Cyber Threat Brief — July 1 2026
⚠️ This report is AI-generated. Always validate findings.
1. Oracle E-Business Suite Payments Takeover — CVE-2026-46817
TL;DR: CVSS 9.8 unauthenticated takeover of Oracle Payments via File Transmission component, actively exploited since June 27 by DriveSurge initial access broker. 456 attacks recorded in first 24 hours across Shadowserver honeypots.
What’s New:
- Unauthenticated HTTP access to /OA_HTML/ibytransmitendpoint exploits iPayment File Transmission — crafted <DeliveryRequest> XML with CODEX_PULL scheme reads arbitrary files or achieves full system compromise
- DriveSurge IAB monetizes access via zTDS infrastructure → FakeUpdates/ClickFix lures → credential harvesting and ransomware handoff
- 450+ internet-exposed Oracle EBS instances (Shadowserver); 193 hits in North America, 181 in Asia in first 24 hours
- Patched in Oracle May 2026 Critical Patch Update; affects EBS 12.2.3–12.2.15
- Nissan payroll data breach attributed to this exploitation campaign
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST /OA_HTML/ibytransmit | URI pattern | T1190 | WAF / reverse proxy | Block unauthenticated POST; alert on any external source |
| 45.84.137[.]125 | Attacker IP | T1190 | Firewall / IDS | Block + hunt historical connections |
| ibytransmit-lab-poc/1.0 | User-Agent | T1190 | WAF / proxy logs | Alert — PoC scanner fingerprint |
| CODEX_PULL in XML body | Payload marker | T1190 | WAF deep inspection | Alert on DeliveryRequest XML containing file path params |
| zTDS redirect domains | Infrastructure | T1102 | DNS / proxy | Monitor for FakeUpdates/ClickFix redirect chains from EBS servers |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Oracle EBS-specific rule; need HTTP POST to /OA_HTML/ibytransmit with anomalous XML body |
| Elastic | None | No coverage for Oracle EBS iPayment exploitation |
| Sigma | None | Need web_access rule matching POST to ibytransmit endpoint with CODEX_PULL payload |
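A first cut at the web_access detection the table above lists as missing, added here as an example (it is not from the brief or from any vendor content pack): it triages constructed WAF events against the indicators in the Actionable Intel table. The JSON event shape, the RFC 1918 definition of "internal", and the XML element nesting are assumptions.

```python
import ipaddress
import json
import re

# Indicators taken from the brief (the defanged IP is re-fanged for matching).
ATTACKER_IPS = {"45.84.137.125"}
POC_USER_AGENT = "ibytransmit-lab-poc/1.0"
ENDPOINT_RE = re.compile(r"^/OA_HTML/ibytransmit", re.IGNORECASE)
# DeliveryRequest XML carrying the CODEX_PULL scheme; the element nesting is assumed.
PAYLOAD_RE = re.compile(r"<DeliveryRequest\b.*?CODEX_PULL", re.IGNORECASE | re.DOTALL)
# "External" here means outside RFC 1918 space; adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed WAF events (JSON lines), not captured traffic.
SAMPLE_LOG = """
{"src_ip": "10.20.30.40", "method": "GET", "uri": "/OA_HTML/AppsLogin", "user_agent": "Mozilla/5.0", "body": ""}
{"src_ip": "45.84.137.125", "method": "POST", "uri": "/OA_HTML/ibytransmitendpoint", "user_agent": "ibytransmit-lab-poc/1.0", "body": "<DeliveryRequest><Scheme>CODEX_PULL</Scheme></DeliveryRequest>"}
{"src_ip": "203.0.113.7", "method": "POST", "uri": "/OA_HTML/ibytransmitendpoint", "user_agent": "curl/8.5.0", "body": "<DeliveryRequest><Scheme>FTP</Scheme></DeliveryRequest>"}
{"src_ip": "10.0.0.5", "method": "POST", "uri": "/OA_HTML/ibytransmitendpoint", "user_agent": "Mozilla/5.0", "body": "<DeliveryRequest><Scheme>CODEX_PULL</Scheme></DeliveryRequest>"}
"""

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def triage(event: dict) -> list[str]:
    """Return the names of the brief's indicators an event matches (empty = benign)."""
    hits = []
    if event["method"].upper() == "POST" and ENDPOINT_RE.match(event["uri"]):
        hits.append("post_ibytransmit")          # any POST to the endpoint (T1190)
        if is_external(event["src_ip"]):
            hits.append("external_source")       # the brief's "alert on any external source"
    if event["src_ip"] in ATTACKER_IPS:
        hits.append("known_attacker_ip")
    if event["user_agent"] == POC_USER_AGENT:
        hits.append("poc_user_agent")
    if PAYLOAD_RE.search(event["body"]):
        hits.append("codex_pull_payload")        # needs WAF body inspection, not plain access logs
    return hits

def scan(log_text: str) -> list[tuple[str, list[str]]]:
    """Parse JSON-lines WAF events and return (src_ip, hits) for every matching event."""
    alerts = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if hits := triage(event):
            alerts.append((event["src_ip"], hits))
    return alerts
```

Running scan(SAMPLE_LOG) flags three of the four constructed events; the internal POST carrying CODEX_PULL is still raised, since the brief's action is to alert on the payload marker regardless of source.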
Sources: BleepingComputer · The Hacker News · SecurityWeek · Secure Bulletin · Defused Cyber
2. Progress Kemp LoadMaster Pre-Auth RCE — CVE-2026-8037
TL;DR: CVSS 9.8 pre-auth RCE in Kemp LoadMaster via uninitialized heap + missing null terminator in escape_quotes(). Full watchTowr exploit chain published June 29 — exploitation imminent given appliance exposure and exploit quality.
What’s New:
- escape_quotes() uses malloc() (uninitialized buffer) instead of calloc() and omits null terminator after escaped output — sprintf()/system() chain reads past buffer into attacker-controlled heap data
- Heap spray places command fragment in adjacent chunk → shell command injection as root
- watchTowr Labs full technical writeup dropped June 29 with exploit chain walkthrough
- Affects GA v7.2.63.1 and earlier, LTSF v7.2.54.17 and earlier when API is enabled
- Fixed in GA v7.2.63.2 / LTSF v7.2.54.18 (patch swaps malloc→calloc + adds null terminator)
- No ITW exploitation yet per Progress; high weaponization likelihood given PoC quality
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| LoadMaster API endpoint | Attack surface | T1190 | Network / firewall | Restrict API access to management VLAN; block external API access |
| Crafted API requests with shell metacharacters | Exploit pattern | T1059.004 | LoadMaster syslog / WAF | Alert on single-quote sequences in API parameters |
| Root shell spawned by LoadMaster process | Post-exploit | T1059.004 | EDR / syslog | Alert on unexpected child processes from LoadMaster daemon |
| v7.2.63.1 or earlier | Version | T1190 | Asset inventory | Patch immediately to v7.2.63.2+ |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No LoadMaster-specific rule; need API abuse + command injection pattern |
| Elastic | None | No coverage for Kemp LoadMaster exploitation |
| Sigma | None | Need network appliance command injection rule for LoadMaster API |
Sources: watchTowr Labs · The Hacker News · CyberSecurityNews · Progress Advisory
Status Updates
- CVE-2026-48558 (SimpleHelp RMM): Federal remediation deadline approaching. Djinn Stealer campaign ongoing — targets AI assistant MCP configs, cloud creds, dev tooling. Patch to 5.5.16+. Previous brief.