Exploitation attempts targeting CVE-2026-46817 in Oracle Payments, the payment-processing module in Oracle E-Business Suite, were spotted over the weekend, according to a technical analysis from Defused. The company said its Oracle E-Business Suite decoys recorded the first in-the-wild exploitation of the flaw on 27 June, about six weeks after Oracle’s patch.
KEY FACTS
- Target Oracle Payments, part of Oracle E-Business Suite.
- Flaw CVE-2026-46817 is tied to improper privilege management, improper authentication and missing authentication for a critical function.
- Observed activity A single source ran an unauthenticated file-read attempt against the Payments component.
- Patch status Oracle fixed the issue in late May 2026.
- Recommended action Unpatched EBS instances should be restricted to internal networks and reviewed for signs of compromise.
The reported exploit targeted the ibytransmit endpoint in the File Transmission component and called an internal Oracle Java function to read a server file, such as /etc/passwd. The same technique could expose configuration files, database credentials, encryption keys or payment processor API keys.
Oracle considers the vulnerability easily exploitable and says remote attackers with network access via HTTP could use it to compromise Oracle Payments. Administrators running Oracle E-Business Suite versions 12.2.3 to 12.2.15 are advised to apply the May 2026 Critical Security Patch Update.
Security teams are also advised to review logs for suspicious POST requests to /OA_HTML/ibytransmit and to perform a full forensic review if they find signs of compromise. The disclosure said internet-facing EBS instances left unpatched after May 28 should be treated as potentially compromised.
The pattern adds to a series of recent Oracle EBS vulnerabilities that have been exploited by attackers. Organizations that still expose EBS to the internet may want to reassess whether those components need public access at all.
WHY IT MATTERS
The flaw affects a core payments module and can expose sensitive files on affected servers. For organizations that have not patched, the issue raises the risk of credential theft, data exposure and broader compromise.