CVE-2026-46817
Unauthenticated file read in Oracle E-Business Suite Payments
Our Oracle E-Business Suite decoys captured the first in-the-wild exploitation of CVE-2026-46817: six unauthenticated file-read attempts from a single source on 27 June 2026, roughly six weeks after Oracle’s May 2026 patch and before any public proof-of-concept existed.
What we're seeing
On 27 June 2026 our Oracle E-Business Suite decoys recorded the first in-the-wild exploitation of CVE-2026-46817 — roughly six weeks after Oracle’s May 2026 patch and before any public proof-of-concept existed.
The activity was a single source running an unauthenticated file-read against the Payments component: a targeted proof-of-concept, not broad scanning. The exact request, source, and tool identity are in the full report.
```
POST /OA_HTML/████████ HTTP/1.1
Host: <target>
Content-Type: text/xml
OapfDelEnvLen: <Content-Length>

<DeliveryRequest>
  <CodePackage>oracle.apps.████.████.████████</CodePackage>
  <EntryPoint>████████</EntryPoint>
  <Parameter><Name>FULL_FILE_PATH</Name><Value>████████</Value></Parameter>
</DeliveryRequest>
```
Early exploitation snapshot
A point-in-time view of the first wave after detection, captured 27 Jun 2026. Live activity is tracked in the console.
| Source IP | ASN / org | Country | Hits |
|---|---|---|---|
| 45.84.███.███ | AS██████ ████████ | EU | 6 |
Exploitation timeline
- Jun 27 05:38 First file-pull observed; tool self-identified as ibytransmit-lab-poc/1.0
- Jun 27 07:08–07:33 Five further file-pulls from the same source; tool identity re-badged, exploit unchanged
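
Because the tool identity changed between requests while the exploit stayed the same, detection is better keyed on the request structure shown above than on the client's name. The following is an added example, not code from the report or from Oracle: a Python check that flags a POST under `/OA_HTML/` whose `DeliveryRequest` body carries a `FULL_FILE_PATH` parameter. It assumes the tool's self-identification travels in the `User-Agent` header; the endpoint, package, path, host and second agent string are constructed placeholders, since the page redacts the real values.

```python
import xml.etree.ElementTree as ET

def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:                      # malformed request line
        return "", "", {}, ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body

def classify(raw):
    """Return 'file-read-attempt', 'needs-review' or None for one request."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or not path.startswith("/OA_HTML/"):
        return None
    if "<!doctype" in body.lower() or "<!entity" in body.lower():
        return "needs-review"  # do not expand entities from untrusted XML
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "DeliveryRequest":
        return None
    names = [(p.findtext("Name") or "").strip() for p in root.iter("Parameter")]
    # User-Agent is deliberately ignored: the tool name changed, the body did not.
    return "file-read-attempt" if "FULL_FILE_PATH" in names else None

# Constructed samples: endpoint, package and path values are placeholders,
# because the page redacts the real ones.
BODY = ("<DeliveryRequest><CodePackage>oracle.apps.PLACEHOLDER</CodePackage>"
        "<EntryPoint>PLACEHOLDER</EntryPoint><Parameter><Name>{name}</Name>"
        "<Value>/constructed/placeholder</Value></Parameter></DeliveryRequest>")

def sample(agent, name="FULL_FILE_PATH", method="POST"):
    body = BODY.format(name=name)
    return (f"{method} /OA_HTML/PLACEHOLDER HTTP/1.1\r\nHost: decoy.example\r\n"
            f"User-Agent: {agent}\r\nContent-Type: text/xml\r\n"
            f"OapfDelEnvLen: {len(body)}\r\n\r\n{body}")

if __name__ == "__main__":
    for agent in ("ibytransmit-lab-poc/1.0", "constructed-rebadged/0.0"):
        print(agent, "->", classify(sample(agent)))
    print("other parameter ->", classify(sample("x", name="OTHER_PARAM")))
```
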