time, the target is Oracle Payments’ File Transmission module, the component that formats and transmits payment instructions, ACH batches, wire transfers, and EFT files directly to financial institutions.

“Some months back we all witnessed Cl0p’s Oracle EBS campaign hit over a hundred organizations using a sophisticated five-step exploit chain through BI Publisher that required SSRF, CRLF injection, path traversal, and malicious XSLT template processing just to get to code execution. That was a fairly sophisticated chained attack. CVE-2026-46817 looks far less complex, more like the front door was just left wide open. There is no authentication on the HTTP endpoint, and no complex exploit chain required. A crafted HTTP request gets you from zero access to full control of the system that formats and transmits ACH batches, wire transfers, and EFT files to financial institutions. Oracle EBS has a definite spotlight on its back. Now we have different actors picking different components, and we’d argue this is potentially much worse.

“The way the File Transmission component handles file operations can be exploited to execute arbitrary code on the server, and the attacker lands with enough privilege to take over Oracle Payments entirely. Oracle scored it a 9.8. File Transmission is the component that opens connections with banks and payment systems to send formatted payment instruction files. Full takeover of that system means potential access to read, modify, or redirect financial transactions.

“What’s got our attention is the exploitation timeline. There is no public proof-of-concept code for this vulnerability. Defused observed active exploitation on their Oracle EBS honeypots over the weekend. This probably means that someone reverse-engineered Oracle’s May patch, built a working exploit, and deployed it operationally in under six weeks. That tells you something about the caliber of actor going after this and how much value they see in owning a payment processing system.

“Oracle EBS is self-hosted, so the attack surface is entirely in your hands. If your Oracle Payments File Transmission endpoints are reachable over HTTP from untrusted network segments, restrict that access immediately to trusted internal sources only. Apply the May 2026 Critical Patch Update. The affected version range is 12.2.3 through 12.2.15, nearly identical to the Cl0p campaign’s target set. And given the six-week window between patch availability and confirmed exploitation, assume compromise and hunt for indicators of unauthorized access to your payment processing infrastructure going back to late May. If you’re running these versions, treat this as an emergency, not a quarterly maintenance item.”
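One way to start the hunt described above, as an added example that is not from the article, Defused or Oracle: filter web-tier access logs for requests to the File Transmission path that came from outside trusted ranges since late May. The log format, the trusted ranges, the 20 May cut-off and the `PATH_PREFIX` placeholder are all assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Apache-style access log format is an assumption; adapt to your web tier.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# PLACEHOLDER: the article does not name the File Transmission URL path.
PATH_PREFIX = "/PLACEHOLDER/file-transmission"
# Assumed trusted internal ranges; replace with your own.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# "Late May" is taken here as 20 May 2026 (an assumption).
SINCE = datetime(2026, 5, 20, tzinfo=timezone.utc)

def hunt(lines, prefix=PATH_PREFIX, trusted=TRUSTED, since=SINCE):
    """Return (unparsed_count, hits) for untrusted requests to prefix since `since`."""
    hits, unparsed = [], 0
    want = prefix.lower()
    for line in lines:
        m = LOG_RE.match(line)
        try:
            ip = ipaddress.ip_address(m["ip"])
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except (TypeError, ValueError):  # no regex match, or bad IP/timestamp
            unparsed += 1  # count, never silently drop, lines we cannot judge
            continue
        # Decode %-escapes and fold case so trivially obfuscated paths still match.
        path = unquote(m["path"]).lower()
        if ts < since or not path.startswith(want):
            continue
        if any(ip in net for net in trusted):
            continue
        hits.append((ts.isoformat(), str(ip), m["method"], m["path"], int(m["status"])))
    return unparsed, hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '10.1.2.3 - - [02/Jun/2026:10:00:00 +0000] "POST /PLACEHOLDER/file-transmission/x HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Jun/2026:03:12:45 +0000] "POST /PLACEHOLDER/file-transmission/x HTTP/1.1" 200 1833',
    '203.0.113.7 - - [01/May/2026:03:12:45 +0000] "GET /PLACEHOLDER/file-transmission/x HTTP/1.1" 404 0',
    '198.51.100.9 - - [15/Jun/2026:08:00:01 +0000] "GET /placeholder/%66ile-transmission/y HTTP/1.1" 500 77',
    '198.51.100.9 - - [15/Jun/2026:08:00:02 +0000] "GET /other/page HTTP/1.1" 200 10',
    'truncated or corrupt line',
]

if __name__ == "__main__":
    unparsed, hits = hunt(SAMPLE)
    print(f"unparsed lines: {unparsed}")
    for hit in hits:
        print(hit)
```

If the web tier sits behind a load balancer or reverse proxy, the logged client address may be the proxy's own, so match on the forwarded client address instead.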

Since organizations are in control, it is up to them to patch all the things. I recommend that they do so before an attack comes of this.
