Honeypot infrastructure has captured live exploit traffic targeting CVE-2026-46817, a CVSS 9.8 Critical authentication flaw in Oracle E-Business Suite’s Payments module — and attackers got there without any public proof-of-concept code to guide them.
CVE-2026-46817’s Unauthenticated Route Into Oracle Payments
CVE-2026-46817 is an improper privilege management and authentication vulnerability in the File Transmission component of Oracle Payments, a module embedded within Oracle E-Business Suite versions 12.2.3 through 12.2.15. An unauthenticated attacker with HTTP network access can send a crafted request to the /OA_HTML/ibytransmit endpoint and achieve full compromise of Oracle Payments. The flaw demands no credentials, no prior network foothold, and no existing account on the target system.
Oracle Payments processes financial transaction data for enterprise organizations across manufacturing, finance, government, and large enterprise sectors — industries that rely on Oracle EBS as their core ERP platform. The combination of zero authentication requirements, remote network reachability, and complete module-level compromise potential placed the vulnerability at CVSS 9.8 Critical.
Defused Cyber Honeypots Catch XML Payloads Reading /etc/passwd
Security firm Defused Cyber confirmed live attack traffic against the /OA_HTML/ibytransmit endpoint after its honeypot infrastructure captured exploit payloads in the wild. The observed payloads were not generic port scans or HTTP probes: attackers sent structured XML DeliveryRequest documents using CODEX_PULL transmission mode with the FULL_FILE_PATH parameter set to /etc/passwd. Requesting the system password file is a standard first step for verifying file-read capability on a newly compromised host.
Honeypot captures began over the weekend of June 27–28, and active exploitation was publicly confirmed the following day. The content of the observed payloads — targeting /etc/passwd rather than Oracle financial tables or transaction records — suggests that threat actors were in a reconnaissance and access-confirmation phase at the time of capture, probing their foothold before advancing to deeper data extraction.
Privately Developed Exploit Tooling Points to Patch Reverse-Engineering
No public proof-of-concept for CVE-2026-46817 has been released. Oracle shipped a patch in its Critical Security Patch Update last month, yet active exploitation was underway within days of patch availability and before any exploit code surfaced publicly. Security assessments of the captured attack traffic indicate that the threat actors involved either reverse-engineered Oracle’s patch to reconstruct the vulnerable code path or developed the exploit through independent vulnerability research.
That attackers moved before any public PoC existed shows that the gap between patch release and active exploitation is narrowing for enterprise ERP software. For sufficiently motivated attackers, the patch itself serves as a technical roadmap: comparing patched and unpatched binaries narrows the search space considerably and can yield a working exploit faster than enterprise organizations complete their patch approval processes.
Manufacturing, Finance, and Government Organizations Running Affected Versions
Oracle E-Business Suite serves as the ERP backbone for manufacturing, finance, and government organizations globally. Versions 12.2.3 through 12.2.15 span a large installed base, and enterprise deployments frequently operate patch cycles that lag Oracle’s Critical Security Patch Update schedule by weeks or months due to validation requirements, change management constraints, and maintenance window scheduling.
At the time of public disclosure, CISA had not yet issued a formal Known Exploited Vulnerabilities entry for CVE-2026-46817 or announced a mandatory federal remediation deadline. However, the confirmed honeypot captures and evidence of privately developed exploit tooling place the vulnerability in the actively exploited category regardless of any formal government action.
Oracle’s fix is available through its Critical Security Patch Update. Organizations running Oracle EBS 12.2.3 through 12.2.15 should apply the update immediately and audit network access to the Oracle Payments File Transmission endpoint. For any internet-facing Oracle EBS instance still running an affected version, the evidence of in-the-wild exploitation activity makes patching a matter of immediate operational priority rather than a scheduled maintenance item.
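One way to run the access audit recommended above is to sweep web-tier access logs for requests to /OA_HTML/ibytransmit from sources outside the networks that should reach it. The script below is an added example, not code from Oracle or Defused Cyber; the combined log format, the trusted network range, and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

ENDPOINT = "/oa_html/ibytransmit"  # endpoint named in the article, lower-cased
BODY_MARKERS = ("DeliveryRequest", "CODEX_PULL", "FULL_FILE_PATH")  # from the article
# Assumption: the only networks that should ever reach the endpoint.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})\b')

def is_endpoint(target):
    """True if a request target resolves to the File Transmission endpoint."""
    path = unquote(target.split("?", 1)[0]).split(";", 1)[0]
    # Collapse repeated slashes and ignore case: over-matching is fine for triage.
    return re.sub(r"/{2,}", "/", path).lower().rstrip("/") == ENDPOINT

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(addr in net for net in TRUSTED_NETS)

def audit(lines):
    """Map each untrusted source to its (timestamp, method, status) endpoint hits."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_endpoint(m["target"]) and not is_trusted(m["ip"]):
            hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

def body_markers(body):
    """Article-named strings present in a captured request body (e.g. a WAF log)."""
    return [mk for mk in BODY_MARKERS if mk in body]

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.45 - - [01/Jul/2026:03:14:07 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 512',
    '10.20.3.4 - - [01/Jul/2026:03:15:00 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 128',
    '198.51.100.7 - - [01/Jul/2026:04:01:22 +0000] "POST /OA_HTML/ibytransmit?x=1 HTTP/1.1" 500 0',
    '203.0.113.45 - - [01/Jul/2026:03:14:09 +0000] "GET /health HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for src, events in audit(SAMPLE).items():
        print(src, events)
```

Any source the audit returns warrants review of the corresponding request bodies where they are logged; body_markers reports which of the strings described in the honeypot captures appear in a given body.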
