Critical Unauthenticated Remote Takeover in Oracle E-Business Suite CVE-2026-46817
CVE-2026-46817 is a critical authentication bypass vulnerability in the Oracle Payments component of Oracle E-Business Suite (EBS). Rated CVSS v3.1 9.8, the flaw lets unauthenticated remote attackers bypass authentication and gain full administrative or root-level control of the EBS instance. Research from Defused Cyber confirms that the vulnerability is currently being exploited in the wild. By targeting specific vulnerable API endpoints, adversaries can compromise the integrity of corporate financial records, payment processing workflows, and sensitive enterprise PII, creating a systemic risk of ransomware deployment and long-term persistence within ERP environments.
Zero-Day Exploitation of Oracle PeopleSoft by UNC6240
UNC6240 (ShinyHunters) conducted a zero-day exploitation campaign targeting Oracle PeopleSoft (PeopleTools 8.61 and 8.62) between May 27 and June 9, 2026. The actors exploited CVE-2026-35273, a critical Server-Side Request Forgery (SSRF) vulnerability (CWE-918) in the Updates Environment Management component, to achieve unauthenticated Remote Code Execution (RCE). Following initial access, the group deployed MeshCentral remote management agents disguised as Microsoft Azure services to maintain persistence and perform reconnaissance. Data was compressed using 'zstd' and exfiltrated for extortion on the ShinyHunters Data Leak Site. CISA added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog on June 12, 2026, following widespread targeting of the higher education sector.