Full Report
Attackers appear to have reverse-engineered Big Red's patch
Analysis Summary
# Vulnerability: Oracle E-Business Suite Payments File Transmission Arbitrary File Read
## CVE Details
- **CVE ID:** CVE-2026-46817
- **CVSS Score:** 9.8 (Critical)
- **CWE:** Not specifically listed (Effectively an Arbitrary File Read / Path Traversal)
## Affected Systems
- **Products:** Oracle E-Business Suite (EBS), specifically the Oracle Payments File Transmission component.
- **Versions:** 12.2.3 through 12.2.15.
- **Configurations:** Systems exposed to the public internet (estimated ~950 instances globally, primarily in the US).
## Vulnerability Description
CVE-2026-46817 is a critical vulnerability within the Oracle Payments module of the E-Business Suite. The flaw resides in the File Transmission component and allows an unauthenticated attacker to bypass security controls to read arbitrary files from the host server. Technical analysis suggests attackers may have reverse-engineered the patch from Oracle’s May 2026 Critical Patch Update (CPU) to develop a working exploit.
## Exploitation
- **Status:** Exploited in the wild. Attacks were first observed on June 27, 2026, prior to the release of public PoC code.
- **Complexity:** Low (exploitable by unauthenticated users).
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** High (Unauthenticated access to sensitive system and application files).
- **Integrity:** None (Based on CVSS 9.8 definition for this specific flaw, though file data can lead to further compromise).
- **Availability:** None.
## Remediation
### Patches
- **Oracle May 2026 Critical Patch Update (CPU):** Users should upgrade to the latest patched versions provided in the May cycle or any subsequent cumulative updates.
- **Affected Version Path:** Ensure EBS is updated beyond version 12.2.15 or apply the specific security patches designated for the 12.2 release branch.
### Workarounds
- **Network Segmentation:** Remove Oracle E-Business Suite instances from the public-facing internet where possible.
- **Access Control:** Restrict access to the Oracle Payments File Transmission component to trusted internal IP ranges only.
## Detection
- **Indicators of Compromise:** Observe for unusual HTTP requests targeting the Oracle Payments File Transmission URIs, specifically requests originating from unexpected sources attempting to access sensitive system files (e.g., `/etc/passwd` or configuration files).
- **Detection Methods:** Monitor web server logs for a low volume of highly targeted requests (honeypot data suggests attackers may use "low and slow" tactics rather than mass scanning).
## References
- **Oracle Security Advisory:** hxxps[://]www[.]oracle[.]com/security-alerts/cspumay2026[.]html
- **Defused Research:** hxxps[://]defusedcyber[.]com/exploited/cve-2026-46817-oracle-e-business-suite
- **Shadowserver Monitoring:** hxxps[://]x[.]com/Shadowserver/status/2072267510439686276