Oracle E-Business CVE-2026-46817 Under Active Attack—CVSS 9.8
Critical authentication bypass in Oracle Payments (CVE-2026-46817) is being actively exploited. Over 900 vulnerable instances exposed online, with attackers achieving system takeover via unauthenticated HTTP requests.
Attackers are actively exploiting a critical vulnerability in Oracle E-Business Suite that lets unauthenticated remote attackers fully compromise vulnerable systems. CVE-2026-46817 carries a CVSS score of 9.8 and affects the Oracle Payments module across versions 12.2.3 through 12.2.15.
The Vulnerability
The flaw exists in the File Transmission component of Oracle Payments. According to NVD documentation, it involves improper privilege management and authentication controls that allow an unauthenticated attacker with network access via HTTP to take over vulnerable systems through low-complexity attacks.
No user interaction required. No authentication needed. Just a crafted HTTP request to a vulnerable instance.
Oracle addressed the vulnerability in its May 2026 Critical Patch Update, but exploitation began before many organizations completed patching.
Active Exploitation Confirmed
Threat intelligence firm Defused Cyber detected active exploitation on honeypots over the weekend of late June. Their researchers noted this was the first observed exploitation despite no public proof-of-concept code existing at the time.
"Over the weekend, we observed an actor exploiting the vulnerability on our Oracle E-Business honeypots," Defused Cyber reported. "This vulnerability has no known previous exploitation and no public PoC code exists."
The attacks appear opportunistic rather than targeted, suggesting threat actors are scanning for and exploiting any accessible vulnerable instance.
Exposure Scale
Shadowserver scans found approximately 950 potentially vulnerable Oracle E-Business Suite instances exposed to the internet, with more than half of those deployments located in the United States.
Oracle EBS is widely deployed in large enterprises for financial operations, human resources, and supply chain management. The Payments module specifically handles sensitive financial transactions, making compromise particularly damaging.
Historical Context
Oracle EBS vulnerabilities have been high-value targets for years. The SimpleHelp CVE-2026-48558 supply chain attack we covered showed how attackers chain RMM tool access with enterprise application exploitation, and groups like ShinyHunters and Clop have historically targeted Oracle deployments for data theft and extortion.
Similar Oracle PeopleSoft vulnerabilities were exploited in the NAIC insurance data breach and contributed to the Nissan employee data exposure earlier this year. Enterprise application platforms remain consistently targeted because they aggregate sensitive data and often receive slower patch cycles than endpoint systems.
Immediate Actions
Organizations running Oracle E-Business Suite should:
- Verify patch status - Confirm the May 2026 Critical Patch Update is applied to all EBS instances
- Audit network exposure - EBS systems should not be directly internet-accessible
- Review access logs - Check for suspicious HTTP requests to Payments module endpoints
- Segment critical systems - Isolate financial application servers from general network traffic
If you cannot patch immediately, restricting network access to the Oracle Payments module reduces exposure but does not eliminate the risk from internal threats.
Detection Guidance
Monitor for anomalous HTTP requests targeting Oracle Payments endpoints, particularly from external IP addresses or unusual internal hosts. The exploitation requires no authentication, so look for unauthenticated access attempts that would normally be rejected.
Why This Matters
Financial application compromise enables direct fraud, data theft, and business disruption. Attackers gaining system-level access to Oracle Payments can manipulate transactions, exfiltrate financial records, or pivot to connected systems.
The combination of critical severity, active exploitation, no authentication requirements, and broad enterprise deployment makes this vulnerability particularly dangerous. Organizations that haven't applied the May 2026 patch should treat this as an emergency.
Related Articles
Quest KACE SMA CVSS 10.0 Flaw Exploited in the Wild
Attackers exploiting CVE-2025-32975 authentication bypass in Quest KACE to hijack admin accounts and deploy credential harvesters. Patched in May 2025—many remain exposed.
Mar 24, 2026SmarterMail Auth Bypass Lets Attackers Reset Admin Passwords
CVE-2026-23760 enables unauthenticated admin takeover in SmarterMail. Exploitation began two days after patch release.
Jan 27, 202611-Year-Old Telnet Bug Hands Attackers Root Access
CVE-2026-24061 allows remote authentication bypass in GNU InetUtils telnetd. Exploitation activity detected within hours of disclosure.
Jan 24, 2026CISA Confirms Ubiquiti UniFi OS Flaws Now Exploited in Attacks
CISA adds three maximum-severity Ubiquiti UniFi OS vulnerabilities to KEV catalog after confirming active exploitation. Federal agencies have until June 26 to patch under BOD 26-04.
Jun 24, 2026