Oracle Payments CVE-2026-46818 - ERP Owner Routing Moves to the Front
Finding 1: Oracle Payments CVE-2026-46818 enters the ERP owner assignment queue
Confidence: Medium
Oracle Payments in Oracle E-Business Suite 12.2.3 through 12.2.15 is the lead item in today's intelligence. NVD describes CVE-2026-46818 as an unauthenticated network-access issue over HTTPS affecting the File Transmission component, with confidentiality and integrity impacts in Oracle Payments.
The practical risk is ownership delay. Finance and ERP applications are often patched by application teams, not infrastructure teams, so this item needs a named Oracle E-Business Suite owner rather than a generic vulnerability ticket.
Action: Confirm whether Oracle Payments is deployed, whether it is internet-adjacent, and whether the April 2026 Oracle CPU guidance has been applied.
Sources: NVD CVE-2026-46818 and Oracle Critical Patch Update, April 2026.
Finding 2: IBM Aspera, RabbitMQ, and go-git need owner mapping before severity escalation
Confidence: Low
IBM Aspera HSTE/HSTS 3.7.4 through 4.4.7 Fix Pack 1 is in scope for CVE-2026-8179 and CVE-2026-8180. The immediate task is to find Aspera services, especially internet-reachable asperahttpd exposure, and patch according to IBM's PSIRT notice.
RabbitMQ CVE-2026-44838 affects MQTT-enabled deployments in versions 4.2.0 through 4.2.3, with RabbitMQ 4.2.4 listed as the fixed line in the collected advisory. go-git CVE-2026-45022 belongs with developer-platform and release-engineering owners because the affected library can sit inside tooling that makes trust, policy, or signature-verification decisions.
Action: Split the queue. Send Aspera to managed file transfer owners, RabbitMQ MQTT to broker owners, and go-git to application security, platform engineering, and release tooling owners.
Sources: NVD CVE-2026-8179, NVD CVE-2026-8180, IBM PSIRT, NVD CVE-2026-44838, RabbitMQ GHSA-x866-xp2g-cx8v, NVD CVE-2026-45022, and go-git GHSA-389r-gv7p-r3rp.
Finding 3: radare2-mcp, SmarterMail, and Zabbix add local tooling, mail, and monitoring checks
Confidence: Low
radare2-mcp CVE-2026-6942 affects radare2-mcp 1.6.0 and earlier. The reason it matters is workflow placement: MCP tooling can run on analyst, developer, reversing, or CI systems where command injection may cross from a tooling issue into local compromise.
SmarterMail CVE-2026-7807 affects SmarterTools SmarterMail builds before 9560, according to NVD. Zabbix CVE-2026-23925 needs a permission review for roles with template or host write access, because monitoring platforms often have broad visibility across production environments.
Action: Inventory radare2-mcp use, confirm SmarterMail build levels, and audit Zabbix roles with template or host write permissions before patching is treated as routine maintenance.
Sources: NVD CVE-2026-6942, NVD CVE-2026-7807, and NVD CVE-2026-23925.
Update: Cisco SD-WAN, SolarWinds Serv-U, Everest Forms Pro, and ASUS Business Manager stay in exposure-review mode
Confidence: Low
Previously covered 06 June 2026; today's delta: these items remain active owner checks, but the current intelligence still keeps the claims narrow and low-confidence where vendor or government mapping is incomplete.
Cisco SD-WAN remains a no-CVE exposure-review item in the collected reporting. SolarWinds Serv-U reporting points to exploitation of a recently patched flaw to crash servers, but the right next step is patch-channel verification. Everest Forms Pro CVE-2026-3300 remains a WordPress estate check, and ASUS Business Manager Service CVE-2026-7480 / ZDI-26-328 belongs with endpoint owners.
Action: Check exposed SD-WAN management/control-plane assets, verify SolarWinds Serv-U patch status through official channels, identify Everest Forms Pro installations, and inventory ASUS Business Manager Service on managed endpoints.
Sources: The Register, BleepingComputer, The Hacker News, and Zero Day Initiative ZDI-26-328.
Update: Mandiant law-firm targeting and Chinese APT reporting need detection work, not overstatement
Confidence: Low
Previously covered 06 June 2026; today's delta: the legal-sector and Chinese APT items remain material, but both need careful wording and detection preparation before wider amplification.
Mandiant's law-firm targeting report should feed a legal-sector watch pack built from its indicators and TTPs. The Chinese APT persistence-malware report should feed identity-persistence and lateral-access telemetry reviews. The collected intelligence does not support adding new victim-scope claims beyond the cited reports.
Action: Extract indicators, TTPs, and detection hypotheses into sector-specific watch packs. Keep attribution and scope language tied to the named sources.
Sources: Google Cloud/Mandiant and BleepingComputer.
Finding 6: IronWorm/Miasma and Hola Browser keep supply-chain and endpoint hygiene in scope
Confidence: Medium
IronWorm/Miasma remains one consolidated supply-chain cluster. The current intelligence ties together npm poisoned-package reporting, a Miasma variant, and Microsoft GitHub repository reporting, but the action still depends on local evidence of package installation, cache hits, repository interaction, or token exposure.
Hola Browser for Windows is a separate endpoint supply-chain hygiene item. BleepingComputer reports a compromised distribution or update path delivering a cryptominer, so teams should inventory endpoints, remove unapproved installs, and validate any exceptions by source and hash.
Action: Scan lockfiles, npm caches, developer endpoints, and CI logs for IronWorm/Miasma indicators as package lists are validated. Rotate tokens only where installation or exposure evidence exists, and remove unapproved Hola Browser installs.
Sources: BleepingComputer and The Hacker News.
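The lockfile part of that search can be scripted. The sketch below is an added example, not code from any of the cited reports: it walks a package-lock.json (v1, v2, or v3) and reports entries that match an indicator list. The package names and versions in INDICATORS and the sample lockfile are constructed placeholders, since this briefing lists no package names.

```python
import json

# Constructed placeholder indicators: replace with the validated
# IronWorm/Miasma package list. "*" means any version of that package.
INDICATORS = {
    "placeholder-poisoned-pkg": {"1.4.2"},
    "@placeholder-scope/helper": {"*"},
}

def iter_locked_packages(lock):
    """Yield (name, version, install path) for every entry in a package-lock.json."""
    # lockfileVersion 2/3: flat "packages" map keyed by install path.
    # An aliased install keeps its real name in "name"; otherwise the name
    # is whatever follows the last "node_modules/" in the path.
    for path, meta in lock.get("packages", {}).items():
        if path:  # "" is the root project, not a dependency
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version", ""), path
    # lockfileVersion 1: nested "dependencies" tree, walked iteratively.
    if "packages" not in lock:
        stack = [("", lock.get("dependencies", {}))]
        while stack:
            prefix, deps = stack.pop()
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                yield name, meta.get("version", ""), path
                stack.append((path + "/", meta.get("dependencies", {})))

def find_hits(lock_text, indicators=INDICATORS):
    """Return sorted (name, version, path) tuples that match the indicator list."""
    hits = []
    for name, version, path in iter_locked_packages(json.loads(lock_text)):
        bad = indicators.get(name)
        if bad and ("*" in bad or version in bad):
            hits.append((name, version, path))
    return sorted(hits)

# Constructed sample (v3): one transitive hit, one aliased hit, one clean version.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3, "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-lib": {"version": "2.0.0"},
        "node_modules/left-lib/node_modules/placeholder-poisoned-pkg": {"version": "1.4.2"},
        "node_modules/placeholder-poisoned-pkg": {"version": "1.4.1"},
        "node_modules/helper-alias": {"name": "@placeholder-scope/helper", "version": "0.3.0"},
    },
})

if __name__ == "__main__":
    for name, version, path in find_hits(SAMPLE_LOCK):
        print(f"HIT {name}@{version} at {path}")
```

A hit here is installation evidence for one repository only; npm caches, developer endpoints, and CI logs still need their own checks before token rotation is scoped.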
Why This Matters
Today's intelligence is about getting the right ticket to the right owner. ERP, managed file transfer, brokers, developer libraries, MCP tooling, mail, monitoring, endpoint software, and npm/GitHub supply-chain exposure do not share the same remediation path.
The safest posture is to avoid severity inflation. Treat Oracle Payments as the lead because it has a clear enterprise-owner gap. Treat the lower-confidence items as fast exposure checks, and turn the supply-chain items into evidence-led searches before declaring incident scope.
Recommended Actions
- P1: Route Oracle Payments CVE-2026-46818 to Oracle E-Business Suite owners with April 2026 CPU context.
- P1: Assign IBM Aspera, RabbitMQ MQTT, and go-git checks to managed file transfer, broker, and developer-platform owners.
- P1: Inventory radare2-mcp, SmarterMail, and Zabbix exposure or permission scope, then patch affected versions.
- P1: Continue IronWorm/Miasma searches across lockfiles, caches, developer endpoints, CI logs, and repository interactions.
- P2: Keep Cisco SD-WAN, SolarWinds Serv-U, Everest Forms Pro, and ASUS Business Manager Service in exposure-review mode until official mapping or fixed-version evidence is confirmed.
- P2: Build legal-sector and Chinese APT detection watch packs from the cited reports without expanding victim-scope claims.
All findings grounded in a13e intelligence sweeps through 04:55 UTC 07 June 2026.