Threat actors are actively exploiting CVE-2026-46817, a critical unauthenticated remote takeover vulnerability in Oracle E-Business Suite (EBS), with live attack activity captured across honeypot infrastructure over the weekend of June 27–28, 2026.
CVE-2026-46817 is a critical-severity flaw in the Oracle Payments product within Oracle E-Business Suite, specifically in the File Transmission component. The vulnerability carries a CVSS 3.1 base score of 9.8 and allows an unauthenticated attacker with network access via HTTP to fully compromise Oracle Payments, resulting in complete loss of confidentiality, integrity, and availability.
Affected versions span Oracle E-Business Suite 12.2.3 through 12.2.15. The CVSS vector reflects the low attack complexity and zero authentication requirement, making it trivially exploitable at scale.
Oracle E-Business Flaw Actively Exploited
Over the weekend of June 27–28, 2026, active exploitation of CVE-2026-46817 was detected on Oracle E-Business Suite honeypots, representing the first known in-the-wild exploitation of this flaw. No public proof-of-concept (PoC) code exists, indicating that the threat actor may be operating with privately developed exploit capabilities.
The attack traffic captured on the Defused honeypots revealed targeted POST requests to /OA_HTML/ibytransmit, the Oracle iPayment file transmission endpoint.
The attacker IP 45.84.137[.]125, operating through AS136787 PacketHub S.A. (France), targeted port 443 and submitted a crafted XML DeliveryRequest payload.

The payload contained a CODEX_PULL transmission scheme, with the FULL_FILE_PATH parameter set to /etc/passwd — a classic indicator of a local file read / path traversal exploitation chain designed to exfiltrate sensitive system files.
According to Shadowserver, there were a combined 456 hits on June 28 across all monitored regions, with North America (193) and Asia (181) absorbing the bulk of the attack traffic. Europe accounted for 53 hits, South America for 18, Africa for 9, and Oceania for 2.

Oracle addressed CVE-2026-46817 in its May 2026 Critical Security Patch Update (CSPU), released on May 28, 2026. The update addressed 35 unique CVEs across multiple Oracle product families, with 11 classified as critical.
Oracle strongly urged all customers to apply the patches immediately upon release. A supplementary June 2026 CSPU was subsequently released on June 16, 2026, reinforcing Oracle’s advisory posture.
Indicators of Compromise (IOCs)
| Indicator | Type | Detail |
|---|---|---|
| 45.84.137.125 | Attacker IP | AS136787 PacketHub S.A., France |
| /OA_HTML/ibytransmit | URL Path | Oracle iPayment File Transmission endpoint |
| ibytransmit-lab-poc/1.0 | User-Agent | Exploit tooling identifier |
| CODEX_PULL_* | Transmission Scheme | Oracle Payments delivery scheme abuse |
| /etc/passwd | File Target | FULL_FILE_PATH parameter in exploit payload |
Organizations running Oracle E-Business Suite should act immediately:
- Apply the May 2026 CSPU patch for EBS versions 12.2.3–12.2.15 without delay.
- Block or restrict public internet access to Oracle EBS interfaces, particularly the /OA_HTML/ path.
- Audit web server logs for POST requests to /OA_HTML/ibytransmit with unusual XML payloads.
- Threat hunt for the attacker IP 45.84.137.125 and the User-Agent string ibytransmit-lab-poc/1.0 across firewall and proxy logs.
- Conduct a compromise assessment if patching was delayed beyond May 28, 2026.
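The log audit and threat hunt steps above can be scripted. The following is an added example, not code from Oracle, Defused or Shadowserver; it assumes the web tier writes Apache/NGINX "combined" format access logs, and the sample lines are constructed for illustration.

```python
import re

# Indicators taken from the IOC table on this page.
IOC_PATH = "/OA_HTML/ibytransmit"
IOC_IP = "45.84.137.125"
IOC_UA = "ibytransmit-lab-poc/1.0"

# "combined" access log format (assumption; adjust for your web tier).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def hunt(lines):
    """Return (line_no, src_ip, reasons) for every line matching an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        reasons = []
        path = m["uri"].split("?", 1)[0]  # ignore any query string
        # Compare case-insensitively so differently-cased requests are not missed.
        if m["method"] == "POST" and path.lower().rstrip("/") == IOC_PATH.lower():
            reasons.append("post-to-ibytransmit")
        if m["ip"] == IOC_IP:
            reasons.append("ioc-ip")
        if IOC_UA.lower() in m["ua"].lower():
            reasons.append("ioc-user-agent")
        if reasons:
            hits.append((n, m["ip"], reasons))
    return hits

# Constructed sample log lines (not real traffic). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges; /OA_HTML/example.jsp is a placeholder.
SAMPLE = [
    '45.84.137.125 - - [28/Jun/2026:03:14:07 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 512 "-" "ibytransmit-lab-poc/1.0"',
    '203.0.113.9 - - [28/Jun/2026:03:15:00 +0000] "GET /OA_HTML/example.jsp HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Jun/2026:04:01:22 +0000] "POST /OA_HTML/ibytransmit?x=1 HTTP/1.1" 500 0 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for n, ip, reasons in hunt(SAMPLE):
        print(f"line {n}: {ip} -> {', '.join(reasons)}")
```

Any POST to the endpoint is flagged regardless of source, since the IP and User-Agent are easy for an attacker to change; request bodies are not in access logs, so payload review needs WAF or proxy captures.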
Given the absence of public PoC code and the confirmed emergence of private exploit tooling, unpatched Oracle EBS deployments remain at severe risk of full system compromise.