Severity
High
Analysis Summary
Threat actors are actively exploiting CVE-2026-46817, a critical unauthenticated remote code execution and system takeover vulnerability affecting the Oracle Payments File Transmission component in Oracle E-Business Suite (EBS). The flaw carries a CVSS v3.1 score of high and impacts Oracle EBS versions 12.2.3 through 12.2.15. An attacker with network access over HTTP can exploit the vulnerability without authentication, enabling complete compromise of the application's confidentiality, integrity, and availability. The vulnerability's low attack complexity and lack of authentication requirements make it highly attractive for large-scale exploitation.
The first confirmed in-the-wild exploitation was observed during June 27–28, 2026, when security researchers detected attacks against Oracle EBS honeypots. The attacks targeted the /OA_HTML/ibytransmit Oracle iPayment File Transmission endpoint using crafted XML DeliveryRequest payloads. The observed activity originated from the attacker IP 45.84.137.125 (AS136787 PacketHub S.A., France) and leveraged the CODEX_PULL transmission scheme with the FULL_FILE_PATH parameter pointing to /etc/passwd, indicating an attempt to perform local file disclosure through a path traversal-style technique. Notably, the exploitation occurred despite the absence of any publicly available proof-of-concept (PoC), suggesting the threat actor possesses privately developed exploit capabilities.
Telemetry collected by Shadowserver revealed widespread scanning and exploitation attempts, with 456 attack events recorded on June 28, 2026. North America (193) and Asia (181) experienced the highest number of attacks, followed by Europe (53), South America (18), Africa (9), and Oceania (2), demonstrating a global targeting campaign. Key indicators of compromise (IOCs) include the attacker IP 45.84.137.125, requests to the /OA_HTML/ibytransmit endpoint, the ibytransmit-lab-poc/1.0 User-Agent string, abuse of the CODEX_PULL_* transmission scheme, and attempts to access sensitive files such as /etc/passwd.
Oracle addressed CVE-2026-46817 in its May 2026 Critical Security Patch Update (CSPU), released on May 28, 2026, and reinforced its guidance through a supplementary June 2026 CSPU issued on June 16, 2026. Organizations running vulnerable Oracle E-Business Suite deployments should immediately apply the available security updates, restrict or eliminate public internet access to Oracle EBS interfaces—particularly the /OA_HTML/ path—audit web server logs for suspicious POST requests containing crafted XML payloads, and hunt for the identified IOCs across firewall, proxy, and web server logs. Organizations that delayed patching beyond the initial May release should conduct a thorough compromise assessment, as the confirmed use of private exploit tooling significantly increases the likelihood of successful compromise against unpatched systems.
Impact
- Code Execution
- Gain Access
Indicators of Compromise
CVE
CVE-2026-46817
Remediation
- Apply Oracle's May 2026 Critical Security Patch Update (CSPU) immediately to all affected Oracle E-Business Suite 12.2.3–12.2.15 installations.
- Install the supplementary June 2026 CSPU to ensure all related security fixes and updates are applied.
- Restrict or block public Internet access to Oracle E-Business Suite, especially the /OA_HTML/ directory and the /OA_HTML/ibytransmit endpoint, unless absolutely required.
- Review web server and application logs for suspicious POST requests targeting /OA_HTML/ibytransmit, particularly those containing unusual XML DeliveryRequest payloads.
- Threat hunt for known IOCs, including the attacker IP 45.84.137.125, the ibytransmit-lab-poc/1.0 User-Agent string, and abuse of the CODEX_PULL_* transmission scheme.
- Monitor for attempts to access sensitive system files, such as /etc/passwd, which may indicate exploitation or path traversal activity.
- Restrict network access to Oracle EBS by allowing connections only from trusted IP addresses through firewalls, VPNs, or reverse proxies.
- Deploy or update Web Application Firewall (WAF) rules to detect and block malicious XML payloads and unauthorized requests to vulnerable Oracle EBS endpoints.