Hackers exploit critical Oracle E-Business Suite flaw in active attacks

At a glance:

  • Attackers are actively exploiting CVE-2026-46817, a critical vulnerability in Oracle E-Business Suite's File Transmission component.
  • Oracle patched the flaw in its May 2026 Critical Security Patch Update, but unpatched systems remain at risk.
  • Over 450 Oracle EBS instances are exposed online, nearly 200 of them in the US and Europe, with no data on how many have been secured.

Active exploitation of CVE-2026-46817

Threat intelligence firm Defused reported on Monday that malicious actors are actively exploiting CVE-2026-46817, a critical vulnerability in Oracle's E-Business Suite (EBS) financial application. The flaw resides in the File Transmission component of EBS's Oracle Payments product and allows unauthenticated attackers with HTTP network access to hijack vulnerable systems in low-complexity attacks. Defused noted that the first exploitation attempts were detected over the weekend, and that there was no public proof-of-concept code or known exploitation before then.

Oracle addressed the vulnerability in its May 2026 Critical Security Patch Update, urging customers to apply the fix immediately. However, the company has not officially confirmed active exploitation in the wild. This delay between patch release and observed attacks highlights ongoing challenges in securing enterprise software, particularly in environments where patch management lags behind threat actor activity.

Shadowserver finds widespread exposure

Internet security watchdog Shadowserver identified over 450 Oracle EBS instances exposed to the public internet, with nearly 200 located in the United States and Europe. While the exact number of patched systems remains unknown, the exposure underscores the urgency for organizations to audit their Oracle EBS deployments and prioritize security updates. Unpatched instances could provide attackers with a direct pathway to sensitive financial and operational data.

Historical context of Oracle vulnerabilities

The CVE-2026-46817 incident follows a pattern of Oracle vulnerabilities being weaponized by cybercriminals. In early August 2025, the Clop extortion gang leveraged CVE-2025-61882, another Oracle EBS flaw, in zero-day attacks targeting institutions including Harvard University, the University of Pennsylvania, Dartmouth College, the University of Phoenix, the Washington Post, Logitech, and GlobalLogic. More recently, CISA flagged CVE-2024-21182, a high-severity Oracle WebLogic Server vulnerability patched in 2024, as actively exploited in attacks.

Oracle also mitigated a critical PeopleSoft Suite zero-day (CVE-2026-35273) earlier this month, which was used in ShinyHunters data theft campaigns. This vulnerability enabled unauthenticated remote code execution, further demonstrating the persistent risks in Oracle's enterprise software stack.

CISA's ongoing concerns

Over the past several years, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has cataloged 44 vulnerabilities across Oracle products as exploited in the wild, with 13 of those tied to ransomware attacks. This growing list reflects the increasing targeting of Oracle's enterprise solutions by sophisticated threat actors. Organizations relying on Oracle EBS, WebLogic, or PeopleSoft must balance operational continuity with proactive patching to avoid becoming the next victim.

Security recommendations and industry response

Oracle's advisory emphasized the importance of staying on actively supported versions and applying patches promptly. Security teams face mounting pressure as breaches often go undetected—Defused noted that 54% of successful attacks are logged, but only 14% trigger alerts. Tools like breach and attack simulation, as highlighted in Picus's whitepaper, can help organizations test their detection capabilities before adversaries strike.

What to watch next

The active exploitation of CVE-2026-46817 signals a renewed focus on Oracle EBS by cybercriminals. Organizations should immediately audit their exposure, apply Oracle's May 2026 patches, and monitor for indicators of compromise. With Shadowserver tracking hundreds of exposed instances, the window for remediation is narrowing as attackers refine their tactics.

FAQ

What is CVE-2026-46817 and how does it work?

CVE-2026-46817 is a critical vulnerability in Oracle E-Business Suite's File Transmission component that allows unauthenticated attackers with HTTP access to take over vulnerable systems. The flaw has a CVSS score of 9.8, placing it in the critical severity range, and is low-complexity to exploit.

Which organizations are at risk from this vulnerability?

Organizations using Oracle E-Business Suite, particularly those with unpatched systems, are at risk. Shadowserver identified over 450 exposed instances globally, with nearly 200 in the US and Europe. Specific sectors include education, media, and enterprise software providers, as seen in past Oracle EBS attacks.

How can organizations protect themselves from CVE-2026-46817?

Oracle released patches in its May 2026 Critical Security Patch Update. Organizations should apply these updates immediately, audit their EBS deployments, and monitor for exploitation attempts. Tools like breach and attack simulation can help test detection readiness against such vulnerabilities.
