Oracle E-Business Suite CVE-2026-46817 CVSS 9.8 actively exploited before any public PoC existed, targeting the Payments file transmission component  ·  Progress Kemp LoadMaster CVE-2026-8037 CVSS 9.8 has a full watchTowr exploit chain public, not yet exploited  ·  npm announces mandatory MFA and automated provenance checks in its July security overhaul  ·  CYBERSIP.NET  ·  ISSUE 76
CYBERSIP™
Daily Cyber Brief  ·  Intelligence Without the Noise
Issue No. 76 · July 1, 2026 · cybersip.net
Issue No. 76  ·  July 1, 2026  ·  3 active items  ·  Under 5 min read
Today’s picture
Defused Cyber confirmed on Monday that CVE-2026-46817, a CVSS 9.8 unauthenticated HTTP takeover flaw in Oracle Payments, was first exploited on June 27, roughly a month after Oracle patched it in the May 28 Critical Security Patch Update and before any public proof-of-concept existed. The initial activity was a single source running a targeted file-read against the Payments component on Defused’s honeypots, consistent with an attacker validating a privately built exploit rather than broad automated scanning. Shadowserver tracks over 450 internet-facing Oracle EBS instances. Progress Kemp LoadMaster has a CVSS 9.8 pre-authentication command injection flaw, CVE-2026-8037, for which watchTowr Labs published a full technical exploit walkthrough on Sunday. No exploitation has been reported yet, but a previous critical LoadMaster flaw was actively exploited in the wild within weeks of public disclosure. npm announced today that it will require mandatory two-factor authentication for all maintainers with publish rights and introduce automated provenance attestation checks across the registry starting in July, a direct response to supply chain attacks including the Mastra compromise from Issue 66.
Threat snapshot
3 active items · 2 monitoring
Oracle EBS CVE-2026-46817 / CVSS 9.8 / exploited before public PoC
Kemp LoadMaster CVE-2026-8037 / CVSS 9.8 / full PoC public / not yet exploited
npm security overhaul / mandatory MFA / provenance checks / July
3 items this issue
June 27–30 · Oracle EBS · CVSS 9.8 · Actively Exploited
Oracle E-Business Suite CVE-2026-46817 actively exploited before any public PoC existed. A single unauthenticated HTTP request can take over Oracle Payments. First observed on Defused honeypots June 27. Apply Oracle’s May 2026 Critical Security Patch Update now.
The targeted component is Oracle Payments’ File Transmission module, which formats and transmits ACH batches, wire transfers, and EFT payment instructions directly to financial institutions. The initial activity observed was a targeted file-read to confirm the exploit worked rather than broad scanning. Any internet-facing Oracle EBS instance left unpatched after May 28 should be treated as potentially compromised. Review logs for suspicious POST requests to /OA_HTML/ibytransmit.
June 29 · Kemp LoadMaster · Full PoC Public
Progress Kemp LoadMaster CVE-2026-8037 CVSS 9.8: watchTowr publishes a full exploit walkthrough. Unauthenticated pre-auth root command execution via the API. Patch available. Not yet exploited in the wild, but the previous LoadMaster critical flaw reached KEV within weeks.
The flaw is a heap uninitialized memory and missing null-terminator bug in escape_quotes() that lets command injection bypass sanitization via the /accessv2 API endpoint. Affects GA v7.2.63.1 and earlier, LTSF v7.2.54.17 and earlier. Patch now and audit whether the LoadMaster API needs to be internet-accessible at all.
Today · npm
npm announces a July security overhaul: mandatory MFA for all maintainers with publish rights, automated provenance attestation, and tighter account takeover detection. A direct response to supply chain attacks including the Mastra compromise.
The changes address the root cause exploited in the Mastra/Sapphire Sleet attack and the earlier Axios compromise: a hijacked maintainer account with no second factor blocking unauthorized publishing. npm will also begin flagging packages that cannot produce build provenance attestations.
Detailed intelligence
Full analysis
01 Oracle EBS CVSS 9.8 Actively Exploited
Oracle E-Business Suite CVE-2026-46817 exploited before any public PoC. An attacker appears to have built this exploit independently, most likely by working back from the May patch. Targets Oracle Payments, the module that transmits payment instructions to financial institutions.
CVE-2026-46817 · CVSS 9.8 · Oracle Payments
Defused Cyber reported on Monday that its Oracle EBS decoys recorded the first in-the-wild exploitation of CVE-2026-46817 on June 27, roughly a month after Oracle’s May 2026 Critical Security Patch Update and before any public proof-of-concept was published. The flaw is improper privilege management and missing authentication in Oracle Payments’ File Transmission component, allowing a complete unauthenticated takeover via HTTP.
Executive Impact
Oracle Payments sits inside Oracle E-Business Suite and is responsible for formatting and transmitting ACH batches, wire transfers, and electronic payment files directly to banks and financial institutions. A compromised Oracle Payments instance gives an attacker access to payment data and the ability to intercept, read, or modify payment instructions. Apply Oracle’s May 2026 Critical Security Patch Update immediately. Any internet-facing Oracle EBS instance that was unpatched between May 28 and now should be treated as potentially compromised. Review logs for POST requests to /OA_HTML/ibytransmit and for unexpected file access in the Payments file transmission working directories.
Don’t Miss
The absence of a public PoC at the time of exploitation is the analytically significant detail in this story. It strongly suggests the attacker independently reverse-engineered the fix from Oracle’s May patch and built a working exploit, a capability associated with sophisticated financially motivated groups and nation-state actors rather than opportunistic script-based scanning. Defused specifically described the observed activity as targeted proof-of-concept testing rather than broad scanning, with a single source testing file-read capability against the Payments component. Oracle has a documented history as a high-value target: CVE-2025-61882 in Oracle EBS was exploited by Cl0p ransomware actors, and CVE-2026-35273 in PeopleSoft was exploited by ShinyHunters, which subsequently confirmed Nissan as a victim. CVE-2026-46817 follows that pattern directly. A CVSS 9.8 Oracle enterprise application vulnerability patched in May and actively exploited in June with no public PoC indicates that attackers have invested specifically in Oracle enterprise products as a target class.
CyberSip Take
Three Oracle enterprise application vulnerabilities with confirmed exploitation in the last year: Cl0p targeting EBS, ShinyHunters targeting PeopleSoft, and now an unattributed actor targeting Oracle Payments before a public PoC existed. Oracle ERP, HR, and financial platforms are clearly being treated as a priority attack surface by multiple independent threat actors. Patching Oracle products on a normal quarterly cycle is no longer adequate. Apply the May CSPU now, treat any exposed instance as potentially compromised, and review whether Oracle EBS web interfaces need to be internet-facing at all.
What happened

Oracle released its May 2026 Critical Security Patch Update on May 28, addressing 77 vulnerabilities including CVE-2026-46817 in Oracle E-Business Suite. The vulnerability is in the File Transmission component of Oracle Payments and is caused by improper privilege management, improper authentication, and missing authentication for a critical function. Oracle describes it as easily exploitable by an unauthenticated attacker with network access via HTTP, with successful exploitation resulting in complete takeover of Oracle Payments.

On June 27, 2026, Defused Cyber’s Oracle EBS honeypots recorded the first in-the-wild exploitation of CVE-2026-46817. Defused described it as a single source running an unauthenticated file-read against the Payments component, consistent with targeted proof-of-concept testing by an attacker validating a privately built exploit rather than automated broad scanning. No public proof-of-concept existed at that time, so whoever performed the exploitation built it independently, most plausibly by diffing Oracle’s May patch.

This follows a well-established pattern in Oracle enterprise software targeting. CVE-2025-61882, a previous Oracle EBS critical flaw, was exploited by Cl0p ransomware operators. CVE-2026-35273 in Oracle PeopleSoft was exploited by ShinyHunters in a campaign that confirmed Nissan as a victim. Shadowserver tracked over 450 internet-exposed Oracle EBS instances as of the time of reporting. Organizations should assume that any unpatched internet-accessible EBS instance may have been subject to exploitation attempts since June 27.

Recommended actions
Derived from The Hacker News, BleepingComputer, Help Net Security, and Defused Cyber reporting on CVE-2026-46817, June 30 and July 1, 2026.
02 Kemp LoadMaster Full PoC Public
Progress Kemp LoadMaster CVE-2026-8037 CVSS 9.8: a full public exploit chain published by watchTowr. Unauthenticated pre-auth root command execution via the API. Not yet confirmed exploited, but the previous LoadMaster critical flaw was quickly weaponized.
CVE-2026-8037 · CVSS 9.8 · Kemp LoadMaster
watchTowr Labs published a detailed technical write-up with a working exploit chain on June 29. The flaw lives in the escape_quotes() function in LoadMaster’s API handling code. An uninitialized heap buffer combined with a missing null terminator allows command injection via the /accessv2 endpoint, bypassing the sanitization the function was meant to provide. No exploitation in the wild has been reported as of today.
Executive Impact
Kemp LoadMaster sits at the network edge, distributing traffic across servers and functioning as an application delivery controller and load balancer. A pre-auth root command execution flaw in that position gives an attacker a foothold before they reach any internal application. Update LoadMaster to a build that resolves CVE-2026-8037 immediately. Affects GA release v7.2.63.1 and earlier, and LTSF release v7.2.54.17 and earlier. If the LoadMaster API is not required to be internet-accessible, restrict it to internal management networks as an additional control regardless of patch status. Progress also patched a second high-severity flaw in the same advisory, CVE-2026-33691, a WAF bypass via whitespace padding in filenames.
Don’t Miss
This is not LoadMaster’s first critical exploitation incident. CISA added a previous LoadMaster command injection flaw, CVE-2024-1212, rated CVSS 10.0, to its Known Exploited Vulnerabilities catalog in November 2024 after confirmed exploitation in the wild. Progress also patched five additional high-severity LoadMaster flaws in April 2026, four of them command injection issues. Counting those alongside CVE-2026-8037 and CVE-2026-33691, LoadMaster has produced seven high or critical severity vulnerabilities in the last eighteen months, five of them command injection flaws in its API or management surface. The recurrence pattern here matches what this brief has documented with Fortinet, Cisco SD-WAN, and Ivanti: products at the network edge accumulate high-severity vulnerability backlogs that attract sustained attacker research attention once the first significant exploitation is documented. watchTowr chose the title “Enterprise Tech In, Shell Out” for a reason.
CyberSip Take
A CVSS 9.8 pre-auth root flaw in a network edge appliance from a vendor whose previous critical flaw reached CISA KEV, with a full public exploit chain now available. The window between a watchTowr write-up and active exploitation has consistently been measured in days across the cases this brief has tracked. Patch LoadMaster now and assess whether its API needs to be internet-accessible at all, which is the question that determines whether an unpatched instance is directly exploitable or merely an internal risk.
What happened

Progress published a security advisory on June 4, 2026 describing a command injection remote code execution vulnerability in Kemp LoadMaster’s API, CVE-2026-8037. The advisory lists GA release v7.2.63.1 and earlier and LTSF release v7.2.54.17 and earlier as affected. On June 29, watchTowr Labs published a full technical breakdown of the vulnerability with a working exploit chain, the first detailed public analysis of the flaw.

The vulnerability lives in a function called escape_quotes() that is supposed to sanitize user input before it is passed to a shell command via the /accessv2 API endpoint. The function has two implementation defects. It uses malloc() to allocate a new buffer for the escaped output, leaving the buffer’s contents uninitialized, and it neglects to write a null terminator after the escaped string. When the escaped pointer is subsequently used in a sprintf() and system() call chain to build a command line, the %s conversion reads until the first null byte, so the missing terminator lets sprintf() copy bytes past the escaped string, first from the uninitialized remainder of the buffer and then from adjacent heap memory. Because malloc() can return previously freed chunks that still hold attacker-controlled data, an attacker can position command fragments in that memory so they are appended to the executed command, achieving injection despite the attempted sanitization.
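The two defects above, as an added illustration of the bug class rather than LoadMaster’s own escape_quotes() or watchTowr’s exploit (neither is reproduced here): a toy shell-argument escaper that writes into a recycled buffer without a terminator, beside a version that sizes, zeroes and terminates its output. The escaping rule (a single quote becomes '\''), the /bin/ls command template, the chunk size and the stale-heap residue are all constructed assumptions for the demo, not details from the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Illustrative code, not LoadMaster's escape_quotes() and not watchTowr's
 * exploit. It shows the bug class described in the text: an escaper that
 * leaves its heap output unterminated, so the next %s conversion keeps
 * reading whatever the recycled chunk still held.
 *
 * Assumed escaping rule: each single quote ' becomes '\'' so the result can
 * sit inside a single-quoted shell argument.
 */

#define CHUNK 64   /* size of the simulated heap chunk (assumed) */

/* Vulnerable variant: escapes into a caller-supplied chunk and returns the
 * number of bytes written, but never appends the terminating NUL. The
 * caller must guarantee the chunk is large enough for the escaped form. */
size_t escape_quotes_unterminated(const char *in, char *out)
{
    size_t j = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (in[i] == '\'') {
            memcpy(out + j, "'\\''", 4);
            j += 4;
        } else {
            out[j++] = in[i];
        }
    }
    /* BUG: no out[j] = '\0'; string functions keep reading past byte j */
    return j;
}

/* Builds the command line the vulnerable path would hand to system().
 * `residue` stands in for the bytes a recycled malloc chunk still holds
 * from an earlier request; it is constructed here, not captured from a
 * real allocator. Returns snprintf's length, or -1 on allocation failure. */
int build_command_vuln(const char *value, const char *residue,
                       char *cmd, size_t cmdsz)
{
    char *chunk = malloc(CHUNK);
    if (chunk == NULL) return -1;
    memset(chunk, 0, CHUNK);
    strncpy(chunk, residue, CHUNK - 1);       /* stale attacker-controlled bytes */
    escape_quotes_unterminated(value, chunk); /* overwrites only a prefix */
    /* %s reads until the first NUL, so the residue follows the escaped value */
    int n = snprintf(cmd, cmdsz, "/bin/ls '%s'", chunk);
    free(chunk);
    return n;
}

/* Fixed variant: size the output exactly, zero it, and terminate it.
 * The caller frees the result. */
char *escape_quotes_fixed(const char *in)
{
    size_t n = strlen(in), quotes = 0;
    for (size_t i = 0; i < n; i++)
        if (in[i] == '\'') quotes++;
    size_t outlen = n + quotes * 3;       /* 1-byte ' becomes 4-byte '\'' */
    char *out = calloc(outlen + 1, 1);    /* zeroed, with room for the NUL */
    if (out == NULL) return NULL;
    size_t j = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'') {
            memcpy(out + j, "'\\''", 4);
            j += 4;
        } else {
            out[j++] = in[i];
        }
    }
    out[j] = '\0';
    return out;
}

int build_command_fixed(const char *value, char *cmd, size_t cmdsz)
{
    char *esc = escape_quotes_fixed(value);
    if (esc == NULL) return -1;
    int n = snprintf(cmd, cmdsz, "/bin/ls '%s'", esc);
    free(esc);
    return n;
}

/* Demo helpers returning the composed command lines for inspection. */
const char *vulnerable_demo(void)
{
    static char cmd[256];
    /* Constructed residue: a quote that closes the argument, then a command. */
    build_command_vuln("safe", "xxxxx'; id; echo '", cmd, sizeof cmd);
    return cmd;
}

const char *fixed_demo(void)
{
    static char cmd[256];
    build_command_fixed("it's", cmd, sizeof cmd);
    return cmd;
}

int main(void)
{
    printf("vulnerable: %s\n", vulnerable_demo()); /* ... 'safex'; id; echo '' */
    printf("fixed:      %s\n", fixed_demo());      /* /bin/ls 'it'\''s' */
    return 0;
}
```

The vulnerable path escapes the benign value "safe" correctly and still produces a command line containing `'; id;`, because nothing after byte four of the buffer was ever written and %s does not stop there. The fix is the boring pair of changes the write-up implies: allocate exactly the escaped length plus one, from zeroed memory, and write the terminator. Pre-filling the chunk explicitly replaces the allocator-dependent behaviour of a real heap so the demonstration is deterministic.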

Progress reported no exploitation of CVE-2026-8037 as of its advisory date. No exploitation has been confirmed in the wild as of today. However, CVE-2024-1212, a previous LoadMaster critical command injection flaw, was added to CISA’s Known Exploited Vulnerabilities catalog in November 2024 after confirmed exploitation. The public watchTowr exploit significantly reduces the time and capability required for any attacker to weaponize CVE-2026-8037.

Recommended actions
Derived from The Hacker News, Cyber Security News, and watchTowr Labs blog on CVE-2026-8037, June 29 and July 1, 2026.
03 npm July Overhaul
npm announces mandatory MFA for all maintainers with publish rights and automated provenance attestation checks starting in July. Addresses the root cause exploited in the Mastra and Axios supply chain attacks.
npm · GitHub · July 2026
Cybernews reports today that npm will push through a major security update in July covering three areas: mandatory two-factor authentication for any account with npm publish rights, automated verification of build provenance attestations for packages flagged as high-impact, and enhanced account takeover detection using behavioral signals. The announcement comes directly after the Mastra and Axios supply chain compromises attributed to North Korean Sapphire Sleet.
Executive Impact
For organizations consuming npm packages, the changes improve the baseline security of the registry without requiring any consumer-side action. For teams that maintain npm packages, the key preparation step is ensuring that all accounts holding publish access to your organization’s packages have phishing-resistant MFA enrolled before the July enforcement deadline. Hardware security keys or passkeys are the recommended form of MFA: they resist phishing and SIM swapping in a way SMS and authenticator-app codes do not. Note the limit, though. The Mastra attack used a social engineering technique that compromised the device running the authenticator, and an attacker with that level of access can act from an already-authenticated session whatever the second factor is, which is why the provenance check matters alongside MFA.
Don’t Miss
The provenance attestation check is the more structurally significant of the changes. Mandatory MFA closes the hijacked-account vector, but it does not stop an insider threat or an attacker who compromises the developer’s entire machine as Sapphire Sleet did with the Mastra maintainer. Provenance attestation creates a cryptographic link between a published package version and the specific CI/CD build that produced it, making it detectable when a package is published from a compromised developer machine rather than a verified build pipeline. If the Mastra packages had required provenance attestation, the versions published during the June 17 attack window from the compromised maintainer’s machine rather than from the standard build pipeline would have failed attestation checks before reaching consumers. The change does not eliminate all supply chain risk, but it closes the specific gap that Sapphire Sleet exploited in both the Mastra and Axios attacks.
CyberSip Take
npm is responsible for over two million packages and roughly 800 million weekly downloads. These changes, if enforced consistently, address two of the three major vectors this brief has documented in npm supply chain attacks this year: the hijacked account, and the unverified build source. The third, the stale account with publish rights that nobody revoked, is partly addressed by MFA enforcement and partly requires a culture change in how open source projects manage contributor access. The announcement is a meaningful improvement. Whether the enforcement is consistent and complete is the question to watch over July.
What is changing

GitHub and npm announced today that a security overhaul for the npm registry will begin rolling out in July 2026. The changes were developed in response to a series of supply chain attacks against the npm ecosystem, including the Mastra framework compromise attributed to North Korean Sapphire Sleet in Issue 66 and the earlier Axios attack in April.

The first change is mandatory two-factor authentication for any npm account that holds publish access to a package. The requirement will be enforced at publish time, meaning an account without a registered second factor will be unable to publish package versions regardless of whether the package previously had no MFA requirement. npm will support hardware security keys, passkeys, and time-based one-time password authenticators. SMS-based verification will not satisfy the requirement given documented SIM-swapping risks.

The second change is automated provenance attestation verification for packages classified as high-impact based on download volume and dependency depth. Provenance attestation is a mechanism introduced by GitHub Actions and Sigstore that cryptographically links a specific package version to the exact build pipeline run that produced it. When a package is published with a provenance attestation, consumers and the registry can verify that the package was built by a known, trusted CI/CD workflow rather than published directly from an arbitrary machine. Packages that cannot produce attestations for new versions will be flagged in the registry interface.

The third change is enhanced account takeover detection using behavioral signals including publishing location, timing, and package content changes that deviate from a maintainer’s historical patterns.

Recommended actions
Derived from Cybernews reporting on the npm July security overhaul, July 1, 2026.
Still watching
Aging items · days 2–4
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
libssh2 CVE-2026-55200 CVSS 9.2 (Issue 75). Public PoC released, no official patched release yet. Apply a build containing commit 97acf3d. Restrict outbound SSH to trusted servers. Embedded in curl, Git, PHP, and appliances. Day 2
Amazon Q Developer CVE-2026-12957 (Issue 74). MCP auto-execution patched in Language Servers for AWS 1.69.0. Reload IDE to confirm update. Same class of flaw confirmed across Claude Code, Cursor, and Windsurf. Day 3
Cross-source standouts
01
Oracle enterprise software is now a documented high-priority target class for three separate threat actor groups
Cl0p exploited Oracle EBS CVE-2025-61882. ShinyHunters exploited Oracle PeopleSoft CVE-2026-35273, confirming Nissan as a victim. An unattributed but sophisticated actor exploited Oracle Payments CVE-2026-46817 before a public PoC existed. Three separate critical Oracle enterprise application vulnerabilities, three separate exploitation campaigns, all within approximately eight months. Oracle ERP, HR, payroll, and financial platforms hold the kind of data that directly enables ransomware monetization, extortion, and nation-state intelligence collection. The pattern is too consistent to treat as coincidence. Organizations running Oracle enterprise applications should apply CSPUs the week they ship rather than the week of the next scheduled maintenance window, and should treat any internet-exposed Oracle web interface as requiring active justification rather than passive tolerance.
02
npm’s July overhaul closes the attack vectors Sapphire Sleet used twice in the same quarter
The Axios attack in April. The Mastra attack in June. Both Sapphire Sleet. Both exploiting a hijacked maintainer account with no second factor and no provenance check on the published packages. Both delivering cryptocurrency-targeting malware to millions of downloads. The npm July overhaul with mandatory MFA and provenance attestation addresses both of those specific gaps. The fix arrives roughly ten weeks after the first confirmed attack. That timeline, from a confirmed supply chain incident on a major package to registry-level enforcement of the controls that would have prevented it, is the operational window that adversaries exploited twice. Whether npm can enforce these controls consistently at scale, and whether the controls hold against more sophisticated techniques like the device-level compromise Sapphire Sleet used against the Mastra maintainer, is the next question. The controls are necessary. They are not sufficient on their own.
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.

CyberSip aggregates cybersecurity information from publicly available sources for informational purposes only. CyberSip does not provide legal, technical, incident response, or compliance advice, and makes no guarantee regarding completeness, accuracy, or timeliness. Organizations should validate all findings within their own environments and consult qualified professionals as appropriate. Original advisories, remediation guidance, and technical details remain with the referenced source organizations. Items remain active for no more than 7 days from publication unless materially updated.