
Inside the Active Exploitation of Oracle EBS Payment Gateways

Attackers are using private exploits against a critical Oracle Payments vulnerability to hijack exposed enterprise systems.

Emeka Okafor
Security Editor · Jul 1, 2026 · 4 min read

If your organization runs Oracle E-Business Suite (EBS) and exposes it to the public internet, you are currently playing a high-stakes game of security roulette. A critical, unauthenticated vulnerability in the Oracle Payments module is undergoing active exploitation in the wild.

Tracked as CVE-2026-46817, the flaw carries a CVSS score of 9.8. It allows remote, unauthenticated attackers to fully compromise vulnerable systems via low-complexity HTTP requests. While Oracle patched the vulnerability in its May 2026 Critical Security Patch Update (CSPU), threat intelligence data reveals that attackers have successfully weaponized the flaw using private exploit tooling.

With nearly 950 Oracle EBS instances currently visible to internet scanners, the window for patching is rapidly closing.

Anatomy of the Exploit

The vulnerability lies within the File Transmission component of Oracle Payments, a core module of the EBS ecosystem. Specifically, the flaw resides in the handling of incoming transmission requests.

According to telemetry from security firm Defused and the Shadowserver Foundation, threat actors began targeting honeypots over the weekend of June 27, 2026. The attacks consist of crafted HTTP POST requests directed at the /OA_HTML/ibytransmit endpoint, typically over port 443.

The exploit payload utilizes Oracle's proprietary iPayment transmission protocol. Attackers send structured XML payloads wrapped in a <DeliveryRequest> body, specifically abusing the CODEX_PULL transmission scheme. The observed payloads attempt a local file read (LFR) or path traversal attack, targeting sensitive system files such as /etc/passwd to verify access.

<!-- Example of the targeted endpoint structure -->
POST /OA_HTML/ibytransmit HTTP/1.1
Host: target-ebs-instance.com
User-Agent: ibytransmit-lab-poc/1.0
Content-Type: text/xml

<DeliveryRequest>
  <!-- Exploitation payload targeting CODEX_PULL and path traversal -->
</DeliveryRequest>

What makes this campaign particularly concerning is the absence of public proof-of-concept (PoC) code. The structured XML payloads and the specific user-agent string (ibytransmit-lab-poc/1.0), originating from French hosting provider PacketHub S.A. (IP 45.84.137.125), indicate that threat actors are using privately developed, purpose-built exploit tooling. The sustained volume of scanning, exceeding 400 daily events across North America, Asia, and Europe, points to a coordinated effort to locate and compromise unpatched systems before defenders can react.

The ERP Target on Every Ransomware Radar

Enterprise Resource Planning (ERP) platforms like Oracle EBS and PeopleSoft are the ultimate targets for modern extortion groups. They house the financial ledgers, payment pipelines, HR records, and intellectual property of global enterprises.

This is not an isolated incident. The exploitation of CVE-2026-46817 follows a well-established pattern of threat actors systematically probing enterprise ERP suites:

  • The Clop Campaign (CVE-2025-61882): Starting in August 2025, the Clop ransomware gang exploited a zero-day in the EBS Concurrent Processing and BI Publisher components. The group successfully breached over 100 environments, including targets like Logitech, the Washington Post, and several major U.S. universities.
  • The PeopleSoft Zero-Day (CVE-2026-35273): Between May and June 2026, the ShinyHunters extortion group exploited an unauthenticated remote code execution (RCE) vulnerability in PeopleSoft's PeopleTools. The campaign resulted in data breaches at Nissan, Nottingham University, and the National Association of Insurance Commissioners (NAIC).
  • CISA KEV Additions: CISA has added 44 Oracle-specific vulnerabilities to its Known Exploited Vulnerabilities catalog since late 2021, with over a dozen actively utilized by ransomware syndicates.

When these systems are compromised, the impact is rarely limited to a single server. Attackers use the initial foothold in the ERP environment to pivot to Active Directory domain controllers, database backups, and internal payment networks.

Developer and Operator Action Plan

If your infrastructure touches Oracle EBS, you must assume you are actively being scanned. The vulnerability affects EBS versions 12.2.3 through 12.2.15.

1. Apply the May 2026 CSPU

The most effective defense is to apply the patch released by Oracle on May 28, 2026. This patch updates the underlying File Transmission libraries to properly sanitize incoming XML payloads and restrict unauthorized file access.

2. Restrict Network Exposure

There is rarely a legitimate business reason for an Oracle EBS payment gateway endpoint to be directly exposed to the public internet.

  • Place all EBS instances behind a VPN or an identity-aware proxy.
  • Implement strict IP whitelisting at the firewall or Web Application Firewall (WAF) level to ensure only trusted partner networks can reach /OA_HTML/ibytransmit.

3. Implement WAF and IDS Rules

If immediate patching is not possible due to enterprise change-control cycles, configure your perimeter defenses to inspect and block malicious traffic.

  • URI Filtering: Block or heavily restrict access to /OA_HTML/ibytransmit from untrusted external IPs.
  • Payload Inspection: Write WAF rules to inspect POST requests to the iPayment endpoint. Look for anomalous XML structures, references to CODEX_PULL, and directory traversal sequences (such as ../ or absolute system paths).
  • Signature Matching: Monitor network logs for the user-agent ibytransmit-lab-poc/1.0 and block traffic originating from IP 45.84.137.125. Note that sophisticated actors will quickly rotate user-agents and IP addresses, so this should only be treated as a temporary indicator of compromise.
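The three detection ideas above (URI filtering, payload inspection, signature matching) can be combined into a single log-triage routine. The script below is an added example, not code from the article or its sources; the access-log format with a trailing body field, the trusted partner network 10.20.0.0/24 and all log lines are constructed assumptions, and the bracketed body text stands in for real XML.

```python
"""Added example (not from the article or its sources): triage of access-log
lines for the CVE-2026-46817 scanning pattern. Log format, trusted network and
all log lines are constructed assumptions."""
import ipaddress
import re

ENDPOINT = "/OA_HTML/ibytransmit"
KNOWN_UA = "ibytransmit-lab-poc/1.0"                   # indicator from the article
KNOWN_IP = "45.84.137.125"                             # indicator from the article
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed partner range

# Combined log format plus one trailing quoted field holding the POST body
# (assumption: the reverse proxy or WAF in front of EBS logs request bodies).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"(?: "(?P<body>.*)")?$')
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\|%2e%2e|/etc/passwd', re.I)

def analyze(line: str) -> list[str]:
    """Return the reasons a log line is suspicious (empty list: nothing seen)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, path, ua, body = m["ip"], m["path"].split("?")[0], m["ua"], m["body"] or ""
    reasons = []
    # Payload signals survive the IP/UA rotation the article warns about;
    # the UA and IP seen in the first wave are only short-lived signals.
    if "CODEX_PULL" in body:
        reasons.append("CODEX_PULL scheme in body")
    if TRAVERSAL_RE.search(body) or TRAVERSAL_RE.search(path):
        reasons.append("path traversal sequence")
    if ua == KNOWN_UA:
        reasons.append("known scanner user-agent")
    if ip == KNOWN_IP:
        reasons.append("known scanner IP")
    # Exposure signal: any POST to the endpoint from outside the allow-list.
    if path == ENDPOINT and m["method"] == "POST":
        if not any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS):
            reasons.append("ibytransmit POST from untrusted IP")
    return reasons

def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    # (source IP, reasons) for every line that raised at least one reason
    return [(l.split(" ", 1)[0], r) for l in lines if (r := analyze(l))]

SAMPLE_LOG = [  # constructed lines, not real telemetry
    '45.84.137.125 - - [28/Jun/2026:03:14:07 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 512 "-" '
    '"ibytransmit-lab-poc/1.0" "<DeliveryRequest>[constructed: CODEX_PULL ../../../etc/passwd]</DeliveryRequest>"',
    '10.20.0.7 - - [28/Jun/2026:03:15:11 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 88 "-" '
    '"PartnerBankClient/2.3" "<DeliveryRequest>[constructed benign body]</DeliveryRequest>"',
    '203.0.113.9 - - [29/Jun/2026:11:02:45 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 500 0 "-" '
    '"Mozilla/5.0" "<DeliveryRequest>[constructed: CODEX_PULL %2e%2e%2fetc]</DeliveryRequest>"',
    '198.51.100.4 - - [29/Jun/2026:11:03:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
```

The third sample line is the case the signature-matching caveat describes: a rotated IP and user-agent still trip the payload rules, while the trusted partner's request to the same endpoint raises nothing.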

The Reality of Legacy Enterprise Stacks

Securing legacy enterprise software is notoriously difficult. Oracle EBS environments are often heavily customized, meaning that applying a critical security patch requires extensive regression testing to ensure core business workflows do not break. Threat actors understand this operational friction and exploit the gap between patch release and deployment.

However, when the vulnerability allows unauthenticated system takeover with zero user interaction, the risk of patch-induced downtime is vastly outweighed by the risk of a catastrophic ransomware deployment. If you cannot patch your EBS instance today, you must isolate it from the internet immediately.

Sources & further reading

  1. Over 900 Oracle E-Business instances exposed to ongoing attacks — bleepingcomputer.com
  2. Critical Oracle E-Business Suite Bug Lets Attackers Hijack Enterprise Systems — cyberpress.org
  3. Critical Oracle E-Business Suite Flaw Exploited for Unauthenticated Takeover | Mallory — mallory.ai
Written by Emeka Okafor · Security Editor

Emeka has spent over a decade tracking threat actors, vulnerability disclosures, and the evolving landscape of application security, bringing a sharp continent-spanning perspective to his reporting. He's known for translating dense CVE advisories into clear, actionable context that developers and security teams alike actually read.
