Oracle E-Business Suite Vuln. Gives Hackers "Untraceable Control" of Money Transfers

Security firm Onapsis says it has identified a series of critical vulnerabilities in Oracle’s E-Business Suite (EBS) that could allow attackers to gain “untraceable control” of electronic fund transfers and print bank checks without detection.

The attack chain exploits two key vulnerabilities, dubbed Oracle PAYDAY by the Boston-based cybersecurity firm. While Oracle has now patched the flaw, Onapsis says it estimates that half of Oracle’s ERP software customers have not deployed the patches: meaning over 10,000 companies are still at risk.

Many of these are only running the software on internal intranets, but Onapsis estimates that at least 1,500 EBS systems are connected directly to the internet. Without patching, the flaw can be exploited remotely by an unauthenticated attacker, who would gain complete access to the widely used ERP system.

The vulnerabilities target a API in the E-Business Suite (EBS) product — the Thin Client Framework (TCF) API provided by Oracle, so developers can build server-based applications — and score a critical 9.9 out of 10 on the CVSS scale.

With Oracle EBS including a Payments module that allows
companies to actually transfer money from bank accounts or generate payment checks, malicious takeover could be hugely damaging for victims.

Sign up for our weekly news round-up!

Sign up to the newsletter: In Brief

Sign up for our regular news round-up!

Sign up for our weekly news round-up!

Sign up to the newsletter: In Brief

I would also like to subscribe to:

Thank you for subscribing