Critical Oracle E-Business Suite Vulnerability Exploited in the Wild
Threat actors are actively exploiting CVE-2026-46817, a critical unauthenticated remote takeover vulnerability in Oracle E-Business Suite (EBS), with attacks detected over the weekend of June 27–28, 2026. The flaw, rated 9.8 (CVSS 3.1), resides in the Oracle Payments component, specifically the File Transmission module, and allows attackers with network access via HTTP to fully compromise affected systems, impacting confidentiality, integrity, and availability.
The vulnerability affects Oracle EBS versions 12.2.3 through 12.2.15, with exploitation requiring no authentication and minimal complexity. Honeypot infrastructure captured attack traffic targeting the /OA_HTML/ibytransmit endpoint, where threat actors delivered a crafted XML DeliveryRequest payload. The attack, originating from IP 45.84.137[.]125 (AS136787, PacketHub S.A., France), used a CODEX_PULL transmission scheme with the FULL_FILE_PATH parameter set to /etc/passwd, indicating an attempt to exfiltrate sensitive system files.
Global attack activity peaked on June 28, with 456 detected hits, primarily in North America (193) and Asia (181), followed by Europe (53), South America (18), Africa (9), and Oceania (2).
Oracle addressed CVE-2026-46817 in its May 2026 Critical Patch Update (CSPU), released on May 28, 2026, which included fixes for 35 CVEs, 11 of them critical. A follow-up June 2026 CSPU was issued on June 16, 2026, reinforcing patching recommendations. Despite these updates, the absence of a public proof-of-concept (PoC) suggests attackers are using privately developed exploit tooling, heightening risks for unpatched deployments.
Key Indicators of Compromise (IOCs):
- Attacker IP: 45.84.137[.]125
- Targeted Endpoint: /OA_HTML/ibytransmit
- User-Agent: ibytransmit-lab-poc/1.0
- Exploit Payload: CODEX_PULL transmission scheme with /etc/passwd file path
Source: https://cybersecuritynews.com/oracle-e-business-flaw-actively-exploited/
Oracle cybersecurity rating report: https://www.rankiteo.com/company/oracle
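One way to sweep web-tier access logs for the indicators listed above, as an added example that is not part of the original report. It assumes Apache/NGINX "combined" log format; the severity labels and function names are hypothetical, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Indicators from the report above; the IP is refanged for matching.
IOC_IP = "45.84.137.125"
IOC_PATH = "/oa_html/ibytransmit"
IOC_UA = "ibytransmit-lab-poc/1.0"

# Assumption: the web tier writes Apache/NGINX "combined" access logs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return a finding dict for one log line, or None if nothing matches."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # Drop the query string, decode %-escapes, ignore case and trailing slash.
    path = unquote(m["target"].split("?", 1)[0]).rstrip("/").lower()
    reasons = []
    if path == IOC_PATH:
        reasons.append("endpoint")
    if m["ua"] == IOC_UA:
        reasons.append("user-agent")
    if m["ip"] == IOC_IP:
        reasons.append("source-ip")
    if not reasons:
        return None
    if "endpoint" in reasons and len(reasons) > 1:
        severity = "high"      # endpoint hit corroborated by a second IoC
    elif "endpoint" in reasons:
        severity = "review"    # endpoint alone: check against expected clients
    else:
        severity = "medium"    # known IP or tool seen on another path
    return {"severity": severity, "reasons": reasons, "ip": m["ip"],
            "time": m["ts"], "status": int(m["status"])}

def scan(lines):
    """Classify every line and return only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (not captured traffic).
SAMPLE = [
    '45.84.137.125 - - [28/Jun/2026:03:14:07 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 512 "-" "ibytransmit-lab-poc/1.0"',
    '198.51.100.7 - - [28/Jun/2026:03:20:11 +0000] "POST /OA_HTML/ibytransmit?x=1 HTTP/1.1" 500 0 "-" "curl/8.5.0"',
    '45.84.137.125 - - [28/Jun/2026:03:21:40 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [28/Jun/2026:03:22:02 +0000] "GET /index.html HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]
```

The response status is kept in each finding so an analyst can separate requests the server answered from those it rejected.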
"id": "ORA1782750283",
"linkid": "oracle",
"type": "Vulnerability",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'location': 'Global (North America: 193, Asia: 181, '
'Europe: 53, South America: 18, Africa: 9, '
'Oceania: 2)',
'type': 'Enterprise'}],
'attack_vector': 'Network (HTTP)',
'data_breach': {'data_exfiltration': 'Yes (attempted exfiltration of '
'/etc/passwd)',
'file_types_exposed': ['System files'],
'sensitivity_of_data': 'High (e.g., /etc/passwd)',
'type_of_data_compromised': 'System configuration files'},
'date_detected': '2026-06-27',
'description': 'Threat actors are actively exploiting CVE-2026-46817, a '
'critical unauthenticated remote takeover vulnerability in '
'Oracle E-Business Suite (EBS). The flaw allows attackers with '
'network access via HTTP to fully compromise affected systems, '
'impacting confidentiality, integrity, and availability. The '
'vulnerability affects Oracle EBS versions 12.2.3 through '
'12.2.15 and was exploited to exfiltrate sensitive system '
'files.',
'impact': {'data_compromised': 'Sensitive system files (e.g., /etc/passwd)',
'operational_impact': 'Full system compromise (confidentiality, '
'integrity, and availability)',
'systems_affected': 'Oracle E-Business Suite (EBS) versions 12.2.3 '
'through 12.2.15'},
'investigation_status': 'Ongoing',
'post_incident_analysis': {'corrective_actions': 'Patch management and '
'vulnerability remediation',
'root_causes': 'Unpatched Oracle E-Business Suite '
'vulnerability (CVE-2026-46817)'},
'recommendations': 'Apply Oracle Critical Patch Updates (May 2026 CSPU and '
'June 2026 CSPU) immediately to mitigate CVE-2026-46817. '
'Monitor network traffic for exploitation attempts '
'targeting /OA_HTML/ibytransmit.',
'references': [{'source': 'Oracle Critical Patch Update (May 2026 CSPU)'},
{'source': 'Oracle Critical Patch Update (June 2026 CSPU)'}],
'response': {'remediation_measures': 'Apply Oracle Critical Patch Updates '
'(May 2026 CSPU and June 2026 CSPU)'},
'title': 'Critical Oracle E-Business Suite Vulnerability Exploited in the '
'Wild',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': 'CVE-2026-46817'}