🚨 CRITICAL ALERT: Active Zero-Day Exploits

Active exploitation is confirmed for a critical, unauthenticated remote takeover vulnerability in Oracle Payments (CVE-2026-46817), which allows attackers to fully compromise Oracle E-Business Suite instances with a CVSS score of 9.8 [2][5]. Threat actors observed exploiting this flaw over the weekend of June 27–28, 2026, targeting the ibytransmit endpoint to read sensitive server files like /etc/passwd without authentication [2][8]. Approximately 950 exposed instances are currently considered potentially vulnerable, making immediate patching and network restriction essential [6].

Critical Vulnerabilities (CVSS >= 8.0)

  • CVE-2026-46817 (CVSS: 9.8): A critical flaw in the File Transmission component of Oracle Payments within Oracle E-Business Suite (versions 12.2.3–12.2.15) that allows unauthenticated attackers to achieve a full system takeover via HTTP requests [1][3]. The vulnerability stems from improper privilege management and missing authentication for a critical function, and it has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog as of July 15, 2026 [2][3]. View NVD | CISA KEV

âš¡ Immediate Actions Required

Organizations running Oracle E-Business Suite versions 12.2.3 through 12.2.15 must apply Oracle’s May 2026 Critical Security Patch Update (CSPU) immediately to mitigate this active threat [2][4]. Until patched, restrict all internet-facing EBS web interfaces to internal networks only and block public access to the /OA_HTML/ibytransmit endpoint [2]. Security teams should review logs for suspicious POST requests to this endpoint and assume any unpatched instance exposed to the internet past May 28 is potentially compromised [2]. If evidence of compromise is found, perform a full forensic review and rotate all credentials and keys stored on the affected host immediately [2].