Critical Vulnerability in Oracle E-Business Suite Actively Exploited in Real-World Cyberattacks!

Cybercriminals continue to target large corporate information systems. This time, the Oracle E-Business Suite (EBS) platform, used by thousands of organizations worldwide, is at the center of the threat. Experts have confirmed that a critically dangerous vulnerability, registered under identifier CVE-2026-46817, is being actively exploited in real-world cyberattacks.

This vulnerability was discovered in the File Transmission component of the Oracle Payments module and allows attackers to gain full remote control over the system without any authentication. The vulnerability’s CVSS 3.1 score of 9.8 indicates its classification at the highest — Critical — severity level.

What Is Oracle E-Business Suite?

Oracle E-Business Suite (Oracle EBS) is a corporate business management platform widely used by large enterprises, banks, government agencies, and industrial organizations worldwide. This system manages financial operations, procurement, logistics, human resources, manufacturing, customer relationship management, and electronic payment processes.

Therefore, any critical vulnerability discovered in Oracle EBS poses a threat not only to a single server but to the entire corporate infrastructure and the critical business data stored within it.

What Is the Nature of the Vulnerability?

The CVE-2026-46817 vulnerability was discovered in the File Transmission component of the Oracle Payments module, which is responsible for file transfers.

The issue is that an unauthenticated user accessing the system over the Internet via HTTP or HTTPS can send a specially crafted request and exploit the Oracle Payments service.

As a result, an attacker can:

  • read confidential data;
  • modify system configuration;
  • disrupt service operations;
  • gain full control over the server.

No username, password, or other authentication credentials are required to exploit this vulnerability. The low complexity of the attack makes automated mass exploitation possible.

Real-World Attacks Have Been Recorded

On June 27–28, 2026, cybersecurity specialists recorded real attacks exploiting this vulnerability against specialized honeypot systems designed for Oracle EBS.

This is the first confirmed case of CVE-2026-46817 being exploited in a real-world environment.

Notably, no public Proof-of-Concept (PoC) exploit code has been released for this vulnerability to date. This indicates that the group behind the attacks is using their own private exploitation tool.

How Is the Attack Carried Out?

In the attacks recorded by experts, the attackers sent specially crafted HTTP POST requests to the /OA_HTML/ibytransmit endpoint in Oracle EBS.

This endpoint handles file transfer processes in the Oracle iPayment system.

The request contained a DeliveryRequest object in XML format, in which the FULL_FILE_PATH parameter was directed to the /etc/passwd file through the CODEX_PULL transfer mechanism.

On Linux operating systems, the /etc/passwd file stores basic system information about users. Attempting to read this specific file is a classic indicator of Path Traversal or Local File Read (LFR) attacks.

If successful, an attacker can read other critical files on the server, carry out further exploitation stages, and fully compromise the system.

In Which Regions Were Attacks Observed?

According to data from the Shadowserver Foundation, which monitors Internet threats, a total of 456 exploitation attempts were recorded worldwide on June 28, 2026, alone.

The regional distribution of attacks was as follows:

  • North America — 193;
  • Asia — 181;
  • Europe — 53;
  • South America — 18;
  • Africa — 9;
  • Oceania — 2.

This indicates the global scale of active exploitation of the vulnerability.

Indicators of Compromise (IoCs)

Experts recommend paying special attention to the following indicators:

  • requests originating from IP address 45.84.137.125;
  • unusual POST requests to the /OA_HTML/ibytransmit endpoint;
  • atypical XML-formatted DeliveryRequest payloads;
  • User-Agent string ibytransmit-lab-poc/1.0;
  • use of the CODEX_PULL transfer mechanism;
  • presence of parameters such as FULL_FILE_PATH=/etc/passwd.

If these indicators are detected, there is a high probability that the system has been compromised.

What Measures Did Oracle Take?

Oracle addressed this vulnerability as part of the Critical Security Patch Update (CSPU) released on May 28, 2026.

This update addressed a total of 35 CVEs in Oracle products, 11 of which had critical severity levels.

Additionally, on June 16, 2026, the company announced further security updates and urged all customers to apply the updates as soon as possible.

Recommendations for Organizations

Organizations using Oracle E-Business Suite are strongly advised to take the following measures immediately:

  • apply the May 2026 CSPU security update for Oracle EBS versions 12.2.3–12.2.15;
  • do not leave Oracle EBS management interfaces exposed directly to the Internet;
  • restrict external access to the /OA_HTML/ directory, especially by using VPN protection;
  • analyze web server logs for XML requests sent to the /OA_HTML/ibytransmit endpoint;
  • check network, proxy, and firewall logs for IP address 45.84.137.125 and the ibytransmit-lab-poc/1.0 User-Agent string;
  • if the security update was not installed in a timely manner, conduct a full compromise assessment of the system;
  • establish continuous monitoring of Oracle EBS servers using EDR, WAF, and SIEM systems.

Conclusion

The CVE-2026-46817 vulnerability has once again demonstrated how dangerous modern cyberattacks targeting corporate business systems have become. The most concerning aspect is that this vulnerability is already being exploited in real-world attacks, yet no public exploit code has been released. This indicates that attackers are using specially developed private tools.

Because Oracle E-Business Suite is one of the systems at the core of financial and business processes, its compromise can lead to confidential data leakage, financial losses, service disruptions, and destabilization of the entire corporate infrastructure.

Therefore, for all organizations using Oracle EBS, installing security updates without delay, restricting Internet-facing interfaces, and continuously monitoring the system are currently among the most critical security measures.