Shadowserver now tracks over 1,000 Internet-exposed Oracle E-Business Suite instances — more than half of them in the United States — as federal cyber authorities ordered an accelerated fix for a high-risk flaw that researchers say is already being abused.
CVE-2026-46817: the flaw and its immediate danger
The vulnerability, tracked as CVE-2026-46817, was discovered in the File Transmission component of Oracle E-Business Suite's Oracle Payments product. According to the advisory, it "allows unauthenticated threat actors with HTTP network access to take over vulnerable systems in low-complexity attacks." Defused characterized it as "CVSS 9.8 unauth HTTP takeover in Oracle E-Business," and reported observing exploitation against its Oracle E-Business honeypots on June 29.
CISA's directive and the July 18 deadline
The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-46817 to its list of known exploited security flaws and ordered federal agencies to patch vulnerable Oracle EBS instances by Saturday, July 18, under Binding Operational Directive (BOD) 26-04. CISA warned that "these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," and described the bug as "an improper privilege management vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Payments."
Oracle's patch, researcher sightings, and exposure counts
Oracle issued a fix in its May 2026 Critical Security Patch Update and urged customers to apply it immediately. The company warned: "In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches," and added that it "strongly recommends that customers remain on actively-supported versions and apply security patches without delay."
Despite Oracle not yet flagging CVE-2026-46817 as exploited in the wild, the threat intelligence firm Defused reported active exploitation. Shadowserver's Internet-wide tracking identifies over 1,000 exposed Oracle EBS instances, though the organization does not differentiate in the public data between honeypots and systems already secured against CVE-2026-46817.
CISA's recent history with Oracle flaws and broader exploitation patterns
CISA's rapid directive follows a pattern of recent orders around Oracle software. In October the agency ordered patches for an unauthenticated server-side request forgery vulnerability in Oracle E-Business Suite (CVE-2025-61884) after flagging it as actively exploited. In June it ordered agencies to secure systems against a high-severity Oracle WebLogic Server flaw (CVE-2024-21182) that had been patched two years earlier and was again being exploited. Over the last several years, CISA has flagged 43 security issues across various Oracle products that have been exploited in the wild, 12 of them also abused by ransomware gangs.
What this means for federal agencies, enterprise IT, and security teams
- Federal agencies: must comply with BOD 26-04 and patch vulnerable Oracle EBS instances by the July 18 deadline, or document risk and mitigation in line with the directive's requirements.
- Enterprise IT and Oracle customers: should prioritize installing Oracle's May 2026 Critical Security Patch Update for E-Business Suite, heeding Oracle's advisory that successful attacks have sometimes succeeded where patches were not applied.
- Security teams: need to monitor for indicators of compromise tied to E-Business Suite Payments and consider that shadow- and honeypot-based reporting has already detected active exploitation; CISA's addition of the flaw to its known-exploited list signals a higher-risk posture and expectation of rapid response.
For defenders, the compressed timeline and a large population of Internet-exposed EBS instances create a straightforward operational test: patch quickly and verify. For investigators, the public gap between Shadowserver's exposure count and the unknown number of patched or decoy systems leaves open a concrete question — how many publicly reachable Oracle EBS deployments remain vulnerable today? Agencies and operators have until Saturday, July 18, to narrow that gap.




