Critical Vulnerability in Oracle Payments Product Under Active Exploitation (CVE-2026-46817)

Executive Summary

On July 15th, 2026, CISA added a critical flaw in Oracle E-Business Suite's Payments module to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation of the vulnerability in the wild. Tracked as CVE-2026-46817, the flaw requires no authentication, no user interaction, and can be exploited remotely over HTTP enabling a complete takeover of the Oracle Payments module.

Oracle E-Business Suite (EBS) has become aggressively targeted for extortion-motivated threat actors. The Cl0p ransomware group's exploitation of a separate EBS vulnerability disclosed in 2025 led to mass data theft and extortion against more than 100 organizations, and the ShinyHunters group claimed a similar campaign against Oracle PeopleSoft customers earlier in 2026.

Given the vulnerability's unauthenticated, remote nature and Oracle E-Business Suite's recent history of targeting by extortion groups, Beazley Security recommends affected organizations apply available fixes immediately.

Affected Systems and Products

 Product  Affected Versions  Fixed Versions

 Oracle Payments (Oracle E-Business Suite)

 12.2.3 through 12.2.15

 Patched via May 2026 CSPU

*Oracle states that the vulnerability specifically affects the File Transmission component of Oracle Payments.

Mitigations and Workarounds

Beazley Security strongly recommends affected organizations apply updates immediately due to active exploitation in the wild. Oracle has released patches to remediate this vulnerability, please see the “patches” section below for more information.

If patching cannot be immediately applied, the below mitigations may help to temporarily reduce risk:

  • Remove or restrict public internet exposure of the Oracle E-Business Suite web interface where Oracle Payments are used, particularly the `/OA_HTML/` path, limiting access to trusted internal and administrative networks only.
  • Deploy Web Application Firewalls (WAF) with signatures that detect exploitation attempts of this vulnerability
  • Treat any internet-facing instance left unpatched since May, 2026 as potentially compromised and review it before reconnecting it to the internet.

Patches

Oracle addressed CVE-2026-46817 in its May 2026 Critical Patch Update, released May 28, 2026, and reinforced the fixes in a supplementary Critical Patch Update issued June 16, 2026. Patches are available through Oracle’s Patch Update and Security Alert program. Additional information can be found here.

Indicators of Compromise (IOCs)

Security researchers have reportedly observed isolated exploitation attempts against Oracle EBS honeypots in the wild since as early as late June, 2026.

Captured traffic from observed exploitation consisted of POST requests to /OA_HTML/ibytransmit carrying a crafted XML DeliveryRequest payload using the CODEX_PULL transmission scheme, with the FULL_FILE_PATH parameter set to /etc/passwd demonstrating attempts to exfiltrate sensitive server files:

 Indicator  Type  Detail

 45.84.137.125

 Attacker IP

 AS136787 PacketHub S.A., France

 /OA_HTML/ibytransmit

 URL Path

 Oracle iPayment File Transmission endpoint

 ibytransmit-lab-poc/1.0

 User-Agent

 Exploit tooling identifier

Technical Details

CVE-2026-46817 is a critical, remotely exploitable vulnerability in the File Transmission component of Oracle Payments within Oracle E-Business Suite, affecting versions 12.2.3 through 12.2.15. Oracle classifies the flaw as resulting from improper privilege management, improper authentication, and missing authentication for a critical function.

The vulnerable code path is the /OA_HTML/ibytransmit endpoint, which accepts unauthenticated HTTP POST requests carrying XML payloads. By crafting a malicious POST request to this endpoint, an attacker can redirect an internal Oracle Java function to read arbitrary files from the underlying server filesystem without any credentials, session token, or user interaction. Demonstrated exploitation attempts targeted files such as /etc/passwd, with the broader risk extending to EBS configuration files that may contain database credentials, encryption keys, and payment-processor API keys.

Because the File Transmission component operates within Oracle Payments, successful exploitation could expose financial transaction and other sensitive ERP data. Exploitation observed to date has been limited to file disclosure, but the same unauthenticated access path could enable further escalation. As recent history would indicate, released proof of concept code and a lower barrier to exploitation may attract additional campaigns from threat actors.

How Beazley Security is Responding

Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.

Sources

Vous êtes au courant d'un incident qui a un impact sur votre secteur d'activité ? Faites-nous savoir :

Report an incident