Particle.news

Attackers Exploit Critical Oracle E‑Business Payments Flaw

Defused's honeypots recorded live exploitation attempts showing that unauthenticated HTTP requests can let attackers read server files or take over Payments instances.

Overview

  • Security firm Defused reported over the weekend that its Oracle E‑Business honeypots recorded the first in‑the‑wild exploitation attempts against CVE‑2026‑46817, a critical flaw in the Payments File Transmission component.
  • The vulnerability, rated CVSS 9.8, affects Oracle E‑Business Suite Payments versions 12.2.3 through 12.2.15 and was fixed in Oracle’s May 2026 Critical Security Patch Update.
  • Defused observed an unauthenticated file read from a single source against the ibytransmit endpoint that returned /etc/passwd; the same primitive can retrieve configuration or credential files and be used to escalate to full takeover.
  • Security groups report hundreds of EBS instances remain reachable from the public internet and advise immediate patching, restricting EBS web interfaces from public access, reviewing logs for POST requests to /OA_HTML/ibytransmit, and treating unpatched internet‑facing hosts as potentially compromised.
  • This activity continues a pattern of rapid exploitation of high‑severity Oracle enterprise flaws, including prior attacks that used EBS and PeopleSoft vulnerabilities to steal data or gain remote control, raising the risk for organizations that are slow to apply vendor patches.
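The log review the advisories recommend (POST requests to /OA_HTML/ibytransmit) can be scripted. The following is an added example written for this page, not code from Defused or Oracle. It assumes the Oracle HTTP Server in front of EBS writes Apache "combined" format access logs (an assumption; adjust LOG_RE for other formats), and the log lines it scans are constructed sample data, not a real capture. It matches the endpoint case-insensitively, ignores query strings and trailing slashes so trivial path variants are still caught, and groups hits by source address so a single-source burst like the one Defused described stands out.

```python
import re
from collections import Counter, defaultdict

# Endpoint named in the advisory guidance (compared case-insensitively, without query string).
IBYTRANSMIT_PATH = "/oa_html/ibytransmit"

# Assumption: Apache "combined" log format. Fields: client IP, ident, user, timestamp,
# request line, status, response size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log (RFC 5737 documentation addresses, invented timestamps).
# Includes two POSTs from one source, a GET probe that should NOT be flagged under the
# POST-only guidance, a mixed-case path variant, and an unparseable line.
SAMPLE_LOG = """\
203.0.113.7 - - [03/May/2026:02:14:11 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 1894 "-" "python-requests/2.31"
203.0.113.7 - - [03/May/2026:02:14:13 +0000] "POST /OA_HTML/ibytransmit?x=1 HTTP/1.1" 200 2021 "-" "python-requests/2.31"
198.51.100.20 - - [03/May/2026:02:15:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [03/May/2026:02:15:40 +0000] "GET /OA_HTML/ibytransmit HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.33 - - [03/May/2026:02:16:00 +0000] "POST /OA_HTML/IByTransmit/ HTTP/1.1" 500 0 "-" "curl/8.5.0"
garbage line that does not parse
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def normalize_path(path):
    """Drop the query string and trailing slash, lower-case the rest."""
    return path.split("?", 1)[0].rstrip("/").lower()


def is_ibytransmit_post(rec):
    """True for a POST whose path is the ibytransmit endpoint (any case, any query)."""
    return rec["method"] == "POST" and normalize_path(rec["path"]) == IBYTRANSMIT_PATH


def find_suspicious(lines):
    """Return the parsed records for every POST to the ibytransmit endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_ibytransmit_post(rec):
            hits.append(rec)
    return hits


def summarize(hits):
    """Group hits by source IP: request count, status code histogram, first/last seen."""
    by_ip = defaultdict(lambda: {"count": 0, "statuses": Counter(), "first": None, "last": None})
    for h in hits:
        s = by_ip[h["ip"]]
        s["count"] += 1
        s["statuses"][h["status"]] += 1
        s["first"] = s["first"] or h["ts"]
        s["last"] = h["ts"]
    return dict(by_ip)


def scan_log(text):
    """Scan a whole log (as one string) and return the per-source summary."""
    return summarize(find_suspicious(text.splitlines()))


if __name__ == "__main__":
    for ip, s in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {s['count']} POST(s) to ibytransmit, statuses={dict(s['statuses'])}, "
              f"first={s['first']}, last={s['last']}")
```

Run it against a real access log with `scan_log(open(path).read())`. Every hit deserves a look rather than an automatic verdict: the Payments File Transmission component may have legitimate POST traffic to this endpoint, so what matters is the source (an address outside the expected integration partners), the timing (a burst from one address, as in the honeypot observation), and HTTP 200 responses with non-trivial sizes, which are consistent with a successful file read. The GET probe in the sample is deliberately left unflagged to match the advisories' POST-only guidance; widen `is_ibytransmit_post` if you also want reconnaissance requests surfaced.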