Threat intelligence firm Defused has confirmed active exploitation of CVE-2026-46817, a critical vulnerability in Oracle’s E-Business Suite (EBS) financial application. The flaw resides in the File Transmission component of EBS’s Oracle Payments product and allows unauthenticated attackers with HTTP network access to take over vulnerable systems through low-complexity operations. Oracle assigned the vulnerability a CVSS score of 9.8.

Oracle addressed the issue in its May 2026 Critical Security Patch Update and, at the time, reiterated its standing guidance for customers to apply patches promptly. The company noted it continues to receive reports of attacks targeting systems where available patches had not been applied.

Defused reported on Monday that exploitation activity was first detected over the preceding weekend, observed across Oracle EBS honeypots operated by the firm. The company noted that no public proof-of-concept code exists for this vulnerability, making the exploitation activity notable. Oracle has not yet independently confirmed in-the-wild exploitation.

Exposure and Risk

Internet security monitoring group Shadowserver is tracking more than 450 Oracle EBS instances currently exposed to the public internet. Roughly 200 of those are located in the United States and Europe. The number of instances that remain unpatched and therefore vulnerable to ongoing attacks is not known.

Broader Oracle Exploitation Trends

CVE-2026-46817 is the latest in a series of Oracle product vulnerabilities to see active exploitation. Key recent incidents include:

  • The Clop extortion group exploited a separate Oracle EBS vulnerability, CVE-2025-61882, in zero-day attacks beginning in August 2025, targeting multiple U.S. universities, media organizations, and technology firms.
  • CISA flagged CVE-2024-21182, a high-severity Oracle WebLogic Server flaw patched two years prior, as actively exploited earlier this year.
  • A critical Oracle PeopleSoft Suite zero-day, CVE-2026-35273, was exploited by the ShinyHunters group in data theft attacks, enabling unauthenticated remote code execution.

Over the past several years, CISA has added 44 Oracle product vulnerabilities to its Known Exploited Vulnerabilities catalog, 13 of which have been linked to ransomware campaigns.

Security teams running Oracle E-Business Suite are strongly advised to verify patch status against Oracle’s May 2026 Critical Security Patch Update and to audit internet-facing EBS instances for any signs of unauthorized access or unusual activity.