CISA Warns of Actively Exploited Oracle E-Business Suite Flaw
CISA has ordered federal agencies to address a critical Oracle E-Business Suite vulnerability that attackers are actively exploiting. The flaw, tracked as CVE-2026-46817, allows an unauthenticated remote attacker to take over the Oracle Payments component.
The agency added the vulnerability to its Known Exploited Vulnerabilities catalog on July 15, 2026. Its KEV update confirms that CISA has evidence of exploitation in real-world attacks.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Federal Civilian Executive Branch agencies must complete the required action by July 18, giving them only three days from the catalog addition. Other organizations using affected Oracle E-Business Suite versions should also prioritize patching and compromise assessment.
What is CVE-2026-46817?
CVE-2026-46817 is an improper privilege management vulnerability in the File Transmission component of Oracle Payments. Oracle Payments forms part of Oracle E-Business Suite and supports payment-processing workflows.
The vulnerability affects Oracle E-Business Suite releases 12.2.3 through 12.2.15. Oracle disclosed and patched the flaw in its May 2026 Critical Security Patch Update.
An attacker needs HTTP network access to the affected component but does not require authentication, privileges or user interaction. Oracle describes the vulnerability as easily exploitable.
| Vulnerability detail | Information |
|---|---|
| CVE | CVE-2026-46817 |
| Affected product | Oracle Payments in Oracle E-Business Suite |
| Component | File Transmission |
| Affected releases | 12.2.3 through 12.2.15 |
| Attack protocol | HTTP |
| Authentication required | No |
| User interaction required | No |
| CVSS score | 9.8, Critical |
| Maximum documented impact | Takeover of Oracle Payments |
Why the Oracle vulnerability is critical
The NVD entry for CVE-2026-46817 lists a CVSS 3.1 score of 9.8. The score reflects network-based exploitation with low complexity and no authentication requirement.
Successful exploitation can have a high impact on confidentiality, integrity and availability. The affected service handles payment-related functions, which may increase the business consequences of unauthorized access.
| CVSS metric | Value | Meaning |
|---|---|---|
| Attack vector | Network | The attacker can target the service remotely |
| Attack complexity | Low | Exploitation does not require complex conditions |
| Privileges required | None | The attacker does not need an Oracle account |
| User interaction | None | No employee action is needed for exploitation |
| Confidentiality impact | High | The attacker could access protected information |
| Integrity impact | High | The attacker could make unauthorized changes |
| Availability impact | High | The attack could disrupt the affected service |
The official impact statement covers the Oracle Payments component rather than automatically establishing a takeover of the entire Oracle E-Business Suite environment. However, a compromised payment service could provide access to sensitive workflows and data.
CISA confirms active exploitation
Inclusion in the KEV catalog means CISA has sufficient evidence that attackers have exploited CVE-2026-46817 outside controlled testing. The catalog does not require CISA to publish technical details about the attacks.
Neither CISA nor Oracle has publicly described the exploitation chain, affected organizations or attacker identities in the cited advisories. The official material also does not state how long exploitation has been occurring.
CISA has not connected CVE-2026-46817 to a known ransomware campaign. An unknown ransomware status does not reduce the urgency because attackers are already exploiting the vulnerability.
Federal agencies face a July 18 deadline
The CISA active-exploitation warning gives federal civilian agencies until July 18, 2026, to complete the required remediation.
CISA normally uses the KEV catalog to establish mandatory deadlines under Binding Operational Directive requirements. This entry also references BOD 26-04, titled โPrioritizing Security Updates Based on Risk.โ
The required action instructs agencies to apply mitigations according to Oracleโs guidance, follow CISAโs forensic triage requirements and evaluate each assetโs internet exposure. Agencies must follow the applicable BOD 26-04 guidance for cloud services or discontinue the product if effective mitigations are unavailable.
| Timeline | Event |
|---|---|
| May 28, 2026 | Oracle publishes its May Critical Security Patch Update |
| July 15, 2026 | CISA adds CVE-2026-46817 to the KEV catalog |
| July 18, 2026 | Federal remediation deadline |
Which Oracle E-Business Suite systems are affected?
The affected range covers Oracle E-Business Suite versions 12.2.3 through 12.2.15 when the Oracle Payments File Transmission component is present.
Organizations should inventory their Oracle E-Business Suite environments and determine whether Oracle Payments is installed and enabled. Administrators should also identify every system that exposes the relevant HTTP service.
Internet-facing systems require the fastest response, but internal services should not be treated as safe by default. An attacker who has already entered a corporate network may be able to reach an internally accessible Oracle Payments deployment.
- Oracle E-Business Suite release number
- Presence of the Oracle Payments component
- Use of the File Transmission functionality
- Installed May 2026 security patches
- Internet-facing HTTP endpoints
- Internal network access paths
- Cloud-hosted and third-party-managed instances
How to patch CVE-2026-46817
Administrators should obtain the appropriate Oracle E-Business Suite patches and installation instructions through Oracle support. Patch selection may depend on the exact release and components installed in the environment.
The Oracle May 2026 security advisory directs E-Business Suite customers to the Oracle E-Business Suite Release 12 Critical Security Patch Update Knowledge Document for patch information.
Oracle also recommends applying the May security updates for the Oracle Database and Oracle Fusion Middleware components used by E-Business Suite. Those products have separate vulnerability matrices and patch requirements.
- Identify every Oracle E-Business Suite deployment.
- Confirm whether its release falls between 12.2.3 and 12.2.15.
- Check whether Oracle Payments and File Transmission are enabled.
- Review the environment for direct and indirect HTTP exposure.
- Obtain the applicable patches from Oracle support.
- Perform CISA-required forensic triage before remediation.
- Apply the patches and complete Oracleโs post-installation steps.
- Verify the installed patch level.
- Repeat compromise assessment after remediation.
Do not treat patching as the end of the investigation
Because CISA has confirmed active exploitation, organizations should determine whether attackers reached affected systems before the patch was installed. Updating the software closes the known vulnerability but does not remove an attacker who already established access.
The government vulnerability record specifically includes forensic triage in the required action. Federal agencies must complete that assessment as part of their response.
Security teams should preserve relevant logs before making changes. They should review web-server, reverse-proxy, application and authentication records covering the period before remediation.
- Unexpected HTTP requests to Oracle Payments endpoints
- Requests from unfamiliar IP addresses or user agents
- Unexplained changes to payment or transmission settings
- New or modified accounts and permissions
- Unexpected administrative actions
- Unusual file changes or scheduled tasks
- Outbound connections from the Oracle server
- Activity that occurred without a corresponding administrator ticket
Reduce exposure while preparing the patch
If immediate patching is impossible, organizations should restrict network access to the affected HTTP service according to Oracleโs guidance. Only trusted administrative systems and necessary applications should reach the Oracle Payments interface.
Removing public exposure can reduce risk but does not replace the security update. Organizations should also consider whether compromised internal accounts or systems can still reach the vulnerable endpoint.
CISAโs required action states that agencies should discontinue the affected product if mitigations are unavailable. Non-federal organizations should make a similar risk-based decision when they cannot patch or adequately isolate the service.
Why organizations should act immediately
CVE-2026-46817 combines a critical 9.8 rating with confirmed active exploitation. Attackers do not need credentials, existing privileges or interaction from a victim.
The three-day federal deadline reflects the risk posed by exposed Oracle Payments systems. Enterprises should not wait for public exploit code or detailed attack reports before applying Oracleโs fixes.
Organizations that find evidence of exploitation should activate their incident response process, preserve forensic evidence and investigate connected systems. The response should cover both the vulnerable Oracle service and any systems or credentials accessible from it.
FAQ
CVE-2026-46817 is a critical vulnerability in the File Transmission component of Oracle Payments. It allows an unauthenticated attacker with HTTP network access to take over Oracle Payments.
The vulnerability affects supported Oracle E-Business Suite versions 12.2.3 through 12.2.15 when the vulnerable Oracle Payments component is present.
Yes. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog after finding evidence of active exploitation.
Federal Civilian Executive Branch agencies must complete the required remediation by July 18, 2026. CISA also urges other organizations to address KEV vulnerabilities quickly.
Organizations should patch immediately, but they should also perform forensic triage because attackers may have exploited the vulnerability before remediation. Patching does not remove access that an attacker already established.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages