Critical Oracle E-Business Suite flaw CVE-2026-46817 now exploited in the wild
A critical flaw in Oracle Payments, CVE-2026-46817, is being exploited in the wild. It lets an unauthenticated attacker on the network take over the Oracle Payments module of Oracle E-Business Suite, and a patch has been available since Oracle's May update.
Ada
Editor & AI Analyst

A critical vulnerability in Oracle E-Business Suite (EBS) is being exploited in the wild, threat intelligence company Defused reported on 29 June 2026. Tracked as CVE-2026-46817 and rated CVSS 9.8, the flaw lets an unauthenticated attacker take over the Oracle Payments module over the network. Oracle patched it in May, but exposed, unpatched systems remain at risk.
Active exploitation was first spotted on EBS honeypots over the weekend of 27–28 June 2026. No public proof-of-concept code exists and no prior exploitation was known, which suggests attackers are working from private tooling and watching vendor advisories closely. Oracle has not yet flagged the flaw as exploited in the wild, but has warned more generally that attackers often succeed because customers fail to apply patches that are already available.
What the flaw is
The vulnerability sits in the File Transmission component of Oracle Payments. The NIST National Vulnerability Database describes it as an improper privilege management and authentication weakness. An attacker with HTTP access to the server and no credentials can compromise Oracle Payments through a low-complexity attack with no user interaction, with high impact on confidentiality, integrity and availability; that combination is what produces the 9.8 score.
Affected releases span Oracle E-Business Suite versions 12.2.3 through 12.2.15. Oracle shipped the fix in its May 2026 Critical Security Patch Update, released on 28 May 2026, with a supplementary update on 16 June.
Internet-scanning group Shadowserver has tracked more than 450 internet-facing EBS instances, with nearly 200 across the United States and Europe. How many have already been patched is unknown.
Not Oracle EBS's first rodeo
The bug is the latest in a run of critical Oracle enterprise flaws to draw active exploitation. In late 2025, CVE-2025-61882 (also CVSS 9.8) in EBS was exploited as a zero-day from early August 2025 and folded into a data-theft extortion campaign linked to the Cl0p group. That campaign hit a string of large organisations, among them Harvard University, the University of Pennsylvania, the Washington Post and Logitech.
Earlier this month, a missing-authentication zero-day in Oracle PeopleSoft (CVE-2026-35273) was abused in ShinyHunters data-theft attacks. Over the years, the US Cybersecurity and Infrastructure Security Agency (CISA) has catalogued dozens of exploited Oracle vulnerabilities, a number of them also used in ransomware. EBS runs core finance, procurement and payments for large organisations, which makes it a high-value target and helps explain how quickly exploitation followed the patch.
What it means for organisations
EBS underpins finance and payments for many large enterprises and government bodies, so the exposed and unpatched population is not trivial. Because Oracle Payments handles financial and personal data, a successful takeover can lead to data theft, and in turn to breach-notification obligations in most jurisdictions. The earlier Cl0p campaign is the template to watch: attackers steal data first, then return with extortion demands weeks later.
Patching internet-facing applications quickly is a core control, and a flaw under active exploitation should be treated as an emergency change rather than a routine update. Vulnerability-prioritisation programs often key off catalogues such as CISA's Known Exploited Vulnerabilities list, which has repeatedly included Oracle products and is a useful signal for triage.
What to do now
- Patch immediately. Apply Oracle's May 2026 Critical Security Patch Update, and the June supplementary update, to any EBS instance running 12.2.3 through 12.2.15. Treat it as an emergency change.
- Find your exposure. Identify every internet-facing EBS deployment, with particular attention to the Oracle Payments and File Transmission components.
- Hunt for compromise. A patch does not undo an earlier breach. Review web-tier access logs for unexpected HTTP requests to Oracle Payments endpoints, particularly requests from outside the organisation made before the patch was applied, and for other signs of takeover, and assume that internet-exposed, unpatched systems may already have been hit.
- Restrict access. Where immediate patching is not possible, limit network access to EBS to known corporate ranges or a VPN and put an authenticating gateway in front of it rather than leaving it open to the internet. Treat this as a stopgap: it reduces exposure but does not remove the flaw.
- Prepare to report. Engage your incident response process and assess breach-notification obligations if personal or financial information may be involved.
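The first three steps above (check the release, find exposure, hunt in the logs) can be started with a short script. What follows is an added example written for this article, not code from Oracle, Defused or Shadowserver. It assumes the web-tier access log is in Apache combined format (the EBS web tier is Apache-based, but confirm your own format), and the URL pattern used to pick out Oracle Payments endpoints is a placeholder that must be replaced with the paths Oracle's advisory names; the log lines are constructed for the example.

```python
"""Two checks for the response steps above: an affected-release test and a
first-pass triage of web-tier access logs for hits on Oracle Payments paths.

Added example, not Oracle's or Defused's code. Assumptions: Apache combined
log format, and a placeholder URL pattern for Oracle Payments endpoints.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Affected range stated in the article: 12.2.3 through 12.2.15 inclusive.
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 15)


def parse_version(version: str) -> tuple[int, ...]:
    """'12.2.10' -> (12, 2, 10). Numeric tuples compare correctly; a plain
    string comparison ranks '12.2.10' below '12.2.3' and would miss hosts."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected_release(version: str) -> bool:
    """True if the release falls inside the advisory's affected range."""
    v = (parse_version(version) + (0, 0, 0))[:3]  # pad short strings like '12.2'
    return AFFECTED_MIN <= v <= AFFECTED_MAX


# Apache combined format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def triage_access_log(lines, payments_patterns, internal_nets, patched_at=None):
    """Return requests to Oracle Payments paths from outside the internal
    ranges. A plain access log cannot show whether a request carried a valid
    session, so every external hit is surfaced for analyst review, with
    'pre_patch' marking those made before the fix was applied."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    pats = [re.compile(p, re.IGNORECASE) for p in payments_patterns]
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format: handle separately rather than guess
        if not any(p.search(m["path"]) for p in pats):
            continue
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in n for n in nets):
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        findings.append({
            "ip": str(ip), "ts": ts, "method": m["method"], "path": m["path"],
            "status": int(m["status"]), "ua": m["ua"] or "",
            "pre_patch": patched_at is None or ts < patched_at,
        })
    return findings


# Constructed sample log. /OA_HTML/ is the usual EBS web-tier prefix, but
# 'payments/transmit' is a placeholder, not a real endpoint name.
SAMPLE_LOG = """\
10.20.30.40 - - [27/Jun/2026:09:12:01 +0000] "GET /OA_HTML/payments/transmit HTTP/1.1" 200 8820 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jun/2026:23:41:10 +0000] "POST /OA_HTML/payments/transmit HTTP/1.1" 200 512 "-" "python-requests/2.32"
203.0.113.7 - - [27/Jun/2026:23:41:12 +0000] "GET /OA_HTML/OA.jsp HTTP/1.1" 200 9104 "-" "python-requests/2.32"
198.51.100.9 - - [29/Jun/2026:11:02:55 +0000] "GET /OA_HTML/payments/transmit HTTP/1.1" 404 220 "-" "curl/8.6"
this line is not in combined log format and is skipped
"""


def run_sample():
    """Triage the constructed log, assuming the fix went on at 06:00 UTC on 28 June."""
    return triage_access_log(
        SAMPLE_LOG.splitlines(),
        payments_patterns=[r"^/OA_HTML/payments/"],  # placeholder pattern
        internal_nets=["10.0.0.0/8", "192.168.0.0/16"],
        patched_at=datetime(2026, 6, 28, 6, 0, tzinfo=timezone.utc),
    )


if __name__ == "__main__":
    for ver in ("12.2.10", "12.2.16"):
        print(ver, "affected" if is_affected_release(ver) else "not affected")
    for f in run_sample():
        flag = "PRE-PATCH" if f["pre_patch"] else "post-patch"
        print(f"{flag} {f['ts']:%Y-%m-%d %H:%M} {f['ip']} {f['method']} {f['path']} {f['status']} {f['ua']}")
```

Two design points. The version check compares integer tuples because a string comparison of "12.2.10" against "12.2.3" gets the order wrong and silently drops affected hosts from an inventory. The log triage deliberately does not try to decide whether a hit was an exploit: the access log cannot show whether a session cookie was valid, so it surfaces every external request to a Payments path and lets the pre-patch flag and the request details drive the analyst's review.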
With a patch out for a month and exploitation now live, the window for unpatched EBS systems is closing fast. The task is the familiar one: know where Oracle EBS runs in your environment, confirm it is patched, and check it has not already been touched.