Breaking: Oracle E-Business Suite Under Active Exploitation (CVSS 9.8) — 16 July 2026
Oracle E-Business Suite Under Active Exploitation — CVSS 9.8, 3-Day KEV Deadline
CISA added CVE-2026-46817 to the Known Exploited Vulnerabilities catalog on July 15, confirming active exploitation in the wild. The flaw, an improper privilege management vulnerability in Oracle E-Business Suite's Payments component, carries a CVSS 3.1 score of 9.8 and requires no authentication to exploit.
An unauthenticated attacker with HTTP network access can fully compromise Oracle Payments, gaining control over payment processing operations. The underlying weaknesses span CWE-269 (Improper Privilege Management), CWE-287 (Improper Authentication), and CWE-306 (Missing Authentication for Critical Function), indicating that the affected component fails to enforce authentication or privilege boundaries for sensitive functions at all.
The remediation deadline is July 18, 2026 — just three days from the KEV listing. Oracle published the fix in its May 2026 Critical Patch Update, so patches are available for supported versions (12.2.3 through 12.2.15). Organizations running E-Business Suite, particularly those with internet-facing or broadly accessible instances, should treat this as an emergency.
The short remediation window and the unauthenticated nature of exploitation mean defenders should assume active compromise of any unpatched, exposed Oracle Payments instance. Review application and web server logs for suspicious HTTP activity, unexpected administrative changes, unauthorized modifications to payment configurations, and newly created accounts. If compromise is suspected, do not simply patch. Conduct a full forensic review before and after remediation.
So What / Action
- Inventory all Oracle E-Business Suite deployments immediately. Confirm whether Oracle Payments is enabled and whether instances are internet-facing. - Apply the May 2026 Critical Patch Update to all affected versions (12.2.3 through 12.2.15) before the July 18 KEV deadline. - If patching is not immediately possible, restrict network access to Oracle E-Business Suite services and consider taking affected instances offline until patches are applied. CISA's guidance is explicit: if mitigations are unavailable, discontinue use of the product. - Review logs for indicators of compromise, particularly around payment processing modules, privileged account creation, and configuration changes. - Do not treat this as a routine patching cycle. The combination of CVSS 9.8, unauthenticated exploitation, confirmed wild attacks, and a three-day federal deadline places this in the highest urgency tier.

