"CVE-2026-46817 (CVSS 9.8 unauth HTTP takeover in Oracle E-Business) is being exploited. Over the weekend, we observed an actor exploiting the vulnerability on our Oracle E-Business honeypots. This vulnerability has no known previous exploitation and no public POC code exists," Defused noted.
CVE-2026-46817: takeovers via Oracle Payments File Transmission
Security researchers have identified CVE-2026-46817 as a critical flaw in the File Transmission component of Oracle E-Business Suite's Oracle Payments product. According to reporting, the vulnerability allows an attacker with only HTTP network access and no privileges to take over vulnerable systems using a low-complexity attack. Oracle released fixes for the flaw as part of its May 2026 Critical Security Patch Update and urged customers to apply the updates immediately.
Active exploitation observed by Defused; Oracle has not yet confirmed active exploitation
Threat intelligence company Defused reported active exploitation of CVE-2026-46817, saying it observed an actor exploiting the weakness against its Oracle E-Business honeypots over the weekend. The company emphasized that the flaw had no previously known exploitation and that no public proof-of-concept code existed at the time of its observation. Oracle, while issuing the May 2026 patch and urging mitigation, has not publicly flagged CVE-2026-46817 itself as being exploited in customer environments.
Exposure: Shadowserver tracks roughly 950 internet-facing EBS instances
Internet security watchdog Shadowserver said it is tracking around 950 Oracle E-Business Suite instances exposed online. The reporting notes there is no publicly available information on how many of those exposed systems have already been patched or otherwise secured against attacks exploiting CVE-2026-46817.
Context: a string of recent Oracle-targeted incidents and CISA activity
The discovery and exploitation of CVE-2026-46817 follows a series of Oracle-related vulnerabilities and incidents cataloged over recent months. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) last month tagged a high-severity Oracle WebLogic Server flaw (CVE-2024-21182) patched two years earlier as actively exploited in the wild. Weeks after that, Oracle mitigated a critical PeopleSoft Suite zero-day, CVE-2026-35273, which was exploited by the ShinyHunters extortion gang to achieve unauthenticated remote code execution between May 27 and June 9 and to steal data from many organizations worldwide, including Nottingham University and the National Association of Insurance Commissioners (NAIC). Nissan also warned of a data breach affecting current and former employees after its Oracle PeopleSoft instance was compromised.
Since early August 2025 the Clop extortion gang has been exploiting another Oracle EBS vulnerability (CVE-2025-61882) in zero-day attacks that hit multiple U.S. universities — including Harvard University, the University of Pennsylvania, Dartmouth College, and the University of Phoenix — as well as high-profile commercial victims such as Logitech, GlobalLogic, and the Washington Post. CISA has added 44 vulnerabilities across various Oracle products to its catalog of actively exploited flaws since November 2021, 13 of which were also abused by ransomware gangs.
How technologists, policymakers, and affected enterprises are likely to respond
- Technologists and security teams: Oracle has urged customers to apply the May 2026 Critical Security Patch Update; defenders will be triaging exposed EBS instances, prioritizing patching and monitoring for indicators tied to the Defused honeypot activity.
- Policymakers and regulators: CISA's recent history of flagging Oracle-related flaws as actively exploited and the agency's cataloging of 44 Oracle vulnerabilities since November 2021 suggest continued attention from federal cybersecurity authorities to Oracle product risk and active exploitation patterns.
- Affected enterprises and procurement leaders: Organizations running Oracle E-Business Suite and PeopleSoft will face targeted questions about patch management and exposure after recent incidents — including data thefts attributed to CVE-2026-35273 and public breach notifications such as Nissan's — and will likely re-evaluate exposure of internet-facing EBS instances like those tracked by Shadowserver.
Defused's honeypot detection and Shadowserver's count of roughly 950 exposed instances together create a concrete operational question: how many exposed E-Business Suite systems remain unpatched against CVE-2026-46817? The source reporting notes there is currently no public answer to that question. As organizations apply Oracle's May 2026 fixes, the pace of remediation and the extent of any compromise in the field will determine whether this vulnerability becomes another entry in CISA's catalog of actively exploited Oracle flaws.