A critical security flaw in Oracle E-Business Suite is now being actively exploited by hackers, raising fresh concerns for organizations that have not yet applied Oracle’s latest security updates.
Quick Summary – TLDR:
- Attackers are actively exploiting CVE-2026-46817, a critical flaw in Oracle E-Business Suite’s Oracle Payments component.
- The vulnerability carries a CVSS score of 9.8 and can allow attackers to take over affected systems without authentication.
- Oracle released a patch in its May 2026 Critical Security Patch Update and urged customers to update immediately.
- Security researchers say the flaw is being exploited despite there being no public proof of concept code available.
What Happened?
Threat intelligence company Defused has observed attackers exploiting a critical vulnerability in Oracle E-Business Suite over the weekend. The flaw, tracked as CVE-2026-46817, affects the File Transmission component of Oracle Payments and can be exploited remotely over HTTP without requiring authentication.
The vulnerability impacts Oracle E-Business Suite versions 12.2.3 through 12.2.15 and could allow attackers to completely compromise vulnerable Oracle Payments instances.
🚨 CVE-2026-46817 (CVSS 9.8 unauth HTTP takeover in Oracle E-Business) is being exploited
— Defused (@DefusedCyber) June 29, 2026
Over the weekend, we observed an actor exploiting the vulnerability on our Oracle E-Business honeypots
This vulnerability has no known previous exploitation and no public POC code… pic.twitter.com/qL4dgPvoMP
Attackers Move Quickly After Oracle Patch Release
Oracle initially disclosed the vulnerability as part of its May 2026 Critical Security Patch Update, which included 35 new security patches across multiple Oracle products. Among the 12 security fixes released for Oracle E-Business Suite, CVE-2026-46817 was one of the most severe vulnerabilities.
According to Oracle, successful exploitation of the flaw could have severe consequences across all three pillars of cybersecurity, including confidentiality, integrity, and availability. The issue received a CVSS severity score of 9.8 out of 10, placing it among the most dangerous software vulnerabilities.
The company warned customers at the time that attackers often succeed because organizations delay applying available patches.
“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches,” the company said in its advisory.
Oracle also strongly recommended that customers remain on supported versions and deploy security patches without delay.
Security Researchers Spot Active Exploitation
Despite Oracle not officially flagging the vulnerability as exploited in the wild, researchers at Defused say real world attacks are now underway.
The company said it observed an unknown threat actor exploiting the vulnerability against its Oracle E-Business honeypots over the weekend. Researchers noted that the attacks are particularly concerning because there is no publicly available proof of concept code for the vulnerability, suggesting that threat actors independently developed their own exploit.
The National Vulnerability Database describes the flaw as an easily exploitable issue that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Payments and potentially take over the system.
The vulnerability has also been associated with weaknesses including improper privilege management, improper authentication, and missing authentication for critical functions.
Hundreds of Oracle Servers Remain Exposed
Internet monitoring group Shadowserver is tracking more than 450 Oracle E-Business Suite instances exposed online, including nearly 200 systems in the United States and Europe.
It remains unclear how many of these internet facing servers have already installed Oracle’s security patches, leaving open the possibility that a significant number of organizations could still be vulnerable to ongoing attacks.
Oracle Products Have Become Increasingly Popular Targets
The latest exploitation campaign follows a series of attacks targeting Oracle software over the past year.
In 2025, the Clop extortion gang exploited another Oracle E-Business vulnerability to target multiple organizations, including several major universities and private companies. More recently, the US Cybersecurity and Infrastructure Security Agency warned about active exploitation of an older Oracle WebLogic Server vulnerability, while Oracle also moved to address a critical PeopleSoft zero day vulnerability linked to data theft campaigns.
Over the past several years, CISA has identified 44 Oracle vulnerabilities that have been exploited in the wild, with 13 of those flaws being used in ransomware attacks.
SQ Magazine Takeaway
I think this incident is another reminder that patching delays continue to be one of the biggest security risks for enterprises. The fact that attackers started exploiting this vulnerability so quickly, even without public exploit code, shows how aggressively cybercriminals monitor vendor advisories. Organizations running Oracle E-Business Suite should treat this flaw as an emergency and verify that their systems have been updated immediately.
