Active Exploitation Alert: Critical Oracle E-Business Suite CVE-2026-46817 Vulnerability Targeting Oracle Payments Module

Executive Summary

CVE-2026-46817 is a critical, remotely exploitable vulnerability in Oracle E-Business Suite (EBS), located in the File Transmission component of the Oracle Payments product. An unauthenticated attacker who can reach the component over HTTP can take it over completely, resulting in a total loss of confidentiality, integrity, and availability for Oracle Payments. The vulnerability is rated CVSS 9.8 (Critical), the score that corresponds to network-reachable, low-complexity exploitation with no privileges or user interaction required, and it affects EBS versions 12.2.3 through 12.2.15. Multiple threat intelligence sources confirm that it is being exploited in the wild, with the recent Nissan payroll data compromise cited as an example. The exploitation is part of a broader campaign by organized criminal actors, including the initial access broker DriveSurge, who use the flaw to gain a foothold and resell that access for ransomware and data theft. Immediate patching, a hunt for persistence on any instance that was reachable before the patch was applied, and supply chain follow-up with providers that run EBS are the essential responses.

Threat Actor Profile

The primary threat actors exploiting CVE-2026-46817 are cybercriminal groups specializing in initial access brokerage and pay-per-install malware distribution. The DriveSurge group has been identified as a key player. DriveSurge compromises legitimate websites and enterprise applications, injects malicious code, and sells access to the compromised environments to other criminal entities, including ransomware operators and credential theft syndicates. Its campaigns are characterized by a traffic distribution system tracked as zTDS, deceptive browser update prompts (FakeUpdates), and fake CAPTCHA or error pages (ClickFix) that trick users into running commands, all of which serve infection and lateral movement. There is no attribution to nation-state actors at this time; the tactics, techniques, and procedures (TTPs) observed match those of organized cybercrime groups focused on monetizing access to high-value enterprise targets.

Technical Analysis of Malware/TTPs

CVE-2026-46817 is rooted in several weaknesses: CWE-269 (Improper Privilege Management), CWE-287 (Improper Authentication), and CWE-306 (Missing Authentication for Critical Function). A remote, unauthenticated attacker sends specially crafted HTTP requests to the Oracle Payments File Transmission interface, bypasses its authentication controls, and executes arbitrary commands with elevated privileges. The result is a full compromise of the Oracle Payments environment: attackers can exfiltrate sensitive financial data, manipulate payment instructions, and establish persistent access for further exploitation. Because the File Transmission component exists to move payment files to external parties, outbound connectivity from it is normal, which is what makes exfiltration through it hard to distinguish from legitimate traffic without a baseline.

The exploitation chain observed in the wild follows a consistent pattern. Attackers scan for exposed Oracle E-Business Suite instances, particularly those running vulnerable versions (12.2.3 through 12.2.15). On identifying a target, they deliver the exploit over HTTP and use the authentication bypass to gain initial access. Post-compromise, they deploy web shells or remote access tools to maintain persistence and move laterally within the victim's network. In campaigns attributed to DriveSurge, compromised environments are further monetized by redirecting users through zTDS infrastructure, where FakeUpdates or ClickFix lures deliver additional malware or harvest credentials.

Indicators of compromise (IOCs) associated with these campaigns include unusual outbound HTTP requests from Oracle EBS application servers, unauthorized scripts or files in Oracle Payments directories, and connections to known zTDS-related domains and IP addresses. Since the Payments tier legitimately transmits files to bank gateways, "unusual" has to be measured against a baseline of expected destinations taken from a clean period; without one, the real exfiltration channel looks like routine file transmission. Organizations should also monitor for signs of data exfiltration, particularly involving payroll, HR, or financial records.

Exploitation in the Wild

Active exploitation of CVE-2026-46817 has been confirmed by multiple threat intelligence sources. The threat intelligence firm Defused reported exploitation attempts against its Oracle EBS honeypots, confirming that attackers are actively targeting the vulnerability. BleepingComputer and The Register have documented ongoing attacks, including a high-profile breach at Nissan in which attackers accessed payroll records, bank details, and social security numbers. The breach window aligns with the public disclosure and exploitation timeline of CVE-2026-46817.

The DriveSurge campaign exemplifies the broader threat landscape: attackers use Oracle EBS vulnerabilities to gain initial access and then sell that access to other criminal groups. Infection chains typically involve redirection through zTDS infrastructure, FakeUpdates and ClickFix lures, and malicious JavaScript injected into legitimate web applications. These techniques let the attackers reach both direct Oracle EBS users and organizations connected to them through supply chain relationships.

Exposure analysis by Shadowserver indicates that over 450 Oracle EBS instances are reachable from the internet, nearly 200 of them in the US and Europe. Exposure is not the same as vulnerability, and the true number of unpatched systems remains unknown, which is exactly why remediation cannot wait for a confirmed sighting.

Victimology and Targeting

The exploitation of CVE-2026-46817 has primarily targeted organizations in the automotive, financial, payroll, and higher education sectors, with a particular focus on entities operating in the United States, Canada, Mexico, Brazil, and Europe. The breach at Nissan highlights the risk to large enterprises with complex payroll and HR systems, but the threat extends to any organization utilizing Oracle E-Business Suite or related platforms such as PeopleSoft.

Supply chain risk is a significant concern, as organizations may be indirectly impacted if their service providers, payroll bureaus, or financial software vendors utilize vulnerable Oracle EBS instances. The interconnected nature of enterprise IT environments means that a single compromised supplier can have cascading effects across multiple organizations, amplifying the potential impact of this vulnerability.

Historical context indicates that similar Oracle EBS and PeopleSoft vulnerabilities have been exploited by groups such as Clop and ShinyHunters, who focus on data theft and extortion. While no direct attribution to these groups has been made for CVE-2026-46817, the tactics observed are consistent with their previous campaigns.

Mitigation and Countermeasures

Immediate action is required to mitigate the risk posed by CVE-2026-46817. Organizations should apply the Oracle May 2026 Critical Patch Update (CPU) to all affected Oracle E-Business Suite instances (versions 12.2.3 through 12.2.15) without delay. For environments managed by third-party service providers, obtain written confirmation that the patch has been applied and verify it technically, by checking the instance's own applied-patch records rather than relying on a change ticket. Patching closes the entry point but does not evict an attacker who is already inside: any instance that was reachable from the internet before the patch should be treated as potentially compromised, hunted for web shells and unexpected scheduled jobs, and have its application and integration credentials rotated.

Supply chain diligence is critical. Request patch status updates from all critical suppliers, payroll bureaus, and financial software providers that run Oracle E-Business Suite or PeopleSoft. Remove Oracle EBS instances from the public internet wherever possible; where external access is genuinely required, place the instance behind a VPN or an authenticating reverse proxy, and use network segmentation and access controls so that the application tier is reachable only from the networks that need it.

Enhance web filtering to block known zTDS redirect infrastructure and monitor for connections to suspicious domains and IP addresses associated with DriveSurge and related campaigns. Conduct regular security awareness training for staff, emphasizing the identification and reporting of suspicious browser update prompts, fake CAPTCHAs, and other social engineering tactics.

Monitor for indicators of compromise, including outbound HTTP requests from Oracle EBS servers to destinations outside the baseline of expected bank gateways and internal services, unauthorized files or scripts in Oracle Payments directories, and signs of data exfiltration involving payroll or financial records. Use endpoint detection and response (EDR) and network monitoring tools to detect and respond to anomalous activity, and retain proxy and web server logs long enough to cover the exploitation window.
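The following script is an added example, not code from the advisory or from Rescana, showing how the two IOC classes named above (outbound HTTP from EBS application servers, and unexpected files under Oracle Payments directories) can be triaged in practice. The EBS host list, the destination allowlist, the directory layout and the proxy log lines are constructed assumptions for illustration; the point is the allowlist-plus-baseline logic, which applies equally to the IOC section earlier on this page.

```python
"""Added detection example (constructed data; not from the advisory or Rescana)."""
import re
from pathlib import PurePosixPath

# Assumption: EBS application-tier hosts taken from an asset inventory export.
EBS_HOSTS = {"10.20.30.11", "10.20.30.12"}

# Assumption: destinations the Payments file-transmission job is expected to reach
# (bank gateway, internal services). Build this from a known-clean period first.
ALLOWED_DESTS = {"payments-gw.bank.example", "updates.example.internal"}

# Constructed proxy log lines in a key=value format; real proxy logs will differ.
PROXY_LOG = """\
2026-05-12T09:14:03Z src=10.20.30.11 dst=payments-gw.bank.example method=PUT uri=/upload/ach_20260512.txt status=200 bytes_out=48211
2026-05-12T09:16:44Z src=10.20.30.11 dst=cdn-update-check.example.net method=GET uri=/update.js status=200 bytes_out=312
2026-05-12T09:16:50Z src=10.20.30.11 dst=cdn-update-check.example.net method=POST uri=/c2/beacon status=200 bytes_out=204800
2026-05-12T09:20:01Z src=10.20.30.40 dst=intranet.example.internal method=GET uri=/ status=200 bytes_out=120
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) method=(?P<method>\S+) "
    r"uri=(?P<uri>\S+) status=(?P<status>\d+) bytes_out=(?P<bytes_out>\d+)$"
)


def parse_proxy_log(text):
    """Parse the constructed key=value lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            ev["bytes_out"] = int(ev["bytes_out"])
            events.append(ev)
    return events


def flag_outbound(events, ebs_hosts=EBS_HOSTS, allowed=ALLOWED_DESTS, exfil_bytes=100_000):
    """Alert on EBS hosts talking to destinations outside the allowlist.

    A large POST body to an unknown destination is rated high because it matches
    the exfiltration pattern; any other unexpected destination is medium so that
    beaconing and lure fetches are still surfaced to an analyst.
    """
    alerts = []
    for ev in events:
        if ev["src"] not in ebs_hosts or ev["dst"] in allowed:
            continue
        exfil = ev["method"] == "POST" and ev["bytes_out"] >= exfil_bytes
        alerts.append({
            "ts": ev["ts"], "src": ev["src"], "dst": ev["dst"], "uri": ev["uri"],
            "bytes_out": ev["bytes_out"], "severity": "high" if exfil else "medium",
        })
    return alerts


# Extensions that should not appear unexpectedly under a Payments product directory.
# EBS 12.2 runs on WebLogic, so a dropped JSP or WAR is the classic web shell.
WEB_SHELL_EXTS = {".jsp", ".jspx", ".war", ".class", ".sh"}

# Assumption: the Oracle Payments (IBY) product directory on the application tier;
# adjust to the real $APPL_TOP layout of the instance being checked.
WATCHED_DIRS = ("/u01/app/EBSapps/appl/iby/12.0.0/",)


def new_suspicious_files(baseline, current, watched=WATCHED_DIRS, exts=WEB_SHELL_EXTS):
    """Compare a known-good file inventory with the current one.

    Returns paths that are new since the baseline, live under a watched
    directory, and carry an extension an attacker would use for persistence.
    """
    hits = []
    for path in sorted(set(current) - set(baseline)):
        if path.startswith(watched) and PurePosixPath(path).suffix.lower() in exts:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for a in flag_outbound(parse_proxy_log(PROXY_LOG)):
        print(f"[{a['severity']}] {a['ts']} {a['src']} -> {a['dst']}{a['uri']} ({a['bytes_out']} bytes)")
    base = {"/u01/app/EBSapps/appl/iby/12.0.0/patch/115/sql/ibyupd.sql"}
    now = base | {"/u01/app/EBSapps/appl/iby/12.0.0/html/help.jsp", "/tmp/x.jsp"}
    print(new_suspicious_files(base, now))
```

Run it as a script to see the two alerts from the constructed log (a medium for the lure fetch, a high for the 200 KB POST) and the one dropped JSP under the watched directory. The allowlist is the important design choice: the legitimate PUT to the bank gateway produces no alert only because that destination was baselined, which is the caveat the IOC section raises.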

References

NVD: CVE-2026-46817
Oracle Security Advisory
BleepingComputer: Oracle EBS flaw exploited
The Register: Nissan breach
Silent Push: DriveSurge Campaign
The Small Business Cybersecurity Guy: Threat Analysis

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our advanced threat intelligence and risk analytics empower security teams to proactively identify vulnerabilities, manage supplier risk, and ensure compliance with industry standards. For more information about how Rescana can help safeguard your organization, or if you have any questions regarding this advisory, please contact us at info@rescana.com.