Attackers are already exploiting a flaw that most Oracle customers have not patched. CVE-2026-46817, a critical vulnerability rated 9.8 out of 10 in Oracle E-Business Suite, is under active exploitation in the wild. The bug is an improper privilege management and authentication flaw in the Oracle Payments module that lets an unauthenticated attacker with only HTTP access take over a vulnerable system through a low-complexity attack. It affects EBS versions 12.2.3 through 12.2.15, and Oracle shipped a fix in its May 2026 Critical Patch Update. The alarming part: threat intelligence firm Defused caught the first in-the-wild exploitation on June 27, 2026, roughly six weeks after the patch and before any public proof-of-concept code existed, meaning attackers built or bought a private exploit and went hunting.

  • CVE-2026-46817 (CVSS 9.8) is an unauthenticated takeover flaw in Oracle E-Business Suite's Payments module.
  • First in-the-wild exploitation was observed June 27, 2026, about six weeks after Oracle's May patch and with no public PoC available.
  • Attacks target the /OA_HTML/ibytransmit endpoint with crafted XML payloads attempting to read files like /etc/passwd.
  • Shadowserver tracks over 450 exposed Oracle EBS instances online, nearly 200 in the United States.

What actually happened

Oracle E-Business Suite is a sprawling enterprise resource planning system that large organizations use to run finance, procurement, payments, and more, which makes it exactly the kind of high-value target attackers prize. The vulnerability lives in the File Transmission component of the Oracle Payments product. According to the National Vulnerability Database, the flaw allows an unauthenticated attacker with network access via HTTP to compromise Oracle Payments, and a successful attack can result in full takeover of the module. Defused, which runs decoy Oracle EBS systems to catch attacks, captured the first exploitation attempts over the weekend of June 27: six unauthenticated file-read attempts from a single source. The attack sent targeted POST requests to /OA_HTML/ibytransmit, the Oracle iPayment file transmission endpoint, carrying a crafted XML DeliveryRequest payload whose FULL_FILE_PATH parameter pointed at /etc/passwd, the classic signature of a path-traversal file-read exploit designed to pull sensitive system files.


Why is exploitation before a public exploit so dangerous?

Because it inverts the timeline defenders usually rely on. Normally a patch drops, then eventually a public proof-of-concept appears, and that public PoC is the starting gun for mass exploitation, giving organizations a window to patch before the exploit is widely available. Here, there is no public PoC, yet attackers are already exploiting the flaw. That means someone reverse-engineered Oracle's patch or otherwise developed a working exploit privately and is using it quietly, without tipping off the wider security community. Targeted, low-volume attacks like the ones Defused observed are often the most dangerous kind, because they suggest a capable actor picking specific victims rather than a noisy spray-and-pray campaign. The absence of a public PoC also means many defenders have not yet seen detection signatures or exploitation reports, so they may not realize the clock has already run out on this one. Patching six weeks after release felt safe. It was not.

The context most coverage skips

This is not an isolated incident; it is the latest in a brutal run of critical Oracle enterprise vulnerabilities, and it fits a broader 2026 pattern where attackers move faster than patch cycles. Late in 2025, another 9.8-rated flaw in the same Oracle Payments product, CVE-2025-61882, was weaponized by threat actors linked to the Cl0p ransomware operation, with attacks reaching back to August 2025. Oracle also patched a missing-authentication zero-day in PeopleSoft, CVE-2026-35273, another 9.8, that the ShinyHunters extortion group was already exploiting, with Nissan later confirmed among the victims. The through-line is that enterprise back-office software has become a favorite target because it holds financial data and sits deep inside corporate networks, and because organizations are slow to patch these complex, business-critical systems for fear of breaking them. Attackers know that hesitation is their opportunity, and they are increasingly exploiting flaws within weeks of a patch, well before defenders finish their careful rollout.

Who this affects

Any organization running Oracle E-Business Suite versions 12.2.3 through 12.2.15 with internet-facing interfaces is directly at risk, and Shadowserver counts more than 450 such instances exposed online, nearly 200 of them in the United States, with more across Europe. Finance and payments teams are the specific concern, since the flaw lives in the payments module and a takeover there threatens sensitive financial data and transaction systems. Security teams face an urgent triage problem, because active exploitation with no public PoC means they cannot wait for the usual signals. And the customers, partners, and employees of breached organizations bear the downstream risk, as an EBS compromise can expose the financial and personal data these systems process. Attribution remains unclear, which only adds to the uncertainty about how broad the campaign will get.


What is next?

The immediate action is unambiguous: apply the May 2026 Critical Patch Update to affected EBS versions now, and restrict public internet access to Oracle EBS interfaces, particularly the /OA_HTML/ path. Organizations should hunt their web server logs for POST requests to /OA_HTML/ibytransmit with unusual XML payloads and check firewall and proxy logs for the attacker infrastructure Defused published. Beyond the immediate fix, watch whether this escalates from targeted attacks into a broader campaign, which is the usual trajectory once a working exploit is in circulation. And expect that if ransomware or extortion groups get hold of the exploit, the pace and scale will jump sharply, exactly as it did with the earlier Oracle flaws.
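The hunting step above (POST requests to /OA_HTML/ibytransmit with unusual XML payloads) and the pattern Defused described earlier (a DeliveryRequest whose FULL_FILE_PATH points at a system file such as /etc/passwd) can be turned into a repeatable log check. The Python below is an added example written for this piece; it is not code from The Hacker News, Defused or Oracle. The log lines are constructed, and three things are assumptions about a hypothetical environment rather than facts from the article: the log format (a combined-style access log extended with a truncated request-body field, as a WAF or reverse proxy might write it), the trusted integration host 10.20.30.40, and the expected outbound directory /u01/iby/outbound/.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample log lines (not real captures). Plain web-server access
# logs carry no request body; in that case only the endpoint/method check
# below can fire, which is still enough to produce a triage list.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jun/2026:02:14:09 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 512 body="<DeliveryRequest><FULL_FILE_PATH>/etc/passwd</FULL_FILE_PATH></DeliveryRequest>"
203.0.113.7 - - [27/Jun/2026:02:14:11 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 498 body="<DeliveryRequest><FULL_FILE_PATH>../../../../etc/passwd</FULL_FILE_PATH></DeliveryRequest>"
198.51.100.22 - - [27/Jun/2026:09:30:45 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 8831 body=""
10.20.30.40 - - [27/Jun/2026:10:02:17 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 2048 body="<DeliveryRequest><FULL_FILE_PATH>/u01/iby/outbound/ach_batch.txt</FULL_FILE_PATH></DeliveryRequest>"
192.0.2.9 - - [27/Jun/2026:11:45:02 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 403 0 body=""
"""

# Assumed environment facts (hypothetical): the integration host that
# legitimately posts payment files, and the tree those files should live in.
TRUSTED_SOURCES = {"10.20.30.40"}
EXPECTED_FILE_ROOT = "/u01/iby/outbound/"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'body="(?P<body>.*)"$'
)
FILE_PATH_RE = re.compile(r"<FULL_FILE_PATH>(?P<p>[^<]*)</FULL_FILE_PATH>", re.IGNORECASE)


@dataclass
class Finding:
    ip: str
    ts: str
    severity: str          # "high" (file-read indicator) or "review" (endpoint hit)
    reason: str
    file_path: Optional[str]


def classify_file_path(p: str) -> Optional[str]:
    """Return a reason if the requested path looks like file disclosure, else None."""
    normalized = p.replace("\\", "/")
    if ".." in normalized.split("/"):
        return "directory traversal sequence in FULL_FILE_PATH"
    if normalized.startswith("/") and not normalized.startswith(EXPECTED_FILE_ROOT):
        return "absolute path outside the expected outbound directory"
    return None


def scan(log_text: str) -> list[Finding]:
    """Flag POSTs to the iPayment transmission endpoint and any suspicious file path."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        endpoint = m["path"].split("?", 1)[0].lower()
        if m["method"] != "POST" or endpoint != "/oa_html/ibytransmit":
            continue
        file_path = None
        fp = FILE_PATH_RE.search(m["body"])
        if fp:
            file_path = fp["p"]
            reason = classify_file_path(file_path)
            if reason:
                findings.append(Finding(m["ip"], m["ts"], "high", reason, file_path))
                continue
        # No body, or a body that looks routine: still worth a look unless the
        # source is a host known to send payment files.
        if m["ip"] not in TRUSTED_SOURCES:
            findings.append(Finding(m["ip"], m["ts"], "review",
                                    "POST to ibytransmit from an unrecognised source", file_path))
    return findings


def per_source_counts(findings: list[Finding]) -> Counter:
    """Count high-severity hits per address; a burst from one source is the
    shape of what Defused saw (several attempts, single origin)."""
    return Counter(f.ip for f in findings if f.severity == "high")


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.ts} {f.ip}: {f.reason} ({f.file_path})")
    print("high-severity hits by source:", dict(per_source_counts(results)))
```

Run it against your own logs by replacing SAMPLE_LOG with the file contents; adjust LINE_RE to your log format and TRUSTED_SOURCES to the hosts that actually push payment files. Every "high" finding is a reason to treat the system as potentially compromised regardless of patch state, and every "review" finding from an address that is not a known integration partner should be cross-checked against the attacker infrastructure Defused published.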

Our take

The lesson here is uncomfortable but clear: a patch you have not applied is not protection, it is a countdown, and attackers are running the clock faster every year. Six weeks between Oracle's fix and active exploitation, with no public PoC to warn anyone, should end the comfortable assumption that there is always a grace period after a patch drops. Enterprise ERP systems are prime targets precisely because they are hard to patch and full of valuable data, and the string of 9.8-rated Oracle flaws exploited within weeks makes that pattern impossible to ignore. If you run EBS, the honest question is not whether you plan to patch but whether you already have, because the people exploiting this did not wait for a public exploit and they did not wait for you. Patch now, lock down the interfaces, and assume the grace period is gone.

Reporting via The Hacker News, analysis by GenZTech.