Hackers Exploiting Critical Oracle E-Business Suite Vulnerability Actively in Attacks
Cybersecurity News
By Guru Baran
June 29, 2026
Threat actors are actively exploiting CVE-2026-46817, a critical unauthenticated remote takeover vulnerability in Oracle E-Business Suite (EBS), with live attack activity captured across honeypot infrastructure over the weekend of June 27–28, 2026.
CVE-2026-46817 is a critical-severity flaw residing in the Oracle Payments product within Oracle E-Business Suite, specifically in the File Transmission component. The vulnerability carries a CVSS 3.1 base score of 9.8 and allows an unauthenticated attacker with network access via HTTP to fully compromise Oracle Payments, leading to complete takeover of confidentiality, integrity, and availability.
Affected versions span Oracle E-Business Suite 12.2.3 through 12.2.15. The CVSS vector reflects the low attack complexity and zero authentication requirement, making it trivially exploitable at scale.
Oracle E-Business Flaw Actively Exploited
Over the weekend of June 27–28, 2026, active exploitation of CVE-2026-46817 was detected on Oracle E-Business Suite honeypots, representing the first known in-the-wild exploitation of this flaw. No public proof-of-concept (PoC) code exists, indicating that the threat actor may be operating with privately developed exploit capabilities.
The attack traffic captured on the Defused honeypots revealed targeted POST requests to /OA_HTML/ibytransmit, the Oracle iPayment file transmission endpoint.
The attacker IP 45.84.137[.]125, operating through AS136787 PacketHub S.A. (France), targeted port 443 and submitted a crafted XML DeliveryRequest payload.
Oracle Flaw Exploited (Source: Defused)
The payload contained a CODEX_PULL transmission scheme, with the FULL_FILE_PATH parameter set to /etc/passwd — a classic indicator of a local file read / path traversal exploitation chain designed to exfiltrate sensitive system files.
According to Shadowserver, there were a combined 456 hits on June 28 across all monitored regions, with North America (193) and Asia (181) absorbing the bulk of the attack traffic. Europe accounted for 53 hits, South America for 18, Africa for 9, and Oceania for 2.
Vulnerable Devices (Source: Shadowserver)
Oracle addressed CVE-2026-46817 in its May 2026 Critical Security Patch Update (CSPU), released on May 28, 2026. The update addressed 35 unique CVEs across multiple Oracle product families, with 11 classified as critical.
Oracle strongly urged all customers to apply the patches immediately upon release. A supplementary June 2026 CSPU was subsequently released on June 16, 2026, reinforcing Oracle’s advisory posture.
Indicators of Compromise (IOCs)
| Indicator | Type | Detail |
| --- | --- | --- |
| 45.84.137.125 | Attacker IP | AS136787 PacketHub S.A., France |
| /OA_HTML/ibytransmit | URL Path | Oracle iPayment File Transmission endpoint |
| ibytransmit-lab-poc/1.0 | User-Agent | Exploit tooling identifier |
| CODEX_PULL_* | Transmission Scheme | Oracle Payments delivery scheme abuse |
| /etc/passwd | File Target | FULL_FILE_PATH parameter in exploit payload |
Organizations running Oracle E-Business Suite should act immediately:
- Apply the May 2026 CSPU patch for EBS versions 12.2.3–12.2.15 without delay.
- Block or restrict public internet access to Oracle EBS interfaces, particularly the /OA_HTML/ path.
- Audit web server logs for POST requests to /OA_HTML/ibytransmit with unusual XML payloads.
- Threat hunt for the attacker IP 45.84.137.125 and the User-Agent string ibytransmit-lab-poc/1.0 across firewall and proxy logs.
- Conduct a compromise assessment if patching was delayed beyond May 28, 2026.
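An added example (not from the original article, Oracle, Defused or Shadowserver): a Python log hunt for the audit and threat-hunting steps above, matching the three indicators from the IOC list that are visible in web server access logs. It assumes Apache/Nginx "combined" log format and runs on constructed sample lines; that format does not record request bodies, so the CODEX_PULL scheme and FULL_FILE_PATH value have to be searched for in WAF or packet-capture data instead.

```python
import re
from urllib.parse import unquote, urlsplit

# Indicators taken from the article's IOC list.
IOC_IP = "45.84.137.125"
IOC_PATH = "/oa_html/ibytransmit"          # compared after lower-casing
IOC_UA = "ibytransmit-lab-poc/1.0"

# Apache/Nginx "combined" log format (assumed; adjust for a custom LogFormat).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def classify(line):
    """Return (timestamp, ip, status, reasons) for a suspicious line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Drop the query string, decode percent-encoding and normalise case so
    # that variants such as /OA_HTML/%69bytransmit?x=1 are still surfaced.
    path = unquote(urlsplit(m["target"]).path).lower()
    reasons = []
    if path.rstrip("/") == IOC_PATH:
        reasons.append("post-to-endpoint" if m["method"] == "POST" else "endpoint-probe")
    if m["ip"] == IOC_IP:
        reasons.append("known-attacker-ip")
    if IOC_UA in m["ua"].lower():
        reasons.append("exploit-user-agent")
    return (m["ts"], m["ip"], int(m["status"]), reasons) if reasons else None

def hunt(lines):
    """Return every suspicious entry found in an iterable of log lines."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines, not real traffic (198.51.100.x / 203.0.113.x are documentation ranges).
SAMPLE = [
    '198.51.100.7 - - [28/Jun/2026:03:12:44 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '45.84.137.125 - - [28/Jun/2026:03:14:02 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 1873 "-" "ibytransmit-lab-poc/1.0"',
    '203.0.113.9 - - [28/Jun/2026:04:01:10 +0000] "POST /OA_HTML/%69bytransmit?x=1 HTTP/1.1" 500 312 "-" "curl/8.5.0"',
    '203.0.113.9 - - [28/Jun/2026:04:02:31 +0000] "GET /OA_HTML/ibytransmit/ HTTP/1.1" 405 0 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for ts, ip, status, reasons in hunt(SAMPLE):
        print(ts, ip, status, ",".join(reasons))
```

Entries that combine a POST to the endpoint with a 2xx status deserve review first, whatever the source IP or User-Agent, since both of those indicators are easy for an operator to change.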
Given the absence of public PoC code and the confirmed emergence of private exploit tooling, unpatched Oracle EBS deployments remain at severe risk of full system compromise.