Oracle E-Business Suite Under Active Attack: Breaking Down CVE-2026-46817

Attackers are actively exploiting CVE-2026-46817, a critical Oracle E-Business Suite flaw. Learn how the attack works and why enterprises must act fast.

Find Oracle EBS Exposure Before Attackers Do
  • June 30, 2026

A Critical Flaw Now Draws Real-World Attacks

Oracle E-Business Suite is back in the headlines, and not for good reasons. Attackers are actively exploiting a critical vulnerability tracked as CVE-2026-46817. The flaw carries a CVSS score of 9.8, placing it near the top of the severity scale.

What makes it so dangerous? An unauthenticated attacker can reach the system over plain HTTP and seize control of Oracle Payments. No login, no user interaction, and no special privileges are required.

Oracle actually patched this bug back in May 2026. Yet exploitation began over the weekend of June 27, roughly a month later. As so often happens, unpatched systems became the easy way in.

Why Oracle Payments Sits in the Crosshairs

To understand the risk, consider what Oracle E-Business Suite actually does. First released in 2001, it remains one of the world’s most widely used enterprise resource planning platforms.

The suite bundles core business functions into a single system, including:

  • Financials and accounting
  • Procurement and supply chain
  • Human capital management
  • Customer relationship management
  • Payments processing

Because it runs the financial backbone of large organizations, the stakes climb quickly. Moreover, most deployments sit on-premises, so patching falls squarely on the customer. An exposed, outdated instance therefore becomes a tempting prize.

The affected versions span Oracle E-Business Suite 12.2.3 through 12.2.15.

CVE-2026-46817 – Oracle E-Business Suite RCE in Oracle Payments
CVE-2026-46817 · ORACLE E-BUSINESS SUITE
Oracle E-Business Suite
RCE in Oracle Payments
A critical remote code execution vulnerability in Oracle E-Business Suite. By exploiting the File Transmission feature of Oracle Payments without authentication, attackers can perform a path traversal attack to access sensitive files and seize control of the payment system.
9.8
CRITICAL
CVSS 3.0 BASE SCORE
CRITICAL IMPACT
Inside the Exploit
The vulnerability is located in the File Transmission feature of Oracle Payments (historically known as iPayment). This component delivers payment files to external systems using HTTP POST requests and XML message headers. An unauthenticated attacker can reach the system over HTTP and execute a path-traversal attack to expose system details or gain unauthorized access.
Attack Mechanics
Endpoint Targeted: POST requests sent to /OA_HTML/ibytransmit over port 443
Crafted Payload: An XML DeliveryRequest utilizing a CODEX_PULL transmission scheme
Path Traversal: Setting the FULL_FILE_PATH parameter to /etc/passwd to read critical system files and escalate compromise
Why Oracle Payments Matters
Financial Backbone: Oracle E-Business Suite bundles core functions like Financials, Procurement, Supply Chain, and HR
On-Premises Risk: Most deployments sit on-premises, leaving patch management entirely to customer IT teams
Target Profile: Unpatched, internet-exposed ERP systems represent a high-value target with severe business impact
Digital Footprints
Source IP & AS: Malicious traffic originated from 45.84.137.125 (routed through AS136787)
User-Agent: Identified as ibytransmit-lab-poc/1.0, suggesting custom PoC tools
Skill Level: No public PoC exists; attacks suggest a highly skilled actor weaponizing the exploit privately
ACTIVE EXPLOITATION: Oracle patched this bug in May 2026. However, active exploitation began over the weekend of June 27, 2026. Affected versions span Oracle E-Business Suite 12.2.3 through 12.2.15. Because the flaw is unauthenticated, network-reachable, and requires zero user interaction, patching all exposed systems immediately is an urgent priority.
© 2026 XCITIUM INC. ALL RIGHTS RESERVED.

Inside the Attack: How the Exploit Works

The vulnerability lives in the File Transmission feature of Oracle Payments, historically known as iPayment. This component delivers payment files to external systems using HTTP POST requests and XML message headers.

Captured attack traffic reveals a clear pattern. The attacker sent POST requests to the /OA_HTML/ibytransmit endpoint over port 443.

Inside those requests sat a crafted XML DeliveryRequest payload. It used a CODEX_PULL transmission scheme and set the FULL_FILE_PATH parameter to /etc/passwd.

This is a textbook path-traversal probe. By pointing the file path at a sensitive system file, attackers try to read data they should never touch. Success would expose account details and open the door to deeper compromise.

Following the Digital Footprints

Defenders rarely get such a clean trail. This campaign, however, left several markers behind.

The malicious traffic originated from a single IP address, 45.84.137.125, routed through the autonomous system AS136787. Notably, the exploit tool announced itself through its User-Agent string, ibytransmit-lab-poc/1.0. That label hints at custom, privately built tooling rather than a public exploit.

The captured footprint included:

  • Endpoint: /OA_HTML/ibytransmit
  • Source IP: 45.84.137.125
  • User-Agent: ibytransmit-lab-poc/1.0
  • Scheme: CODEX_PULL
  • File target: /etc/passwd

No public proof-of-concept code exists for this flaw. As a result, the activity points toward an actor skilled enough to weaponize it alone.

Thousands of Exposed Systems Tell the Bigger Story

Scale turns a single bug into a global problem. Internet-scanning data tracks more than 450 exposed Oracle E-Business Suite instances worldwide, with nearly 200 across the United States and Europe.

Sensor networks recorded 456 exploitation-related hits in a single day. Those attempts spread across continents, with North America (193) and Asia (181) absorbing the heaviest share. Europe, South America, Africa, and Oceania followed in smaller numbers.

Clearly, this is not a localized threat. Instead, it touches organizations on nearly every continent.

Echoes of the Extortion Wave

This is not Oracle’s first storm. Late in 2025, a different flaw in the same product fueled a sweeping extortion campaign.

That earlier bug, CVE-2025-61882, also scored 9.8 and was exploited as a zero-day. The Cl0p extortion group weaponized it weeks before Oracle’s emergency patch arrived.

The fallout proved severe. Named victims included Harvard University, the University of Pennsylvania, the Washington Post, Logitech, and Cox Enterprises. The University of Phoenix alone notified nearly 3.5 million individuals after attackers stole sensitive data.

Ransom demands reportedly climbed as high as $50 million. While CVE-2026-46817 is a separate flaw, the parallel is hard to miss. Once again, Oracle E-Business Suite has become a favorite hunting ground for financially motivated attackers.

Conclusion: When ERP Becomes the Attack Surface

CVE-2026-46817 shows why enterprise application security cannot be treated as routine patch management. Oracle E-Business Suite sits close to payments, procurement, finance, supply chain, HR, and core business workflows. When attackers can reach Oracle Payments without authentication and attempt takeover through a network-accessible flaw, the risk moves directly into the financial backbone of the enterprise.

This is not a low-level application bug. It is a business control-plane risk.

Why This Threat Matters

Oracle patched this vulnerability in May 2026, yet exploitation began weeks later against systems that remained exposed. That timing is the real warning. Attackers do not need every organization to miss the patch. They only need the exposed ones.

  • Unauthenticated HTTP access lowers the barrier to exploitation
  • Oracle Payments handles high-value financial workflows
  • On-premises EBS deployments depend heavily on customer patch discipline
  • Exposed ERP systems create direct business impact
  • Path traversal attempts can expose sensitive system details
  • Private exploit tooling suggests skilled actors are already moving

Once attackers reach Oracle Payments, the compromise is no longer only technical. It becomes financial, operational, and executive risk.

Where Xcitium Changes the Outcome

This attack must be stopped before exposed Oracle EBS systems become reachable targets, and before post-exploit activity turns access into impact.

Xcitium Vulnerability Assessment is the primary control for this scenario. It helps organizations identify vulnerable Oracle EBS versions, exposed services, risky configurations, and patch gaps before attackers turn a known flaw into payment-system compromise.

If attackers use that access to run tools, scripts, payloads, commands, or lateral movement activity on managed systems, Xcitium Advanced EDR, powered by Xcitium’s patented Zero-Dwell platform, applies Execution Governance.

Unknown code does not receive unrestricted execution rights.
Code can run without being able to cause damage.
Runtime behavior is governed before trust exists.
Security teams gain proof of what unknown execution could not do.

This is the correct sequence of control.
Expose the risk.
Close the vulnerable path.
Govern execution before access becomes damage.

Patch the ERP Before It Becomes the Breach

CVE-2026-46817 proves that attackers are actively watching enterprise patch windows. A critical ERP flaw left exposed for weeks can become the opening move in financial system takeover, data theft, extortion, or broader compromise.

Patch Oracle E-Business Suite immediately.
Restrict exposed EBS endpoints.
Review suspicious /OA_HTML/ibytransmit activity.
Govern unknown execution before ERP compromise spreads.

Like what you see? Share with a friend.

Move Away From Detection With Patented Threat Prevention Built For Today's Challenges.

No one can stop zero-day malware from entering your network, but Xcitium can prevent if from causing any damage. Zero infection. Zero damage.

Book a Demo