Hackers Exploit Critical Oracle E-Business Suite Vulnerability in Active Attacks

Attackers are exploiting a critical Oracle E-Business Suite vulnerability tracked as CVE-2026-46817, according to new threat intelligence from Defused. The flaw affects Oracle Payments and can let an unauthenticated attacker compromise the component over HTTP.

Oracle patched the vulnerability in its May 2026 Critical Security Patch Update, released on May 28, 2026. Organizations that delayed patching should now treat exposed Oracle E-Business Suite systems as urgent remediation targets.

The NVD entry for CVE-2026-46817 gives the flaw a CVSS 3.1 score of 9.8 and says affected versions include Oracle E-Business Suite 12.2.3 through 12.2.15.

What CVE-2026-46817 affects

CVE-2026-46817 sits in the Oracle Payments product within Oracle E-Business Suite. Oracle identifies the affected component as File Transmission.

The vulnerability requires no authentication, has low attack complexity, and needs only network access over HTTP. Successful exploitation can affect confidentiality, integrity, and availability within Oracle Payments.

Oracle’s text version of the May risk matrix says successful attacks can result in takeover of Oracle Payments. That makes the bug especially serious for organizations that use Oracle EBS for finance, procurement, payroll, and business operations.

Item	Details
CVE	CVE-2026-46817
Product	Oracle E-Business Suite
Affected component	Oracle Payments, File Transmission
Affected versions	12.2.3 through 12.2.15
Severity	Critical, CVSS 9.8
Authentication required	No

Active exploitation began after Oracle’s patch

Defused said it observed the first exploitation of CVE-2026-46817 on Oracle E-Business Suite decoys on June 27. The Defused report describes the activity as the first in-the-wild exploitation it had recorded for this vulnerability.

The observed activity involved file-pull attempts against an Oracle EBS endpoint associated with payment file transmission. Defused said the tooling identified itself with a user-agent string tied to the exploit attempt.

BleepingComputer reported that Oracle had not yet marked the flaw as exploited in the wild at the time of its coverage. The BleepingComputer report also said there was no public proof-of-concept code known when Defused disclosed the observed attacks.

Why exposed Oracle EBS systems are at risk

Oracle E-Business Suite often handles sensitive financial and operational workflows. A weakness in Oracle Payments can therefore create serious exposure for payment data, internal transactions, supplier records, and connected business processes.

The risk increases when Oracle EBS interfaces are reachable from the public internet. Internet-facing applications give attackers a direct path to test patched vulnerabilities against organizations that have not completed updates.

Security teams should not assume that authentication controls elsewhere in the environment will protect this flaw. The NVD record says the vulnerability is remotely exploitable without user credentials.

What defenders should look for

Defenders should review web, proxy, WAF, and application logs for suspicious requests to Oracle EBS payment-related paths. They should pay special attention to unusual POST requests and requests that attempt to retrieve local files.

The Defused exploitation timeline points to file-pull behavior and a tool identifier seen during the first observed activity. Those details can help defenders create temporary hunting rules while patching continues.

Organizations should treat any hit on exposed Oracle EBS endpoints as a reason for deeper review, especially if the system remained unpatched after May 28, 2026.

• Check for unusual POST requests to Oracle EBS payment transmission paths.
• Review requests containing file-read indicators or unexpected XML payloads.
• Search for suspicious user-agent strings linked to exploit tooling.
• Investigate traffic from unfamiliar hosting providers or recently observed attacker infrastructure.
• Review access logs from June 27, 2026 onward, with priority on internet-facing systems.

Patch status and Oracle guidance

Oracle fixed CVE-2026-46817 in the May 2026 update. The Oracle advisory says the May release included 12 new security patches for Oracle E-Business Suite, with three vulnerabilities remotely exploitable without authentication.

Oracle also recommends applying the relevant database and middleware security updates used by Oracle E-Business Suite environments. That matters because EBS deployments often depend on several Oracle components, not just the application layer.

The Oracle risk matrix lists CVE-2026-46817 alongside other Oracle E-Business Suite issues affecting products such as Oracle Internet Procurement Connector, Oracle Payroll, Oracle Universal Work Queue, and Oracle Financials Common Modules.

Exposure data adds pressure to remediate

Public exposure remains a concern. Security reporting based on Shadowserver data indicates that more than 450 Oracle EBS instances were visible online, although the patch status of those systems was not clear.

The same BleepingComputer coverage said nearly 200 exposed Oracle EBS instances were tracked in the United States and Europe. Any exposed instance should be checked immediately for patch level and suspicious activity.

Organizations should also verify that test, disaster recovery, and legacy EBS systems have been patched. Attackers often find forgotten systems before internal teams do.

Priority	Action	Reason
Immediate	Apply the May 2026 Oracle EBS security patches.	The vulnerability is critical and exploitation has been observed.
Immediate	Restrict public access to Oracle EBS interfaces.	Unauthenticated network access increases exploitability.
High	Review logs for suspicious Oracle Payments file transmission requests.	Observed attacks used payment transmission paths.
High	Audit WAF, proxy, and firewall logs from June 27 onward.	This matches the first reported exploitation window.
Medium	Assess related Oracle EBS, database, and middleware patch levels.	EBS environments depend on multiple Oracle components.

How organizations should respond

The first step is to inventory every Oracle E-Business Suite deployment, including externally exposed portals, staging systems, and partner-facing environments. Administrators should confirm the exact EBS version and patch level for each instance.

If patching cannot happen immediately, organizations should reduce exposure by limiting access to trusted IP ranges, placing affected systems behind VPN or zero-trust controls, and blocking unnecessary public access to Oracle EBS paths.

Security teams should also run a compromise assessment if an affected system remained exposed after June 27. This review should include web logs, operating system logs, EBS application logs, WAF events, file access traces, and any suspicious outbound connections.

Why this Oracle EBS flaw deserves urgent attention

CVE-2026-46817 combines the factors defenders worry about most: critical severity, no authentication requirement, low attack complexity, enterprise financial software, and now observed exploitation.

The absence of a public proof-of-concept does not reduce the risk. It can mean the activity came from a private exploit, which often gives attackers a head start against organizations waiting for broader public discussion.

For Oracle E-Business Suite customers, the safest assumption is that exposed and unpatched systems may attract further testing. Patch first, reduce internet exposure, and investigate any suspicious activity against Oracle Payments endpoints.

FAQ