Introduction
On July 15, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added two critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation in the wild. This update is binding for Federal Civilian Executive Branch (FCEB) agencies under Binding Operational Directive (BOD) 26-04, but the implications extend far beyond the federal government.
The addition of CVE-2026-46817 affecting Oracle E-Business Suite and CVE-2023-4346 targeting the KNX Protocol signals two distinct and dangerous attack surfaces: enterprise resource planning (ERP) systems and operational technology (OT) building automation. Given the confirmed active exploitation, security teams must treat these vulnerabilities as immediate emergency patching events to prevent data exfiltration, ransomware deployment, or physical disruption of facilities.
Technical Analysis
CVE-2026-46817: Oracle E-Business Suite Improper Privilege Management
This vulnerability impacts critical business logic within the Oracle E-Business Suite (EBS), a widely deployed ERP solution handling financials, supply chain, and HR data.
- Affected Component: Oracle E-Business Suite (specific versions currently under analysis by Oracle; patches released in July 2026 CPU).
- Vulnerability Type: Improper Privilege Management (CWE-269).
- Mechanism: The flaw allows a low-privilege authenticated user to interact with backend functions or APIs in an unintended manner. By manipulating specific HTTP requests to vulnerable EBS modules (often related to concurrent manager or admin workflows), an attacker can elevate their privileges to that of a system administrator.
- Exploitation Status: Confirmed Active Exploitation. CISA has observed threat actors leveraging this bug to establish persistence within ERP environments, likely facilitating financial fraud or data theft.
CVE-2023-4346: KNX Association KNX Protocol Connection Authorization
This vulnerability targets the KNX standard, the dominant protocol for building automation (HVAC, lighting, access control).
- Affected Component: KNX Protocol stacks utilizing "Connection Authorization Option 1."
- Vulnerability Type: Logic Error in Account Lockout (CWE-640).
- Mechanism: The implementation of the account lockout mechanism in Option 1 is flawed. While described as "overly restrictive," the security impact is a race condition or logic flaw that allows attackers to bypass the lockout entirely. This facilitates brute-force attacks against KNX gateways without triggering the intended security freezes, granting unauthorized access to building management systems.
- Exploitation Status: Confirmed Active Exploitation. This is a significant shift, indicating threat actors are actively targeting OT/IoT head-ends to pivot into corporate networks or disrupt physical environments.
Detection & Response
The following detection mechanisms are designed to identify active exploitation attempts against these specific vulnerabilities.
SIGMA Rules
---
title: Potential Oracle EBS Privilege Escalation - CVE-2026-46817
id: 8a2b3c4d-5e6f-7890-1234-5678abcdef90
status: experimental
description: Detects suspicious access patterns indicative of privilege management exploitation in Oracle E-Business Suite, focusing on admin module access by non-standard users.
references:
- https://www.cisa.gov/news-events/alerts/2026/07/15/cisa-adds-two-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/07/16
tags:
- attack.privilege_escalation
- attack.t1068
logsource:
category: web
product: apache
detection:
selection_uri:
cs-uri-query|contains:
- '/OA_HTML/AkFindShell.jsp'
- '/OA_HTML/OA.jsp?page='
selection_method:
cs-method: POST
selection_status:
sc-status: 200
filter_legit:
c-user|re: '^admin$|^sysadmin$'
condition: selection_uri and selection_method and selection_status and not filter_legit
falsepositives:
- Legitimate administrative testing by authorized personnel
level: high
---
title: KNX Protocol Brute Force or Anomaly - CVE-2023-4346
id: 1a2b3c4d-5e6f-7890-1234-5678abcdef91
status: experimental
description: Detects high-frequency or malformed KNX protocol traffic (UDP 3671) indicative of active exploitation attempts targeting the authorization lockout mechanism.
references:
- https://www.cisa.gov/news-events/alerts/2026/07/15/cisa-adds-two-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/07/16
tags:
- attack.initial_access
- attack.t1190
- attack.ics
logsource:
category: network_connection
product: zeek
detection:
selection_port:
destination_port: 3671
selection_protocol:
protocol: udp
selection_anomaly:
packets|gt: 100
timeframe: 1m
condition: selection_port and selection_protocol and selection_anomaly
falsepositives:
- Misconfigured KNX discovery tools
- Heavy legitimate automation traffic during reboots
level: high
KQL (Microsoft Sentinel / Defender)
// Hunt for Oracle EBS Privilege Escalation attempts (CVE-2026-46817)
// Look for HTTP 200 responses on admin pages from non-admin IPs
let AdminPages = dynamic(['/OA_HTML/AkFindShell.jsp', '/OA_HTML/OA.jsp', '/pls/oracle']);
Syslog
| where Facility in ('Web', 'HTTP') or ProcessName contains 'httpd'
| parse Message with * "cs-uri-query=" UriQuery " " *
| parse Message with * "sc-status=" Status " " *
| parse Message with * "c-user=" User " " *
| where UriQuery has_any (AdminPages)
| where Status == '200'
| where User !~ 'admin' and User !~ 'sysadmin'
| project TimeGenerated, Computer, User, UriQuery, Message
| top 100 by TimeGenerated desc
// Hunt for KNX Protocol Anomalies (CVE-2023-4346)
// Correlate high packet counts on KNX ports
DeviceNetworkEvents
| where RemotePort == 3671
| summarize Count = count() by DeviceName, RemoteIP, bin(TimeGenerated, 1m)
| where Count > 100
| project TimeGenerated, DeviceName, RemoteIP, Count
Velociraptor VQL
-- Hunt for KNX related processes or unusual network utilities on OT gateways
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Name =~ 'knx'
OR Name =~ 'eibd'
OR CommandLine =~ '3671'
OR Name =~ 'netcat' OR Name =~ 'nc'
-- Hunt for Oracle EBS configuration files indicating version (Linux)
SELECT FullPath, Mtime, Size
FROM glob(globs='/*/u01/*/APPLTOP/*/.profile*')
WHERE Mtime > ago(date("-7d"))
Remediation Script (Bash)
#!/bin/bash
# Remediation and Detection Script for CVE-2026-46817 (Oracle EBS)
# Check for known vulnerable patch levels (Simulated Check)
echo "Checking Oracle E-Business Suite Patch Levels..."
# Define the patch ID required per July 2026 CPU (Example ID: 35984231)
REQUIRED_PATCH="35984231"
APPL_TOP="/u01/oracle/product/ebs" # Adjust to your environment
if [ -d "$APPL_TOP" ]; then
echo "Found APPL_TOP at $APPL_TOP"
# Example check: Querying AD patches (Simplified for demo)
# In production, use $AD_TOP/bin/ADOP to validate patches
if opatch lsinventory | grep -q "$REQUIRED_PATCH"; then
echo "[PASS] Required patch $REQUIRED_PATCH is installed."
else
echo "[FAIL] Vulnerability CVE-2026-46817 likely present. Patch $REQUIRED_PATCH missing."
echo "ACTION REQUIRED: Apply July 2026 Critical Patch Update immediately."
fi
else
echo "Oracle EBS directory not found. Check environment variables."
fi
# Check for KNX Services (CVE-2023-4346)
echo "Checking for running KNX services..."
if systemctl list-units --type=service | grep -i knx; then
echo "[WARN] KNX services detected. Verify firewall rules block port 3671 from untrusted zones."
echo "ACTION REQUIRED: Update KNX Gateway Firmware to patch CVE-2023-4346."
else
echo "[INFO] No systemd KNX services found."
fi
Remediation
CVE-2026-46817 (Oracle E-Business Suite)
- Patch Immediately: Apply the security patches referenced in the Oracle Critical Patch Update (CPU) for July 2026. Oracle Security Alert advisory number should be verified in the Oracle Support Portal.
- Review Roles: Audit administrative accounts within the EBS
FND_USERtable. Ensure no unauthorized privilege elevations have occurred prior to patching. - Network Segmentation: Restrict access to
/OA_HTML/and/OA_cgi/directories strictly to management subnets. Do not expose EBS directly to the public internet.
CVE-2023-4346 (KNX Protocol)
- Firmware Update: Contact your KNX gateway/device vendor (e.g., Siemens, Schneider, ABB) for a firmware update that addresses the "Connection Authorization Option 1" logic flaw.
- Network Segmentation: Ensure KNXnet/IP (UDP/TCP 3671) traffic is isolated on a dedicated VLAN. It should never be routable from the general corporate IT network or the internet without a strict application-layer firewall (ALG) or a dedicated DMZ architecture.
- Disable Option 1: If the vendor allows configuration changes, disable "Connection Authorization Option 1
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.