TL;DR
- what: Oracle E-Business Suite flaw CVE-2026-46817 (CVSS 9.8) in Oracle Payments is being actively exploited in the wild, confirmed by honeypot hits over the weekend.
- impact: An unauthenticated attacker with HTTP network access can fully take over the Oracle Payments instance, exposing payment processing and connected enterprise data.
- fix: Apply Oracle's Critical Security Patch Update from last month, which patches CVE-2026-46817 across EBS 12.2.3 through 12.2.15.
- who: Any organization running internet-facing Oracle E-Business Suite 12.2.3-12.2.15, especially those exposing Oracle Payments over HTTP.
A critical Oracle E-Business Suite vulnerability, CVE-2026-46817 (CVSS 9.8), is under active exploitation in the wild. Defused Cyber reported that over the weekend it observed a threat actor exploiting the flaw against its Oracle E-Business honeypots. The attacks are live now, and the patch window is effectively closed for anyone who has not already applied Oracle's last Critical Security Patch Update.
The flaw is an improper privilege management and authentication weakness in Oracle Payments. Per the NVD, it is an "easily exploitable vulnerability" that "allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments," with successful attacks resulting in "the takeover of Oracle Payments." No credentials, no user interaction, just HTTP access to a vulnerable instance.
What is affected
CVE-2026-46817 impacts Oracle E-Business Suite versions 12.2.3 through 12.2.15. Oracle shipped patches as part of its Critical Security Patch Update last month. That means defenders had roughly a month of lead time before exploitation went public, and that lead time is now spent.
- Affected product: Oracle E-Business Suite, Oracle Payments component
- Affected versions: 12.2.3 through 12.2.15
- Attack vector: network, over HTTP, unauthenticated
- Outcome: full takeover of Oracle Payments
⚠️ Exploitation with no public PoC — Defused Cyber notes this vulnerability "has no known previous exploitation and no public PoC code exists." Attackers are weaponizing it independently. Do not wait for a published exploit to justify patching: the attackers already have working capability, and honeypots are not the only systems being hit.
This is a pattern, not a one-off
Oracle's enterprise stack has been a repeated target. Late last year, another CVSS 9.8 EBS flaw, CVE-2025-61882, was weaponized by threat actors linked to the Cl0p ransomware operation, with early attacks tracing back to August 2025. Earlier this month, Oracle patched a critical missing-authentication zero-day in PeopleSoft, CVE-2026-35273 (CVSS 9.8), exploited by ShinyHunters (SHADOW-AETHER-015) in data theft and extortion attacks.
Nissan has acknowledged it was a victim of the PeopleSoft attack, with the breach potentially exposing payroll records, bank details, Social Security numbers, and other personal and financial data of employees across the U.S., Canada, Mexico, and Brazil. The blast radius of an Oracle enterprise compromise is real and measured in employee identity data.
The stealth problem
The PeopleSoft case is a warning about detection blind spots that apply across Oracle's Java-based application servers. Trend Micro said the notable property of CVE-2026-35273 "is not its impact, but its near-total lack of observability." The final code-execution step ran through Java's XMLDecoder inside the application server's own JVM, fired on a restart rather than on the inbound request, and needed no child process and no outbound beacon. As Trend Micro put it, "a defender watching the usual places sees a quiet system."
watchTowr's Jake Knott noted that CVE-2026-35273 was not a trivial single-request bug but a chain combining multiple vulnerabilities to plant a malicious file that waits for a server restart, "suggestive of a threat actor with genuine knowledge of and familiarity with the underlying codebase." While details on how CVE-2026-46817 is being exploited are not yet public, the lesson holds: assume the new EBS attacks may also be designed to evade routine monitoring.
What to do now
Assume compromise — Knott urges organizations to assume compromise and activate incident response to determine whether access was obtained before patches were applied, what was accessed, and whether persistence was established. Patching stops new intrusions; it does not evict an attacker who got in during the exposure window.
- Apply the Oracle CPU patch for CVE-2026-46817 immediately across all EBS 12.2.3-12.2.15 instances
- Inventory and restrict internet-facing exposure of Oracle Payments and EBS HTTP endpoints
- Hunt for exploitation that predates your patch: review HTTP access logs, unexpected files, and JVM-level activity rather than only child processes or outbound beacons
- Treat restart-triggered or delayed-execution payloads as a live possibility and check for planted files awaiting reboot
- Run a focused IR pass on Payments data and any connected financial workflows
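The affected-version range above and the response steps just listed, turned into a small triage script. This is an added example, not code from the article, Defused Cyber or Oracle: only the range 12.2.3 through 12.2.15 comes from the advisory, while the host names, dates, file paths and the CPU release date (CPU_RELEASED) are constructed placeholders. It ranks each EBS instance, computes how many days it sat exposed between the patch release and the date it was patched (or today, if it never was), and flags files written after the last JVM restart as candidates for a restart-triggered payload that has not fired yet.

```python
"""Added example, not the article's or Oracle's code: triage an Oracle EBS
inventory against CVE-2026-46817 and list where to hunt first. Only the
affected range 12.2.3-12.2.15 comes from the advisory; host names, dates,
paths and CPU_RELEASED are constructed placeholders."""
from datetime import date

AFFECTED_MIN, AFFECTED_MAX = (12, 2, 3), (12, 2, 15)
CPU_RELEASED = date(2026, 4, 21)   # placeholder for the CPU release date
TODAY = date(2026, 5, 18)          # placeholder for "now"
RANK = ["none", "medium", "high", "critical"]

def is_affected(version):
    """True when 'a.b.c' lies inside the advisory's affected range."""
    return AFFECTED_MIN <= tuple(int(p) for p in version.split(".")) <= AFFECTED_MAX

def priority(host):
    """Unpatched and reachable: assume compromise. Patched: hunt the window."""
    if not is_affected(host["version"]):
        return "none"
    if not host["internet_facing"]:
        return "medium"
    return "high" if host.get("patched_on") else "critical"

def triage(inventory, today=TODAY):
    """One row per host: priority plus the days in which a pre-patch intrusion
    could have happened (CPU release until patched, or until today)."""
    rows = []
    for host in inventory:
        prio = priority(host)
        end = host.get("patched_on") or today
        days = max((end - CPU_RELEASED).days, 0) if prio != "none" else 0
        rows.append({"host": host["host"], "priority": prio, "exposure_days": days})
    return sorted(rows, key=lambda r: RANK.index(r["priority"]), reverse=True)

def planted_after_restart(files, last_restart):
    """Files written after the last JVM restart: candidates for a delayed,
    restart-triggered payload that has not fired yet."""
    return sorted(f["path"] for f in files if f["mtime"] > last_restart)

# Constructed sample inventory and file listing (placeholder values).
INVENTORY = [
    {"host": "ebs-prod-01", "version": "12.2.11", "internet_facing": True},
    {"host": "ebs-prod-02", "version": "12.2.9", "internet_facing": True, "patched_on": date(2026, 5, 2)},
    {"host": "ebs-dev-01", "version": "12.2.2", "internet_facing": False},
]
LAST_RESTART = date(2026, 4, 25)
FILES = [
    {"path": "/placeholder/ebs/config/app.xml", "mtime": date(2026, 3, 30)},
    {"path": "/placeholder/ebs/config/boot.xml", "mtime": date(2026, 5, 10)},
]
```

The `exposure_days` value for each host is the interval the access-log and file-system hunt has to cover; a host that is `critical` should be treated as compromised until that hunt says otherwise.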
Threat actors are exploiting vulnerabilities faster than ever, and the gap between patch availability and active exploitation for CVE-2026-46817 was about one month. If your Oracle E-Business Suite is exposed and unpatched, you are past the point of prevention and into the territory of detection and response.
Originally published on RedEye Threat Intelligence.