Hackers Exploit Oracle E-Business Flaw in Targeted Attacks

"CVE-2026-46817 (CVSS 9.8 unauth HTTP takeover in Oracle E-Business) is being exploited. Over the weekend, we observed an actor exploiting the vulnerability on our Oracle E-Business honeypots. This vulnerability has no known previous exploitation and no public POC code exists," Defused warned.

Defused: live exploitation seen against CVE-2026-46817

Threat intelligence company Defused reported that attackers have begun exploiting a critical vulnerability tracked as CVE-2026-46817 in Oracle E-Business Suite (EBS). Defused said the first attempts were observed over the weekend against its Oracle E-Business honeypots and described the exploitation as active. Oracle has not, to date, flagged the flaw as exploited in the wild.

How the flaw works: File Transmission in Oracle Payments

The vulnerability sits in the File Transmission component of EBS's Oracle Payments product. According to the advisory, it "enables unauthenticated malicious actors with HTTP network access to take over vulnerable systems through low-complexity attacks." Defused's characterization, as cited in the reporting, gives the flaw a CVSS score of 9.8.

Oracle's patch and advice

Oracle released security updates to address the vulnerability in its May 2026 Critical Security Patch Update and urged customers to apply the fixes immediately. Oracle warned: "Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches." The company added that "in some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply security patches without delay."

Exposure and the recent pattern of Oracle-targeted attacks

Internet security watchdog Shadowserver now tracks over 450 Oracle EBS instances exposed online, with nearly 200 located in the United States and in Europe. The reporting notes there is no available information on how many of those exposed systems have been secured against the ongoing attacks. The current activity follows a string of serious incidents involving Oracle products: the Clop extortion gang exploited an Oracle EBS flaw (CVE-2025-61882) in zero-day attacks since early August 2025 against multiple U.S. universities (including Harvard University, the University of Pennsylvania, Dartmouth College, and the University of Phoenix), as well as The Washington Post, Logitech, and GlobalLogic. U.S. Cybersecurity and Infrastructure Security Agency (CISA) alerts have also flagged other Oracle product vulnerabilities — including a high-severity WebLogic Server flaw (CVE-2024-21182) patched two years earlier — as being actively exploited, and CISA later described mitigation of a PeopleSoft Suite zero-day (CVE-2026-35273) that was abused in ShinyHunter data theft attacks.

What this means for security teams, affected enterprises, and regulators

  • Security teams and technologists: rapid validation and patch deployment on Oracle EBS instances will be the immediate task; the observed low-complexity, unauthenticated HTTP attack vector makes rapid containment more urgent.
  • Affected enterprises and procurement leaders: organizations with internet-exposed Oracle EBS instances — Shadowserver counts 450+ — must reconcile inventory and patch status quickly to determine exposure and prioritization.
  • Regulators and incident responders (CISA and similar bodies): the pattern of previously exploited Oracle flaws and the current claims of live exploitation by Defused mean monitoring and public advisories will remain active, and coordination on disclosure and mitigation remains a practical necessity.

The facts in hand are stark but specific: a high-severity EBS flaw that Oracle patched in May 2026 is reported by Defused to be under active exploitation, and more than 450 EBS instances remain exposed online. Oracle's advisory that patches are available sits beside a real-world question left open by the current reporting — how many of those 450-plus publicly visible instances have already applied the May 2026 fixes? That number will determine whether observed attacks remain probing and opportunistic or become the first wave of a broader compromise campaign.

Source: https://www.bleepingcomputer.com/news/security/new-oracle-e-business-suite-flaw-now-exploited-in-attacks/