CVE-2026-46817: Critical Oracle E-Business Suite Vulnerability

Filip Dimitrov

June 30, 2026

A critical vulnerability in Oracle E-Business Suite is now being actively exploited in the wild. Tracked as CVE-2026-46817, the flaw affects the File Transmission component of Oracle Payments, a product within Oracle E-Business Suite.

Oracle rates the vulnerability as critical with a CVSS v3.1 score of 9.8, as it can be exploited remotely over HTTP without authentication, user interaction, or elevated privileges. Successful exploitation can result in takeover of Oracle Payments.

Vulnerability Overview

CVE-2026-46817 is exploitable by an unauthenticated attacker with HTTP network access and can lead to compromise and takeover of Oracle Payments.

The CVSS vector is:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

This means the vulnerability is network-exploitable, low complexity, requires no privileges, requires no user interaction, and can have high impact on confidentiality, integrity, and availability. NVD also lists the associated weakness categories as Improper Privilege Management, Improper Authentication, and Missing Authentication for Critical Function.

Affected Versions

  • Oracle E-Business Suite v12.2.3 through 12.2.15

Threat Activity

Security researchers captured exploitation of CVE-2026-46817 on 27 June 2026. The observed activity involved unauthenticated file-read attempts against the Oracle Payments component.

NHS England’s National CSOC also published an alert warning that exploitation has been reported in the wild and assessed further exploitation as highly likely.

Mitigation and Remediation

Oracle released a fix for CVE-2026-46817 in its May 2026 Critical Security Patch Update. Oracle has advised customers to apply Critical Security Patch Updates without delay and to remain on actively supported product versions.

Recommended actions:

  1. Apply Oracle’s May 2026 Critical Security Patch Update or later immediately. Prioritize Oracle E-Business Suite environments running versions 12.2.3 through 12.2.15.
  2. Confirm patch status across all EBS environments. Include production, staging, disaster recovery, legacy, and externally accessible instances.
  3. Restrict external access to Oracle EBS. Where possible, remove direct internet exposure and require access through VPN, private network paths, or tightly controlled allowlists.
  4. Review EBS exposure. Identify externally reachable Oracle EBS portals, reverse proxies, load balancers, and HTTP services that may expose vulnerable functionality.
  5. Hunt for exploitation attempts. Review logs for suspicious unauthenticated HTTP requests, file access attempts, and unusual Oracle Payments activity.

Stay Safe. Stay Secure.
OP Innovate Research Team
