Oracle

This rule detects unusual child process executions originating from web server processes on Linux systems, which attackers may use to maintain persistence on a compromised system by exploiting web server vulnerabilities.

The CIFSwitch vulnerability in the Linux kernel allows an unprivileged user to forge CIFS authentication key descriptions, abuse the kernel's key request mechanism, and gain root privileges by loading a malicious NSS module.

CVE-2026-46837 is a SQL injection vulnerability in Oracle Flow Manufacturing within Oracle E-Business Suite versions 12.2.9 through 12.2.15, allowing a low-privileged attacker with network access to potentially take over the application.

CVE-2026-46835 is an easily exploitable vulnerability in Oracle Database Server's Net Service component, affecting versions 23.4.0 to 23.26.2, allowing an unauthenticated attacker with network access via TLS to cause a complete denial-of-service (DoS).

CVE-2026-46834 is a vulnerability in the Net Service component of Oracle Database Server versions 23.4.0 to 23.26.2 that allows an unauthenticated attacker with network access via TLS to cause a denial-of-service (DoS) condition.

An unauthenticated attacker with network access via HTTPS can exploit CVE-2026-46829 in Oracle REST Data Services versions 24.2.0 through 26.1.0, leading to a denial of service.

CVE-2026-46828 is an easily exploitable vulnerability in Oracle Payroll versions 12.2.3-12.2.15, allowing a low-privileged attacker with network access via HTTP to perform unauthorized creation, deletion, or modification of critical payroll data, as well as gain unauthorized access to sensitive information.

CVE-2026-46827 allows a low-privileged attacker with network access via HTTP to compromise Oracle Payroll versions 12.2.3 through 12.2.15, leading to a potential system takeover.

CVE-2026-46826 is a vulnerability in Oracle Payroll within Oracle E-Business Suite, where a low-privileged attacker can achieve a system takeover via network access over HTTPS.

CVE-2026-46823 is an easily exploitable vulnerability in Oracle Public Sector Financials (International) versions 12.2.6-12.2.15, allowing a low privileged attacker with network access via HTTPS to gain unauthorized access to critical data or complete access to all accessible data, potentially impacting additional products.

CVE-2026-46821 is an easily exploitable vulnerability in Oracle Financials Common Modules of Oracle E-Business Suite versions 12.2.3-12.2.15, allowing a low-privileged attacker with network access via HTTP to gain unauthorized access to critical data.

CVE-2026-46820 is a vulnerability in Oracle Financials Common Modules within Oracle E-Business Suite versions 12.2.3-12.2.15, allowing a low-privileged attacker with network access via HTTP to gain unauthorized access to critical data and modify some data, resulting in a confidentiality and integrity impact.

CVE-2026-46818 is a vulnerability in Oracle Payments within Oracle E-Business Suite (versions 12.2.3-12.2.15) that allows an unauthenticated attacker with network access via HTTPS to compromise the system, leading to unauthorized data access and modification.

CVE-2026-35277 is a vulnerability in Oracle REST Data Services (Core) versions 24.2.0 to 26.1.0 that allows a low-privileged attacker with network access via HTTPS to compromise the system, leading to unauthorized data access, creation, deletion, or modification.

A vulnerability exists in Oracle REST Data Services versions 24.2.0 to 26.1.0, where a low-privileged attacker with network access via HTTPS can, with human interaction, gain unauthorized data access, modification, and cause a partial denial of service.

CVE-2026-46840 is a critical vulnerability in Oracle REST Data Services (ORDS) that allows an unauthenticated attacker with network access to achieve complete takeover of the service, potentially impacting additional products due to scope change.

CVE-2026-46839 is an easily exploitable vulnerability in Oracle REST Data Services versions 24.2.0 through 26.1.0, allowing a low-privileged attacker with network access via HTTPS to compromise the service, potentially impacting other products and leading to a complete takeover.

CVE-2026-46833 allows an unauthenticated attacker with network access via TLS to compromise the Net Service component of Oracle Database Server versions 23.4.0 through 23.26.2, potentially leading to takeover of the Net Service and significant impact on other products.

CVE-2026-46824 allows a low-privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue versions 12.2.3-12.2.15, potentially leading to takeover and impact on additional products.

CVE-2026-46822 is a vulnerability in Oracle iAssets within Oracle E-Business Suite, affecting versions 12.2.3 through 12.2.15, allowing a low-privileged attacker with network access via HTTP to compromise the application, potentially impacting other products within the environment.

CVE-2026-46819 is a critical vulnerability in Oracle Internet Procurement Connector versions 12.2.3-12.2.15 that allows an unauthenticated attacker with network access via HTTP to compromise the system, leading to unauthorized data access, modification, or deletion.

CVE-2026-46817 is a critical vulnerability in Oracle Payments component of Oracle E-Business Suite versions 12.2.3 through 12.2.15, allowing an unauthenticated attacker with network access via HTTP to compromise the application and potentially achieve complete takeover.

CVE-2026-46775 is a critical vulnerability in Oracle REST Data Services (Core component) versions 24.2.0-26.1.0, allowing a low-privileged attacker with network access via HTTPS to achieve complete takeover of the service and potentially impact other products.

CVE-2026-34311 allows an unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services, potentially resulting in complete takeover of the application in versions 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6, and 5.6.28.

Cyber extortion is increasingly relying on data theft rather than ransomware encryption, with threat actors like Bling Libra and TGR-CRI-1135 leveraging techniques like vishing and software supply chain compromise, fueled by regulatory compliance pressures and the impending weaponization of frontier AI models.

A remote, anonymous, or authenticated attacker can exploit multiple vulnerabilities in Oracle MySQL to compromise confidentiality, integrity, and availability.

A public exploit, rwsploit, has been released targeting CVE-2012-3152 and CVE-2012-3153 in Oracle Reports Server versions below 11g, enabling unauthenticated file read, SSRF, and JSP shell upload.

Hackers injected credential-stealing malware into newly published versions of the node-ipc npm package in a supply chain attack, collecting cloud credentials, SSH keys, CI/CD secrets, and other sensitive data, exfiltrating it through DNS TXT queries.

A SQL injection vulnerability exists in the Oracle path of `FilterEngine.create_sqla_query` in Rucio, allowing any authenticated user to execute arbitrary SQL against the backend database via the DID search endpoint, potentially leading to full database compromise and data exfiltration.

A remote attacker, either anonymous or authenticated, can exploit multiple vulnerabilities in Oracle Java SE to compromise confidentiality, integrity, and availability.

An unauthenticated or authenticated remote attacker can exploit multiple vulnerabilities in Oracle Fusion Middleware to compromise confidentiality, integrity, and availability.

CVE-2026-35228 is a critical vulnerability in Oracle MCP Server Helper Tool versions 1.0.1 through 1.0.156, allowing unauthenticated remote attackers to execute arbitrary SQL commands.

This rule detects command-line activity indicative of credential access across multiple cloud platforms (GCP, Azure, AWS, GitHub, DigitalOcean, Oracle, Kubernetes), looking for specific commands used to print or access tokens and credentials, flagging hosts where multiple cloud targets are accessed within a five-minute window, suggesting potential credential harvesting activity.

Detects network connections to the standard Kerberos port from an unusual process other than lsass.exe, potentially indicating Kerberoasting or Pass-the-Ticket activity on Windows systems.

This rule identifies suspicious access attempts to the LSASS process, potentially indicating credential dumping attempts by filtering out legitimate processes and access patterns to focus on anomalies.