Organizations using Oracle E-Business Suite (EBS) are facing an immediate threat from the active exploitation of CVE-2026-46817, a critical unauthenticated remote code execution (RCE) vulnerability. With a CVSS score of 9.8, this flaw allows an attacker with network access to compromise the Oracle Payments component, leading to a potential full takeover of the ERP system. Oracle released a patch in its May 2026 Critical Patch Update (CPU), but exploitation was detected in late June, demonstrating the speed at which attackers can weaponize vulnerabilities post-patch release. Due to the critical nature of data stored in EBS systems, immediate patching is imperative.
CVE-2026-46817 is a vulnerability in the File Transmission component of Oracle Payments, a module within the larger Oracle E-Business Suite. The flaw is described as "easily exploitable," requiring no authentication or user interaction. An attacker can send a specially crafted HTTP request to a vulnerable EBS instance and achieve remote code execution. This gives the attacker a direct path to compromising one of the most sensitive systems within an enterprise, which often manages financial records, human resources data, and supply chain logistics.
12.2.3 through 12.2.14 are affected.The vulnerability is specific to the Oracle Payments module, but a compromise of this component can be leveraged to gain control over the entire EBS application.
This vulnerability is confirmed to be actively exploited. Threat intelligence firm Defused reported observing exploitation attempts against its honeypot network during the weekend of June 27-28, 2026. The attacks appeared to be targeted and originated from a single IP address, focusing on file-read operations. This exploitation began before a public proof-of-concept was available, strongly suggesting that attackers reverse-engineered Oracle's patch to develop their exploit—a practice known as patch-gapping or N-day exploitation.
A successful exploit of CVE-2026-46817 is catastrophic. Attackers can gain complete control over the Oracle EBS application, allowing them to:
Security teams should look for the following indicators in their logs:
url_patternlog_sourceprocess_namesh, bash, powershell.exe).Applying the vendor-supplied patch is the most effective and critical mitigation step.
Restricting network access to the EBS application, ensuring it is not exposed to the public internet, significantly reduces the attack surface.
Oracle releases its May Critical Patch Update, which includes a patch for CVE-2026-46817.
Threat intelligence firm Defused observes active exploitation of CVE-2026-46817 against its honeypots.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.