Background
Oracle E-Business Suite (EBS) is Oracle’s flagship on-premises enterprise resource planning suite, in production at thousands of large organizations across finance, healthcare, government, and manufacturing. Oracle Payments is an EBS module that manages payment processing, financial file transmission, and funds disbursement. EBS deployments typically sit at the financial center of their organizations, with direct access to bank interfaces, payment processors, and accounts payable functions.
CVE-2026-46817 is a critical unauthenticated vulnerability in the Oracle Payments File Transmission component of Oracle EBS 12.2. An unauthenticated attacker with network access to the HTTP listener can achieve complete compromise of the Oracle Payments component. The CVSS 3.1 base score is 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). CISA added this vulnerability to the Known Exploited Vulnerabilities catalog with a July 18, 2026 remediation deadline — one of the shortest remediation windows assigned to an EBS vulnerability, reflecting the severity and observed exploitation activity.
Technical Mechanism
The vulnerability involves a combination of authentication bypass (CWE-306: Missing Authentication for Critical Function) and improper privilege management (CWE-269: Improper Privilege Management), with the authentication weakness described under CWE-287 (Improper Authentication).
Oracle EBS’s web application tier exposes servlet-based endpoints for internal and inter-component communication. The Oracle Payments File Transmission component handles the upload, validation, and routing of payment instruction files — formats including ISO 20022 XML, NACHA ACH files, SWIFT MT messages, and proprietary bank file formats. These functions require privileged access in normal operation, but the vulnerability allows requests to reach and execute within this component without supplying valid credentials.
The exploitation pattern:
-
Authentication bypass: The attacker sends a crafted HTTP request to the EBS web application tier targeting the Payments File Transmission endpoint. The request bypasses authentication controls, likely through a path traversal to a servlet that performs insufficient authentication checking, or by exploiting a servlet filter that fails to enforce authentication for certain request patterns.
-
Function execution without privilege check: Once past authentication, the attacker can invoke server-side functions within the Payments component. Due to CWE-269, these functions run with the privileges of the Oracle EBS application service account rather than enforcing per-user privilege constraints.
-
Arbitrary code execution: The combination of unauthenticated access to privileged EBS functions enables the attacker to execute database queries, write files to the application server, or invoke OS-level commands through Oracle EBS’s built-in integration with the underlying database and OS.
Public proof-of-concept exploit code has been published on GitHub demonstrating unauthenticated takeover of the Oracle Payments component. The short gap between CISA KEV listing and the July 18 deadline reflects that exploitation tooling is in active circulation.
Real-World Exploitation Evidence
CISA’s Known Exploited Vulnerabilities listing confirms active exploitation in the wild. The July 18 deadline — set at the time of KEV listing — is among the shortest remediation windows for enterprise ERP vulnerabilities, indicating that exploitation is neither isolated nor theoretical.
Public exploit repositories on GitHub have demonstrated exploitation sequences targeting Oracle EBS 12.2 instances. The attack requires only network access to the EBS HTTP listener (typically TCP port 8000 or 443 for SSL-terminated deployments) and no credentials.
Oracle EBS is particularly attractive to financially motivated threat actors: it directly interfaces with payment systems, bank file transmission endpoints, and accounts payable. Successful exploitation provides a path to fraudulent payment instruction injection — modifying or creating outbound payment files before they are transmitted to banking infrastructure.
Impact Assessment
- Complete compromise of Oracle Payments File Transmission without authentication
- Potential modification or injection of payment instruction files (ACH, SWIFT, SEPA, proprietary bank formats)
- Arbitrary code execution in the context of the Oracle EBS application service account
- Access to EBS application database, including financial records, credentials, and configuration
- Lateral movement potential to connected database servers and network-accessible Oracle services
- In environments with live bank file transmission: potential for fraudulent payment file injection into banking channels
Affected Versions
| Product | Affected Versions | Fixed In | Patch |
|---|---|---|---|
| Oracle E-Business Suite 12.2 | 12.2.3 through 12.2.15 | Oracle Critical Patch Update July 2026 | Oracle CPU July 2026 |
| Oracle E-Business Suite 12.1 | Versions prior to 12.1.3 end-of-life | No patch (EOL) | Upgrade required |
| Oracle E-Business Suite 11i | End of Extended Support | No patch (EOL) | Upgrade required |
Oracle EBS 12.2.3 through 12.2.15 are confirmed affected. Oracle has not publicly confirmed whether 12.2.0 through 12.2.2 are affected; organizations on those releases should apply the CPU and consult My Oracle Support.
Remediation Steps
- Apply the Oracle Critical Patch Update (CPU) for July 2026 immediately. The patch is available through Oracle’s My Oracle Support portal. Oracle CPU patches for EBS are applied via AutoPatch (adpatch) or AD Online Patching (adop) for Online Patching-capable deployments:
# Apply Oracle CPU patch using AD Online Patching
adop phase=apply patches=<patch_number> apply_mode=hotpatch
-
Prioritize EBS instances with network-accessible HTTP listeners. If patching is not immediately achievable, restrict network access to the EBS application tier HTTP listener to known IP ranges using firewall rules or network access control lists. The Payments File Transmission endpoint should be accessible only from authorized AP and treasury systems.
-
Disable Oracle Payments File Transmission if not in active use. For EBS instances where the Payments File Transmission module is not operationally required, disable the component:
-- Check Payments File Transmission profile option status
SELECT profile_option_name, profile_option_value
FROM fnd_profile_option_values
WHERE profile_option_name LIKE '%IBY%FILE%';
-
Audit payment file transmission logs for unexpected activity since early July 2026. Review Oracle Payments transmission history for payment files created or transmitted outside of normal business hours or by unexpected initiators.
-
Review and rotate Oracle EBS application service account credentials if exploitation is suspected.
-
Check Oracle HTTP Server and Apache access logs for POST requests to Payments File Transmission servlet paths from unexpected source IPs.
Detection Guidance
Oracle EBS Access Log Analysis
Review Oracle HTTP Server access logs ($INST_TOP/logs/ora/10.1.3/Apache/access_log) for requests to Payments File Transmission servlet paths from unexpected source addresses:
grep -i "IBY\|Payments\|FileTransmission" $INST_TOP/logs/ora/10.1.3/Apache/access_log \
| grep -v "127.0.0.1\|<known_AP_server_IPs>" \
| grep " 200 "
Suspicious Indicators
- POST requests to Oracle Payments servlet paths (containing
IBY,iby, orPaymentFileTransmissionin the URI) originating from IP addresses outside expected application server ranges - Unusual database activity from the APPS schema during off-hours, particularly against
IBY_*tables - New payment files in Oracle Payments transmission directories not initiated by authorized ERP users
- Oracle EBS WF (workflow) events related to payment processing without corresponding business-layer initiating events
Oracle Database Audit
Enable or review Oracle Unified Auditing for access to payment-related schema objects:
-- Audit SELECT/INSERT on payment instruction tables
AUDIT SELECT, INSERT, UPDATE ON iby.iby_pay_instructions_all BY ACCESS;
AUDIT SELECT, INSERT, UPDATE ON iby.iby_ext_bank_accounts_b BY ACCESS;
Timeline
| Date | Event |
|---|---|
| 2026-07-15 | Oracle releases Critical Patch Update for July 2026 |
| 2026-07-15 | CVE-2026-46817 publicly disclosed as part of Oracle CPU |
| 2026-07-15 | CISA adds CVE-2026-46817 to Known Exploited Vulnerabilities catalog |
| 2026-07-18 | CISA BOD 26-04 remediation deadline for federal agencies |