Critical Oracle E-Business Suite Flaw Under Active Attack

Techpivo News
Quick Brief
  • Oracle E-Business Suite flaw CVE-2026-46817 is actively exploited.
  • Patch Oracle Payments immediately to prevent unauthenticated system takeover.
  • Defused Cyber observed initial exploitation on June 27-28, 2026.
Key Points
  1. CVE-2026-46817, a critical flaw in Oracle E-Business Suite, is actively exploited.
  2. The vulnerability allows unauthenticated attackers to take over Oracle Payments systems.
  3. Oracle released patches in its May 2026 Critical Security Patch Update.

A critical security vulnerability, identified as CVE-2026-46817, within Oracle E-Business Suite's Payments product is now under active exploitation by threat actors. This flaw, rated with a CVSS score of 9.8, allows unauthenticated attackers to compromise affected systems, posing a significant risk to organizations utilizing the enterprise software. Oracle released patches for this vulnerability in its May 2026 Critical Security Patch Update.

Urgent Exploitation Detected

Threat actors have initiated active exploitation of a critical security vulnerability in Oracle E-Business Suite, specifically targeting the Oracle Payments component. Security researchers at Defused Cyber reported observing these attacks on their honeypot infrastructure over the weekend of June 27-28, 2026, marking the first confirmed in-the-wild exploitation of this flaw.

Vulnerability Details and Patch Status

The vulnerability, tracked as CVE-2026-46817, carries a Common Vulnerability Scoring System (CVSS) v3.1 base score of 9.8, indicating its severe impact and ease of exploitation. It stems from improper privilege management and authentication within the File Transmission component of Oracle Payments, allowing unauthenticated attackers with network access via HTTP to gain full control over susceptible Oracle Payments instances. Affected versions of Oracle E-Business Suite range from 12.2.3 through 12.2.15. Oracle released security updates addressing this flaw as part of its May 2026 Critical Security Patch Update, which was published on May 28, 2026.

Attack Insights and Broader Context

Defused Cyber's observations revealed that attackers are targeting the /OA_HTML/ibytransmit endpoint, which is associated with Oracle iPayment file transmission. The attacks involve crafted XML DeliveryRequest payloads, utilizing a CODEX_PULL transmission scheme with the FULL_FILE_PATH parameter set to sensitive system files like /etc/passwd, suggesting attempts at local file reading or path traversal. Notably, there is no public Proof-of-Concept (PoC) code available for CVE-2026-46817, indicating that the threat actors behind these attacks likely developed their own private exploits.
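
As an added example (not code from this article, Defused Cyber or Oracle), the following log triage flags requests to the endpoint named above and, where a WAF or proxy captures request bodies, the payload strings the researchers reported. The combined access-log layout, the body capture keyed by source and timestamp, and all sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Indicators named in the article (Defused Cyber honeypot observations).
ENDPOINT = "/oa_html/ibytransmit"  # compared case-insensitively
BODY_MARKERS = ("DeliveryRequest", "CODEX_PULL", "FULL_FILE_PATH")

# Assumed common/combined access-log layout; adapt to your web tier's format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def endpoint_hits(lines):
    """Parsed requests whose decoded, query-stripped path is the endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote(m["uri"].split("?", 1)[0]).rstrip("/").lower()
        if path == ENDPOINT:
            hits.append(m.groupdict())
    return hits

def body_markers(body):
    """Article-named strings present in a captured request body."""
    return [tok for tok in BODY_MARKERS if tok in body]

def triage(lines, bodies=None):
    """Per-source summary. bodies: optional {(src, ts): text} from a WAF/proxy."""
    bodies = bodies or {}
    out = defaultdict(lambda: {"requests": 0, "markers": set()})
    for hit in endpoint_hits(lines):
        entry = out[hit["src"]]
        entry["requests"] += 1
        captured = bodies.get((hit["src"], hit["ts"]), "")
        entry["markers"].update(body_markers(captured))
    return {src: {"requests": e["requests"], "markers": sorted(e["markers"])}
            for src, e in out.items()}

# Constructed sample data (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [27/Jun/2026:03:12:44 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 512',
    '198.51.100.7 - - [27/Jun/2026:03:13:02 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
    '203.0.113.10 - - [28/Jun/2026:01:02:03 +0000] "POST /OA_HTML/%69bytransmit?x=1 HTTP/1.1" 200 498',
]
# Constructed token string; not the layout of a real payload.
SAMPLE_BODIES = {("203.0.113.10", "27/Jun/2026:03:12:44 +0000"):
                 "DeliveryRequest CODEX_PULL FULL_FILE_PATH"}
```

Any hit on this endpoint from an untrusted network on a 12.2.3 through 12.2.15 instance is worth reviewing even when no body capture is available.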

"CVE-2026-46817 (CVSS 9.8 unauth HTTP takeover in Oracle E-Business) is being exploited. Over the weekend, we observed an actor exploiting the vulnerability on our Oracle E-Business honeypots. This vulnerability has no known previous exploitation and no public POC code exists." — Defused Cyber, June 29, 2026

This incident follows a pattern of critical vulnerabilities in Oracle's enterprise software being actively exploited. Last year, another severe flaw, CVE-2025-61882 (CVSS 9.8), in Oracle E-Business Suite's BI Publisher Integration component, was weaponized by threat actors linked to the Cl0p ransomware operation, with attacks dating back to August 2025. More recently, in June 2026, Oracle addressed a critical missing authentication zero-day vulnerability in PeopleSoft Suite, CVE-2026-35273 (CVSS 9.8), which the ShinyHunters group actively exploited for data theft and extortion.

  • CVE-2026-46817 affects Oracle E-Business Suite versions 12.2.3 through 12.2.15.
  • The vulnerability allows unauthenticated remote takeover of Oracle Payments.
  • Shadowserver reports over 450 Oracle E-Business Suite instances are exposed online.

What This Means

The immediate exploitation of CVE-2026-46817 underscores the critical need for organizations to prioritize and apply security patches promptly. The absence of public exploit code suggests a sophisticated threat actor, potentially with significant resources, is behind these attacks. For professionals, developers, and IT security teams, this highlights that even recently patched vulnerabilities can quickly become targets for active campaigns. Organizations running Oracle E-Business Suite, especially those with internet-facing instances, must verify that the May 2026 Critical Security Patch Update has been successfully applied to mitigate this severe risk. The continuous targeting of Oracle's enterprise products by groups like Cl0p and ShinyHunters demonstrates a persistent threat landscape that requires proactive defense strategies.

Key Points

  • A critical Oracle E-Business Suite vulnerability, CVE-2026-46817, is under active exploitation.
  • The flaw, with a CVSS score of 9.8, affects Oracle Payments and permits unauthenticated system takeover.
  • Oracle released patches for CVE-2026-46817 in its May 2026 Critical Security Patch Update.
  • Defused Cyber detected exploitation attempts on honeypots over June 27-28, 2026.
  • No public Proof-of-Concept code exists, suggesting private exploit development.

The Bottom Line

Organizations running Oracle E-Business Suite must prioritize applying the May 2026 Critical Security Patch Update immediately to protect against active exploitation of CVE-2026-46817. Given the history of attacks on Oracle's enterprise platforms by sophisticated groups, a robust patch management strategy and continuous monitoring for suspicious activity are essential. Proactive defense remains the most effective way to safeguard critical business operations from these evolving threats.

Frequently Asked Questions

What is CVE-2026-46817?
CVE-2026-46817 is a critical security vulnerability in the Oracle Payments product of Oracle E-Business Suite, specifically in its File Transmission component. It has a CVSS score of 9.8.
Who is exploiting this vulnerability?
Threat actors are actively exploiting CVE-2026-46817. Defused Cyber detected initial exploitation attempts on their honeypots over the weekend of June 27-28, 2026.
How can organizations protect themselves?
Organizations should immediately apply the security patches released by Oracle as part of its May 2026 Critical Security Patch Update to mitigate the risk of exploitation.
