Cyber Threat Brief — July 1 2026

⚠️ This report is AI-generated. Always validate findings.

1. Oracle E-Business Suite Payments Takeover — CVE-2026-46817

TL;DR: CVSS 9.8 unauthenticated takeover of Oracle Payments via File Transmission component, actively exploited since June 27 by DriveSurge initial access broker. 456 attacks recorded in first 24 hours across Shadowserver honeypots.

What’s New:

  • Unauthenticated HTTP access to the /OA_HTML/ibytransmit endpoint reaches the iPayment File Transmission component; a crafted <DeliveryRequest> XML using the CODEX_PULL scheme reads arbitrary files or achieves full system compromise
  • DriveSurge IAB monetizes access via zTDS infrastructure → FakeUpdates/ClickFix lures → credential harvesting and ransomware handoff
  • 450+ internet-exposed Oracle EBS instances (Shadowserver); 193 hits in North America, 181 in Asia in first 24 hours
  • Patched in Oracle May 2026 Critical Patch Update; affects EBS 12.2.3–12.2.15
  • Nissan payroll data breach attributed to this exploitation campaign

Actionable Intel

Artifact | Type | ATT&CK | Log Source | Action
POST /OA_HTML/ibytransmit | URI pattern | T1190 | WAF / reverse proxy | Block unauthenticated POST; alert on any external source
45.84.137[.]125 | Attacker IP | T1190 | Firewall / IDS | Block + hunt historical connections
ibytransmit-lab-poc/1.0 | User-Agent | T1190 | WAF / proxy logs | Alert — PoC scanner fingerprint
CODEX_PULL in XML body | Payload marker | T1190 | WAF deep inspection | Alert on DeliveryRequest XML containing file path params
zTDS redirect domains | Infrastructure | T1102 | DNS / proxy | Monitor for FakeUpdates/ClickFix redirect chains from EBS servers

Detection

Source | Rule | Gap
Splunk ESCU | None | No Oracle EBS-specific rule; need HTTP POST to /OA_HTML/ibytransmit with anomalous XML body
Elastic | None | No coverage for Oracle EBS iPayment exploitation
Sigma | None | Need web_access rule matching POST to ibytransmit endpoint with CODEX_PULL payload
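The detection gap above can be closed at the WAF or reverse proxy before a Sigma rule exists. The following is an added example written for this brief, not code from any vendor or from the sources cited: it scores one raw HTTP request against the indicators in the Actionable Intel table (endpoint, PoC User-Agent, CODEX_PULL marker inside a DeliveryRequest body, known source IP) and turns the score into a block/alert/allow verdict. The sample requests are constructed; the XML body is a placeholder carrying only the markers the brief names, not a working payload. The IP is the brief's IOC, refanged so it can be compared. Function and flag names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Bit flags for the indicators listed in the brief. */
enum {
    HIT_ENDPOINT   = 1 << 0,  /* POST to /OA_HTML/ibytransmit */
    HIT_POC_UA     = 1 << 1,  /* ibytransmit-lab-poc/1.0 User-Agent */
    HIT_CODEX_PULL = 1 << 2,  /* DeliveryRequest XML carrying CODEX_PULL */
    HIT_KNOWN_IP   = 1 << 3,  /* 45.84.137[.]125 from the brief, refanged */
};

static const char ENDPOINT_PREFIX[] = "POST /OA_HTML/ibytransmit";
static const char POC_UA[]          = "User-Agent: ibytransmit-lab-poc/";
static const char KNOWN_IP[]        = "45.84.137.125";

/* Scores one raw HTTP request as a WAF or reverse proxy sees it.
 * Returns an OR of the HIT_* flags. */
int score_ibytransmit(const char *src_ip, const char *raw_req) {
    int hits = 0;
    if (strncmp(raw_req, ENDPOINT_PREFIX, sizeof ENDPOINT_PREFIX - 1) == 0)
        hits |= HIT_ENDPOINT;

    /* Headers end at the first blank line; the body follows it. */
    const char *body = strstr(raw_req, "\r\n\r\n");
    if (body) {
        body += 4;
        if (strstr(body, "<DeliveryRequest") && strstr(body, "CODEX_PULL"))
            hits |= HIT_CODEX_PULL;
    }

    /* Only count the User-Agent if it sits in the header block, not the body. */
    const char *ua = strstr(raw_req, POC_UA);
    if (ua && (!body || ua < body))
        hits |= HIT_POC_UA;

    if (strcmp(src_ip, KNOWN_IP) == 0)
        hits |= HIT_KNOWN_IP;
    return hits;
}

/* Block when the endpoint is reached together with any exploit marker;
 * alert on any other external reach of the endpoint (the brief's action). */
const char *verdict(int hits) {
    int markers = HIT_CODEX_PULL | HIT_POC_UA | HIT_KNOWN_IP;
    if ((hits & HIT_ENDPOINT) && (hits & markers)) return "block";
    if (hits & HIT_ENDPOINT) return "alert";
    return "allow";
}

/* Constructed sample requests (not real captures). */
static const char SAMPLE_EXPLOIT[] =
    "POST /OA_HTML/ibytransmit HTTP/1.1\r\n"
    "Host: ebs.example.internal\r\n"
    "User-Agent: ibytransmit-lab-poc/1.0\r\n"
    "Content-Type: text/xml\r\n"
    "\r\n"
    "<DeliveryRequest><!-- placeholder body, not a working payload -->"
    "CODEX_PULL</DeliveryRequest>";

static const char SAMPLE_BENIGN[] =
    "GET /OA_HTML/AppsLogin HTTP/1.1\r\n"
    "Host: ebs.example.internal\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n";

int main(void) {
    int h1 = score_ibytransmit("45.84.137.125", SAMPLE_EXPLOIT);
    int h2 = score_ibytransmit("10.0.0.5", SAMPLE_BENIGN);
    printf("exploit sample: hits=0x%x verdict=%s\n", h1, verdict(h1));
    printf("benign sample:  hits=0x%x verdict=%s\n", h2, verdict(h2));
    return 0;
}
```

The body check deliberately requires both `<DeliveryRequest` and `CODEX_PULL`, since the brief lists the scheme name only as a marker inside that XML; a WAF that does not log or inspect request bodies can still act on the endpoint and User-Agent flags alone.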

Sources: BleepingComputer · The Hacker News · SecurityWeek · Secure Bulletin · Defused Cyber


2. Progress Kemp LoadMaster Pre-Auth RCE — CVE-2026-8037

TL;DR: CVSS 9.8 pre-auth RCE in Kemp LoadMaster via uninitialized heap + missing null terminator in escape_quotes(). Full watchTowr exploit chain published June 29 — exploitation imminent given appliance exposure and exploit quality.

What’s New:

  • escape_quotes() allocates its output with malloc() (uninitialized buffer) instead of calloc() and never writes a null terminator after the escaped output; the following sprintf()/system() chain treats the result as a C string and reads past the escaped bytes into whatever attacker-controlled data sits in the adjacent heap chunk
  • A heap spray places a command fragment in that adjacent chunk, so the fragment is appended to the shell command and executed as root
  • watchTowr Labs full technical writeup dropped June 29 with exploit chain walkthrough
  • Affects GA v7.2.63.1 and earlier, LTSF v7.2.54.17 and earlier when API is enabled
  • Fixed in GA v7.2.63.2 / LTSF v7.2.54.18 (patch swaps malloc() for calloc() and adds the null terminator)
  • No ITW exploitation yet per Progress; high weaponization likelihood given PoC quality
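To make the bug class concrete, here is an added model of the malloc-plus-missing-terminator shape the brief describes. It is not LoadMaster code and not the watchTowr chain; the function names (escape_quotes_vuln, escape_quotes_fixed, toy_malloc, toy_calloc, spray_adjacent, build_command) and the "/bin/tool" command template are this example's own assumptions. The heap is modelled as two adjacent chunks inside one array so the over-read stays well-defined C, and the built command is never passed to system().

```c
#include <stdio.h>
#include <string.h>

/* Toy heap: two adjacent 32-byte chunks in one array. On a real heap the
 * spray arranges the same adjacency, but reading past a malloc'd block is
 * undefined behaviour; keeping both chunks in one object keeps this demo
 * deterministic. */
#define CHUNK 32
static char arena[2 * CHUNK];

/* malloc() model: returns chunk 0 with whatever stale bytes it already holds.
 * calloc() model: the same chunk, zero-filled. */
static char *toy_malloc(void) { return arena; }
static char *toy_calloc(void) { memset(arena, 0, CHUNK); return arena; }

/* Heap spray model: attacker-controlled bytes land in the neighbouring chunk. */
static void spray_adjacent(const char *payload) {
    memset(arena + CHUNK, 0, CHUNK);
    strncpy(arena + CHUNK, payload, CHUNK - 1);
}

/* Shared escaping loop: every ' becomes '\'' (close, escaped quote, reopen).
 * Returns the number of bytes written. */
static size_t escape_into(char *out, const char *in) {
    size_t o = 0;
    for (const char *p = in; *p != '\0' && o + 4 < CHUNK; p++) {
        if (*p == '\'') { memcpy(out + o, "'\\''", 4); o += 4; }
        else            { out[o++] = *p; }
    }
    return o;
}

/* Vulnerable shape: uninitialized buffer and no terminator written. */
static char *escape_quotes_vuln(const char *in) {
    char *out = toy_malloc();
    escape_into(out, in);
    /* missing: out[o] = '\0'; */
    return out;
}

/* Fixed shape: zeroed buffer plus an explicit terminator. */
static char *escape_quotes_fixed(const char *in) {
    char *out = toy_calloc();
    size_t o = escape_into(out, in);
    out[o] = '\0';
    return out;
}

/* Caller pattern from the brief: escaped string dropped into a shell command
 * with sprintf(). Here the command is only built, never executed.
 * Returns the length snprintf() reports. */
int build_command(int fixed, const char *user_input, char *cmd, size_t cmdlen) {
    memset(arena, 'X', CHUNK);      /* stale bytes left by an earlier request */
    spray_adjacent("'; id #");      /* attacker's fragment in the next chunk */
    const char *esc = fixed ? escape_quotes_fixed(user_input)
                            : escape_quotes_vuln(user_input);
    return snprintf(cmd, cmdlen, "/bin/tool '%s'", esc);
}

/* 1 if the built command carries the sprayed fragment, else 0. */
int command_is_injected(int fixed, const char *user_input) {
    char cmd[128];
    build_command(fixed, user_input, cmd, sizeof cmd);
    return strstr(cmd, "'; id #") != NULL;
}

int main(void) {
    char cmd[128];
    build_command(0, "a'b", cmd, sizeof cmd);
    printf("vulnerable: %s\n", cmd);
    build_command(1, "a'b", cmd, sizeof cmd);
    printf("fixed:      %s\n", cmd);
    return 0;
}
```

In the vulnerable path the quoting logic itself is correct; what breaks it is that `%s` keeps reading until the first zero byte, which the spray guarantees comes only after the `'; id #` fragment. The fix needs both halves the brief mentions: zero-filling alone still leaves the terminator dependent on leftover bytes, and the terminator alone still relies on the buffer having room for it.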

Actionable Intel

Artifact | Type | ATT&CK | Log Source | Action
LoadMaster API endpoint | Attack surface | T1190 | Network / firewall | Restrict API access to management VLAN; block external API access
Crafted API requests with shell metacharacters | Exploit pattern | T1059.004 | LoadMaster syslog / WAF | Alert on single-quote sequences in API parameters
Root shell spawned by LoadMaster process | Post-exploit | T1059.004 | EDR / syslog | Alert on unexpected child processes from LoadMaster daemon
v7.2.63.1 or earlier | Version | T1190 | Asset inventory | Patch immediately to v7.2.63.2+

Detection

Source | Rule | Gap
Splunk ESCU | None | No LoadMaster-specific rule; need API abuse + command injection pattern
Elastic | None | No coverage for Kemp LoadMaster exploitation
Sigma | None | Need network appliance command injection rule for LoadMaster API

Sources: watchTowr Labs · The Hacker News · CyberSecurityNews · Progress Advisory


Status Updates

  • CVE-2026-48558 (SimpleHelp RMM): Federal remediation deadline approaching. Djinn Stealer campaign ongoing — targets AI assistant MCP configs, cloud creds, dev tooling. Patch to 5.5.16+. See previous brief.