Critical Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited
Oracle E-Business Suite, a widely deployed enterprise resource planning platform, is facing active exploitation of a critical vulnerability tracked as CVE-2026-46817, carrying a maximum CVSS score of 9.8. The flaw is an improper privilege management and authentication weakness in Oracle Payments that allows unauthenticated attackers with network access via HTTP to fully compromise affected instances. According to the NIST National Vulnerability Database, "successful attacks of this vulnerability can result in the takeover of Oracle Payments." The bug impacts versions 12.2.3 through 12.2.15, and Oracle addressed the issue in last month's Critical Security Patch Update.
Defused Cyber reported on Monday that it observed attackers exploiting the vulnerability across its Oracle E-Business honeypots over the weekend, marking the first known in-the-wild exploitation. Notably, no public proof-of-concept code exists, and there are no published details on the threat actor's identity, tactics, or whether the campaign is opportunistic or targeted. Organizations running unpatched Oracle E-Business Suite 12.2.x deployments should treat the situation as urgent and apply the latest Oracle CPU patches immediately. IT teams can use an SSL/TLS checker to verify their HTTPS endpoints are properly secured, since the flaw is reachable via HTTP traffic.
This incident is the latest in a string of high-severity Oracle-related attacks. In late 2025, the Cl0p ransomware gang weaponized another Oracle E-Business Suite flaw, CVE-2025-61882 (CVSS 9.8), in attacks dating back to August 2025. More recently, a missing authentication zero-day in PeopleSoft, CVE-2026-35273, was exploited by ShinyHunters, compromising automaker Nissan and exposing payroll records, banking details, and Social Security numbers of employees across the U.S., Canada, Mexico, and Brazil. Jake Knott, principal security researcher at watchTowr, noted that the PeopleSoft attack chain combined multiple vulnerabilities to plant a malicious file triggered on server restart, suggesting a sophisticated threat actor with deep knowledge of the underlying codebase.
Security researchers warn that exploitation timelines are shrinking dramatically, and organizations must assume compromise and activate incident response playbooks proactively. Administrators should verify their Oracle deployments are fully patched, audit authentication configurations, and review logs for signs of unauthorized access. For individuals concerned about their credentials in the wake of enterprise breaches, an email breach checker can confirm whether personal data has been exposed, and a password checker can flag weak or compromised passwords across corporate accounts.