Attackers actively exploit critical Oracle E-Business Suite vulnerability

Threat intelligence firm Defused reports that malicious actors have started leveraging a severe security issue tracked as CVE-2026-46817 in Oracle's E-Business Suite financial software.

Unauthenticated takeover via File Transmission component. The bug sits inside the File Transmission element of the Oracle Payments module within EBS. Carrying a CVSS score of 9.8, it lets unauthenticated attackers who can reach the target over HTTP seize control of susceptible installations using attacks of low complexity.

Oracle fixed the issue through its May 2026 Critical Security Patch Update and called on users to install the fixes right away.

Oracle's prior warning on unpatched systems. In that advisory the company said it "continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches." It added that "in some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches."

The vendor therefore "strongly recommends that customers remain on actively-supported versions and apply security patches without delay."

Defused confirms active exploitation. Although Oracle has not yet listed CVE-2026-46817 as exploited in the wild, Defused disclosed Monday that adversaries are now using it in the wild. The firm detected the first exploitation attempts over the weekend against its Oracle E-Business honeypots. "This vulnerability has no known previous exploitation and no public POC code exists," Defused stated.

Shadowserver tracks exposed instances. The internet security watchdog group Shadowserver is currently monitoring more than 450 publicly reachable Oracle EBS deployments, nearly 200 of them situated in the United States and Europe.

No data is available on how many of those exposed systems remain vulnerable to the current campaign.

Pattern of prior Oracle EBS and related exploits. The Clop extortion group previously weaponized a separate Oracle EBS vulnerability (CVE-2025-61882) in zero-day operations since early August 2025. Those incidents hit multiple U.S. universities (including Harvard University, the University of Pennsylvania, Dartmouth College, and the University of Phoenix), the Washington Post, Logitech, and GlobalLogic.

Earlier this month the U.S. Cybersecurity and Infrastructure Security Agency highlighted a high-severity Oracle WebLogic Server bug (CVE-2024-21182) patched two years earlier that is now actively exploited. Weeks afterward Oracle addressed a critical PeopleSoft Suite zero-day (CVE-2026-35273) that had been leveraged in ShinyHunter data-theft campaigns permitting unauthenticated remote code execution.

Across recent years CISA has designated 44 vulnerabilities in assorted Oracle products as exploited in the wild, 13 of which also featured in ransomware incidents.