Overview
- Security firm Defused reported over the weekend that its Oracle E‑Business honeypots recorded the first in‑the‑wild exploitation attempts against CVE‑2026‑46817, a critical flaw in the Payments File Transmission component.
- The vulnerability, rated CVSS 9.8, affects Oracle E‑Business Suite Payments versions 12.2.3 through 12.2.15 and was fixed in Oracle’s May 2026 Critical Security Patch Update.
- Defused observed a single‑source unauthenticated file‑read against the ibytransmit endpoint that returned /etc/passwd, demonstrating how attackers can retrieve configuration or credential files and escalate to full takeover.
- Security groups report hundreds of EBS instances remain reachable from the public internet and advise immediate patching, restricting EBS web interfaces from public access, reviewing logs for POST requests to /OA_HTML/ibytransmit, and treating unpatched internet‑facing hosts as potentially compromised.
- This activity continues a pattern of rapid exploitation of high‑severity Oracle enterprise flaws, including prior attacks that used EBS and PeopleSoft vulnerabilities to steal data or gain remote control, raising the risk for organizations slow to apply vendor patches.
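A log‑triage helper for the advice above, added here as an example (not Defused's, Oracle's or any other vendor's code): it assumes Apache/OHS combined log format, runs over constructed log lines, counts POST requests to /OA_HTML/ibytransmit per source IP, and checks whether an EBS Payments version falls in the affected 12.2.3 through 12.2.15 range.

```python
"""Flag POST requests to the Oracle EBS ibytransmit endpoint in access logs.

Added example, not code from Defused or Oracle. Assumes Apache/OHS combined
log format (adjust LOG_RE to your LogFormat); the sample lines are constructed.
"""
import re
from collections import Counter
from typing import Iterable, Optional

# Endpoint named in the advisory for the CVE-2026-46817 file-read attempts.
IBYTRANSMIT_PATH = "/OA_HTML/ibytransmit"

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: two POSTs to the endpoint from one source, plus noise.
SAMPLE_LOG = """\
203.0.113.7 - - [18/May/2026:02:14:09 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 2310
198.51.100.4 - - [18/May/2026:02:14:11 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120
203.0.113.7 - - [18/May/2026:02:14:15 +0000] "POST /OA_HTML/ibytransmit?x=1 HTTP/1.1" 200 1998
198.51.100.4 - - [18/May/2026:02:15:01 +0000] "POST /OA_HTML/OA.jsp HTTP/1.1" 302 0
malformed line that should be skipped
"""

def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_ibytransmit_post(rec: dict) -> bool:
    """True for a POST whose path (query string stripped) is the ibytransmit endpoint."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.lower() == IBYTRANSMIT_PATH.lower()

def find_hits(lines: Iterable[str]) -> list:
    """Parse each line and keep the records that match the endpoint POST pattern."""
    return [rec for rec in map(parse_line, lines) if rec and is_ibytransmit_post(rec)]

def summarize(hits: list) -> dict:
    """Count matching requests per source IP so the noisiest sources surface first."""
    return dict(Counter(h["ip"] for h in hits))

def affected_version(version: str) -> bool:
    """True if an EBS Payments version string is within 12.2.3 through 12.2.15."""
    parts = tuple(int(p) for p in version.split("."))
    return (12, 2, 3) <= parts <= (12, 2, 15)

if __name__ == "__main__":
    for ip, n in summarize(find_hits(SAMPLE_LOG.splitlines())).items():
        print(f"{ip}: {n} POST(s) to {IBYTRANSMIT_PATH}; review request bodies and response sizes")
```

Any hit on an unpatched internet‑facing host warrants the compromise assessment the advisory recommends, not just a patch.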