
Oracle E-Business Suite CVE-2026-46817 exploitation

Summary

CVE-2026-46817 is a critical Oracle E-Business Suite vulnerability in the Oracle Payments product, File Transmission component. Oracle's May 2026 Critical Patch Update and NVD describe it as an easily exploitable unauthenticated HTTP issue affecting supported E-Business Suite versions 12.2.3 through 12.2.15; successful exploitation can result in takeover of Oracle Payments.

The Hacker News reported on June 30, 2026 that Defused Cyber observed exploitation attempts against Oracle E-Business Suite honeypots over the preceding weekend. Defused Cyber said it had not seen prior exploitation or public proof-of-concept code. Public reporting has not yet named the actor, exploit mechanics, victim set, or whether the activity is opportunistic scanning or a targeted campaign.


Why this matters

  • Oracle E-Business Suite is high-value ERP infrastructure. Oracle Payments takeover can expose payment workflows, supplier/customer data, financial records, and privileged application paths.
  • The bug is pre-authentication and network-reachable over HTTP according to Oracle and NVD, with a CVSS 3.1 base score of 9.8.
  • Public exploitation telemetry arrived only after Oracle had shipped the fix in the May 2026 CPU, so any EBS system that was internet-facing and unpatched between the CPU release and the reported honeypot activity should be treated as potentially already probed or compromised, not merely vulnerable.
  • Oracle enterprise application exploitation is already an active adversary lane: recent public reporting tied Oracle EBS CVE-2025-61882 to Cl0p-linked activity and Oracle PeopleSoft CVE-2026-35273 to ShinyHunters data-theft/extortion operations. CVE-2026-46817 should be triaged with that broader Oracle-app attack surface in mind, even though no actor has been attributed for this flaw.

Public vulnerability detail

  • Affected product: Oracle E-Business Suite, Oracle Payments product, File Transmission component.
  • Affected versions: supported Oracle E-Business Suite 12.2.3 through 12.2.15.
  • Vulnerability class: Oracle/NVD describe improper privilege management and unauthenticated network exploitation via HTTP; NVD maps the impact to Oracle Payments takeover.
  • Access requirement: unauthenticated attacker with network access via HTTP.
  • Impact: takeover of Oracle Payments; confidentiality, integrity, and availability impact are all rated high in Oracle's CVSS 3.1 vector.
  • Severity: CVSS 3.1 base score 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
  • Patch source: Oracle May 2026 Critical Patch Update.
  • Known exploitation: Defused Cyber honeypot telemetry reported publicly on June 29/30, 2026; no public PoC was known at the time of that reporting.

Defender heuristics

  1. Inventory Oracle E-Business Suite deployments, especially externally reachable application tiers, DMZ reverse proxies, partner/payment integrations, and environments exposing Oracle Payments / file-transmission workflows.
  2. Confirm whether the May 2026 Critical Patch Update is applied to every EBS 12.2.3 through 12.2.15 system. Prioritize internet-facing or partner-facing hosts and any environment where Oracle Payments is enabled.
  3. Preserve web server, reverse-proxy, WAF, EBS application, Oracle Payments, concurrent manager, database audit, OS, and EDR logs before destructive cleanup. Treat post-patch review as compromise assessment, not only vulnerability management.
  4. Hunt for unusual unauthenticated HTTP traffic to EBS endpoints, Oracle Payments file-transmission routes, anomalous file upload/download behavior, unexpected payment configuration changes, new or modified application users, and suspicious concurrent requests around the exposure window.
  5. Review Oracle EBS application accounts, service accounts, integration credentials, wallet/certificate material, and database access used by Oracle Payments. Rotate credentials where compromise cannot be ruled out.
  6. Segment EBS application tiers from the internet where possible; require VPN/SSO/bastion paths for administrative and payment workflows; enforce WAF signatures and allow-listing only as compensating controls, not patch replacements.
  7. Correlate EBS telemetry with adjacent Oracle-app intrusion patterns, including web-shell placement, delayed execution after restart, database access, ERP data export, and extortion actor reconnaissance.
  8. Monitor CISA KEV, Oracle, Defused Cyber, and incident-response vendor reporting for exploitation details, IoCs, or actor attribution as public evidence matures.
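As an added example of the hunting in step 4 (not code from the original page, from Oracle, or from any vendor named here), the following script parses Apache combined-format access-log lines of the kind Oracle HTTP Server or a fronting reverse proxy writes, keeps only requests inside the exposure window from step 2, and summarises per source address the signals listed above: untrusted sources reaching watched routes, write methods from those sources, and unusually large responses. The route prefixes, trusted networks, size threshold, and window dates are assumptions to replace with your deployment's values; the Oracle Payments file-transmission routes are not publicly named, so the watched-path list and the sample log lines are constructed placeholders.

```python
"""Triage access logs for the exposure window and the step-4 signals (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Apache "combined" style request line as written by Oracle HTTP Server or a fronting proxy.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumptions, not taken from the advisory: the prefixes your deployment serves EBS and
# Oracle Payments file-transmission workflows under, the ranges you treat as trusted
# (corporate, VPN, partner integration), and the response size you call an anomalous download.
WATCH_PREFIXES = ("/OA_HTML/", "/OA_CGI/")
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
WRITE_METHODS = {"POST", "PUT", "PATCH"}
LARGE_RESPONSE = 5_000_000  # bytes
# Exposure window: from when the fix shipped until this host was actually patched.
# Assumed dates; take the real ones from Oracle's CPU date and your EBS patch history.
WINDOW_START = datetime(2026, 5, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 7, 1, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def is_trusted(ip):
    """True when the source address falls inside one of the assumed trusted ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def triage(lines, window_start=WINDOW_START, window_end=WINDOW_END):
    """Summarise per-source-IP activity on watched routes inside the exposure window."""
    findings = defaultdict(lambda: {"requests": 0, "writes": 0, "bytes_out": 0,
                                    "paths": set(), "flags": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (window_start <= rec["ts"] <= window_end):
            continue
        if not rec["path"].startswith(WATCH_PREFIXES):
            continue
        f = findings[rec["ip"]]
        f["requests"] += 1
        f["bytes_out"] += rec["bytes"]
        f["paths"].add(rec["path"].split("?", 1)[0])
        external = not is_trusted(rec["ip"])
        if external:
            f["flags"].add("external_watched_route")
        if rec["method"] in WRITE_METHODS:
            f["writes"] += 1
            if external:
                f["flags"].add("external_write")
        if rec["bytes"] >= LARGE_RESPONSE:
            f["flags"].add("large_download")
    return dict(findings)


def ranked(findings):
    """Order sources by number of flags, then by request volume, for analyst review."""
    return sorted(findings.items(),
                  key=lambda kv: (len(kv[1]["flags"]), kv[1]["requests"]), reverse=True)


# Constructed sample lines (not real telemetry); the paths are placeholders.
SAMPLE_LOG = """\
10.20.30.40 - - [15/Jun/2026:09:12:01 +0000] "GET /OA_HTML/example-page?function_id=1 HTTP/1.1" 200 8123
203.0.113.7 - - [27/Jun/2026:02:14:09 +0000] "GET /OA_HTML/ HTTP/1.1" 200 2048
203.0.113.7 - - [27/Jun/2026:02:14:11 +0000] "POST /OA_HTML/example-upload HTTP/1.1" 200 512
203.0.113.7 - - [27/Jun/2026:02:16:45 +0000] "GET /OA_HTML/example-export HTTP/1.1" 200 7340032
192.168.5.9 - - [27/Jun/2026:10:00:00 +0000] "GET /OA_HTML/example-login HTTP/1.1" 302 0
198.51.100.23 - - [30/Apr/2026:23:59:59 +0000] "GET /OA_HTML/ HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for ip, f in ranked(triage(SAMPLE_LOG.splitlines())):
        print(ip, f["requests"], "req", f["writes"], "writes",
              f["bytes_out"], "bytes out", sorted(f["flags"]))
```

Two caveats when running this against real exports: the combined format records the response size only, so upload volume for the "write" flag has to come from request-body logging on the proxy or WAF, and a source that is flagged here is a lead for the compromise assessment in step 3, not a detection of this CVE, since no public exploit details exist to write a signature against.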

Sources

  • Oracle May 2026 Critical Patch Update, Oracle E-Business Suite risk matrix: https://www.oracle.com/security-alerts/cspumay2026verbose.html
  • NVD CVE-2026-46817: https://nvd.nist.gov/vuln/detail/CVE-2026-46817
  • The Hacker News, June 30, 2026: https://thehackernews.com/2026/06/oracle-e-business-suite-flaw-cve-2026.html
  • Defused Cyber public exploitation note, June 29, 2026: https://x.com/DefusedCyber/status/2071555353733394618