Oracle E-Business Suite flaw was exploited before public proof-of-concept code appeared

Researchers say attackers began targeting a critical Oracle E-Business Suite vulnerability weeks after it was patched, and before any public exploit code had been released. The activity suggests the t...

Researchers say attackers began targeting a critical Oracle E-Business Suite vulnerability weeks after it was patched, and before any public exploit code had been released. The activity suggests the threat actor may have reverse-engineered Oracle’s fix or obtained a private exploit ahead of time.

Defused reported the first observed exploitation of CVE-2026-46817 on June 27. The flaw affects the Payments module, specifically the Oracle Payments File Transmission component, in E-Business Suite releases 12.2.3 through 12.2.15. Oracle addressed the issue in its May Critical Patch Update. The vulnerability has a CVSS score of 9.8 and can allow unauthenticated attackers to read arbitrary files from exposed servers.

Signs of targeted exploitation

According to the researchers, the activity did not resemble broad internet scanning often seen after disclosure of a severe bug. Their honeypots recorded only six attempts, all from a single source and all appearing to use a functioning exploit. The requests were aimed at retrieving sensitive files, which Defused said points to testing or validating a technique rather than large-scale opportunistic abuse.

The researchers noted that exploitation started before public proof-of-concept code became available, reinforcing the possibility that attackers either analyzed Oracle’s patch to uncover the flaw or acquired an exploit through other channels.

Broader exposure across Oracle customers

Shadowserver Foundation said it currently tracks about 950 Oracle E-Business Suite instances exposed to the public internet, most of them in the United States. The group cautioned, however, that exposure does not necessarily mean a system is vulnerable, since some may already be patched or protected by controls not visible from outside.

The incident adds to a run of attacks against enterprise business software. Earlier this month, researchers described exploitation of a PeopleSoft zero-day before patches were broadly deployed. Last year, Oracle E-Business Suite customers were also caught up in a longer campaign attributed to Clop, which targeted internet-facing servers before the activity was publicly disclosed.

Security researchers say these cases underline a familiar risk for enterprise software users: once vendors publish a patch, attackers may treat the update as a guide to the underlying weakness and move quickly against organizations that have not yet installed it.