Oracle E-Business Suite Payments flaw under attack (CVE-2026-46817)
Exploitation attempts targeting a critical vulnerability (CVE-2026-46817) in Oracle Payments, the payment-processing module within Oracle’s E-Business Suite (EBS), were spotted over the weekend, threat intelligence company Defused warned on Monday.
The detected exploitation attempts (Source: Defused)
“On 27 June 2026 our Oracle E-Business Suite decoys recorded the first in-the-wild exploitation of CVE-2026-46817 — roughly six weeks after Oracle’s May 2026 patch and before any public proof-of-concept existed,” the company said.
“The activity was a single source running an unauthenticated file-read against the Payments component: a targeted proof-of-concept, not broad scanning.”
The exploit targets the ibytransmit endpoint in Oracle Payments’ File Transmission component, and calls an internal Oracle Java function directly, redirecting it to read a file (/etc/passwd) from the server.
But the same technique could be used to reach more sensitive files, such as configuration files containing database credentials, encryption keys, or payment processor API keys.
Advice for organizations
Oracle Payments is the payment-processing engine built into Oracle’s E-Business Suite, centralizing how the company’s finance applications send and receive payments through banks and card networks.
CVE-2026-46817 affects the File Transmission component of Oracle Payments, and is caused by improper privilege management, improper authentication, and missing authentication for a critical function.
Oracle considers it to be an easily exploitable vulnerability. It can be exploited remotely, by unauthenticated attackers with network access via HTTP, to compromise and take over Oracle Payments.
The vulnerability was patched by Oracle in late May 2026.
Administrators running Oracle E-Business Suite versions 12.2.3 to 12.2.15 should apply Oracle’s May 2026 Critical Security Patch Update immediately. Until patched, EBS web interfaces should be restricted to internal networks and not exposed to the public internet.
Security teams should treat any internet-facing EBS instance left unpatched past May 28 as potentially compromised, and should review logs for suspicious POST requests to /OA_HTML/ibytransmit. If evidence of compromise is discovered, they should perform a full forensic review and rotate all credentials and keys stored on that host.
Also, given the pattern of repeated critical EBS vulnerabilities exploited by attackers in the last year, security teams should review whether their EBS installation needs any internet-facing components at all.
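The log review recommended above can be scripted. The following is an added example, not code from Defused or Oracle: it assumes the web tier writes Apache common/combined format access logs and that the listed private ranges are your internal networks, and the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

TARGET = "/oa_html/ibytransmit"  # endpoint named in the article, lower-cased
# Assumption: these ranges are "internal"; substitute your own address plan.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumption: Apache common/combined access log format.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) ')

def normalise(uri):
    """Drop the query string, decode %-escapes, collapse slashes, lower-case."""
    path = unquote(uri.split("?", 1)[0])
    return re.sub(r"/+", "/", path).lower()

def is_external(ip):
    try:
        return not any(ipaddress.ip_address(ip) in net for net in INTERNAL)
    except ValueError:  # hostname instead of an address in the client field
        return True

def find_hits(lines):
    """Return one record per POST whose normalised path reaches the endpoint."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and TARGET in normalise(m["uri"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "external": is_external(m["ip"])})
    return hits

def summarise(hits):
    """Group per source; external sources with 2xx responses sort first."""
    by_ip = {}
    for h in hits:
        s = by_ip.setdefault(h["ip"], {"count": 0, "ok": 0, "external": h["external"]})
        s["count"] += 1
        s["ok"] += 200 <= h["status"] < 300
    return sorted(by_ip.items(), key=lambda kv: (not kv[1]["external"], -kv[1]["ok"]))

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [27/Jun/2026:03:14:07 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 1843',
    '203.0.113.7 - - [27/Jun/2026:03:14:09 +0000] "POST /OA_HTML//ibytransmit?x=1 HTTP/1.1" 500 211',
    '10.20.1.15 - - [27/Jun/2026:09:02:41 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 512',
    '198.51.100.9 - - [27/Jun/2026:09:05:00 +0000] "GET /OA_HTML/other_page HTTP/1.1" 200 90',
]
```

Run it as `summarise(find_hits(open(path)))` over each access log; external sources that received 2xx responses are the ones to prioritise for forensic review.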

