ZeroPath at Black Hat USA 2026

Oracle E-Business Suite CVE-2026-46817: Brief Summary of a Critical Unauthenticated Payments Takeover

A brief summary of CVE-2026-46817, a CVSS 9.8 unauthenticated vulnerability in Oracle E-Business Suite's Payments File Transmission component affecting versions 12.2.3 through 12.2.15, with context on threat actor interest and the companion vulnerability CVE-2026-46818.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-28

Oracle E-Business Suite CVE-2026-46817: Brief Summary of a Critical Unauthenticated Payments Takeover
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An unauthenticated attacker can take over Oracle Payments by sending crafted HTTP requests to the File Transmission component, earning CVE-2026-46817 a CVSS 3.1 base score of 9.8 with High impacts across Confidentiality, Integrity, and Availability. This vulnerability affects Oracle E-Business Suite versions 12.2.3 through 12.2.15, covering 13 supported releases and spanning over a decade of deployments, and it arrives less than a year after the Cl0p/FIN11 threat group mass exploited a nearly identical Oracle EBS flaw (CVE-2025-61882) to breach over 100 organizations.

Technical Information

Vulnerability Overview

CVE-2026-46817 is located in the File Transmission component of the Oracle Payments product within Oracle E-Business Suite. The vulnerability was published to the NVD on May 28, 2026, with the source identifier [email protected]. No CWE ID has been assigned as of the publication date, which limits automated vulnerability classification and may indicate a novel or compound weakness type.

The File Transmission component is responsible for transferring payment related files (payment files, bank transmission files, and payment instructions) between Oracle Payments and external systems such as banks and payment processors. This makes it an inherently sensitive interface that is often exposed to network traffic for business partner connectivity.

CVSS 3.1 Vector Breakdown

The full CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 9.8. Each component carries specific tactical implications:

Vector ComponentValueImplication
Attack Vector (AV)NetworkExploitable remotely over the internet; no physical or local access needed
Attack Complexity (AC)LowMinimal technical skill required; no special conditions must exist
Privileges Required (PR)NoneNo authentication or credentials of any kind are needed
User Interaction (UI)NoneNo phishing or social engineering required
Scope (S)UnchangedImpact is confined to the Oracle Payments component
Confidentiality (C)HighComplete information disclosure; payment data fully exposed
Integrity (I)HighComplete data modification; financial records can be altered
Availability (A)HighComplete denial of access to the Oracle Payments service

The combination of AV:N, AC:L, PR:N, and UI:N places this vulnerability in the most dangerous category: exploitable by any remote, unauthenticated attacker with minimal effort and no reliance on user behavior.

Attack Vector and Exploitation Method

The vulnerability is exploitable via the HTTP protocol. An attacker with network access can send crafted HTTP requests to the Oracle Payments File Transmission component without providing any credentials. Because the attack requires no authentication, no user interaction, and only low complexity exploitation, the barrier to entry is minimal.

Once a proof of concept is developed, it could be weaponized for mass scanning and automated exploitation across exposed Oracle EBS instances. This is consistent with the pattern observed during the CVE-2025-61882 exploitation campaign, where Rapid7 characterized the flaw as an arbitrary file upload vulnerability enabling unauthenticated remote code execution via HTTP.

Companion Vulnerability: CVE-2026-46818

The same File Transmission component has a second vulnerability, CVE-2026-46818, which is exploitable over HTTPS rather than HTTP. CVE-2026-46818 has a CVSS 3.1 score of 7.4 with High Attack Complexity, meaning exploitation is more difficult but remains unauthenticated. Its impacts are High for Confidentiality and Integrity but None for Availability.

This is an important detail for defenders: an organization that blocks HTTP at the perimeter but leaves HTTPS exposed might mitigate CVE-2026-46817 while remaining vulnerable to CVE-2026-46818. Both vulnerabilities must be addressed simultaneously to fully secure the File Transmission component.

Information Gaps

Several technical details remain unavailable as of the NVD publication date. No CWE classification has been assigned, no specific vulnerability type (e.g., SQL injection, arbitrary file upload, path traversal, deserialization) has been publicly disclosed, and no proof of concept code or detailed exploit chain has been published. The absence of a CWE ID prevents automated vulnerability correlation by security tools and frameworks, meaning manual review of the Oracle advisory and patch analysis is required to understand the root cause.

Threat Context and Exploitation Precedent

While no exploitation of CVE-2026-46817 has been confirmed as of its publication date, the vulnerability's profile warrants serious concern based on historical precedent.

CVE-2025-61882, a prior Oracle EBS zero-day with an identical CVSS 9.8 score and the same unauthenticated HTTP attack profile, was actively exploited by the Cl0p/FIN11 threat group. CrowdStrike identified a mass exploitation campaign, and Cl0p listed over 100 targeted organizations on its extortion site. Notable victims included Michelin (over 315GB of data leaked), Madison Square Garden (210GB leaked), and Korean Air. Rapid7 confirmed the attack involved an arbitrary file upload vulnerability enabling unauthenticated remote code execution via HTTP.

Earlier, CVE-2022-21587 (also CVSS 9.8) was exploited in the wild for botnet enrollment. QuorumCyber documented that exploitation involved uploading a Perl script via an arbitrary file upload vulnerability, which then used tools like curl or wget to download additional malicious components. This technique aligns with MITRE ATT&CK technique T1105 (Ingress Tool Transfer) for downloading tools and T1210 (Exploitation of Remote Services) for initial access.

The FIN11/Cl0p operational pattern involves discovering or acquiring zero-day vulnerabilities in enterprise software, mass scanning for exposed unpatched instances, exploiting vulnerabilities to exfiltrate data at scale, listing victim organizations on the Cl0p extortion site, and demanding ransom payments under threat of data publication. Their willingness to invest in Oracle EBS zero-days before disclosure indicates pre-positioned capability and strategic interest in this product family.

As of May 27, 2026, CISA's most recent KEV additions addressed three Cisco vulnerabilities (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133), unrelated to Oracle EBS. Organizations should monitor the KEV Catalog for updates on CVE-2026-46817 exploitation status.

Affected Systems and Versions

The following Oracle E-Business Suite versions are affected:

  • Oracle Payments within Oracle E-Business Suite versions 12.2.3 through 12.2.15 (13 supported versions)

This spans virtually the entire supported lifecycle of the 12.2.x release train, indicating the vulnerability has been present in the File Transmission component for an extended period. Any organization running Oracle EBS 12.2.x that has not applied the May 2026 CSPU should assume it is exposed.

Oracle EBS customers range from small businesses (5.9% of the install base with 0 to 100 employees) to mid-sized firms (27.52% with 101 to 1,000 employees) and large enterprises. Many deployments are internet-facing for business partner and bank connectivity, which directly expands the attack surface for this HTTP-based vulnerability.

Vendor Security History

Oracle E-Business Suite has experienced a pattern of critical vulnerabilities with active exploitation in recent years:

CVECVSSYearExploitation StatusThreat Actor
CVE-2022-215879.82022Exploited in the wildUnattributed (botnet enrollment)
CVE-2025-618829.82025Actively exploited (zero-day)Cl0p / FIN11
CVE-2025-61884Related2025Patched alongside CVE-2025-61882Same campaign
CVE-2026-468179.82026Not yet confirmedUnder investigation

The recurrence of CVSS 9.8 unauthenticated HTTP exploitation vulnerabilities in Oracle EBS suggests systemic weaknesses in the product's externally facing components, particularly around file handling and transmission interfaces.

Oracle maintains a quarterly Critical Patch Update (CPU) cycle, supplemented by out-of-band Critical Security Patch Updates (CSPUs) for urgent vulnerabilities. The May 2026 CSPU contains 35 new security patches across multiple product families, with 12 patches targeting Oracle E-Business Suite alone. This concentration of patches in a single product family indicates significant vulnerability discovery activity.

Oracle explicitly warns in its advisory that attackers have been successful exploiting previously patched vulnerabilities when customers failed to apply available patches. The tension between Oracle's prompt patching cadence and the product's recurring vulnerability pattern means that customer patching discipline, rather than vendor response time, is the primary risk determinant.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization