Oracle E-Business Suite customers are facing urgent risk from multiple critical vulnerabilities affecting versions 12.2.3 through 12.2.15, including CVE-2026-46817 in the Oracle Payments File Transmission component and CVE-2026-46933 in Oracle Applications Manager. CVE-2026-46817, rated CVSS 9.8, can be exploited by an unauthenticated remote attacker over HTTP via the /OA_HTML/ibytransmit endpoint and may allow takeover of Oracle Payments and broader EBS environments. Oracle addressed the flaw in its May 2026 Critical Security Patch Update, while CVE-2026-46933, rated CVSS 9.9, was fixed in the June 2026 update as part of a broader set of 245 patched vulnerabilities.
Security researchers reported that CVE-2026-46817 is already being exploited in the wild, with honeypots capturing crafted XML payloads attempting to read /etc/passwd, indicating private exploit tooling was in use before any public proof of concept emerged. The exposure is amplified by the number of internet-facing deployments, with Shadowserver identifying more than 450 reachable EBS instances, and government and industry defenders warning organizations to patch immediately and restrict HTTP access to trusted network segments where possible.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
9 events from the most recent confirmed update back to the earliest known activity.
The report says Shadowserver found about 950 Oracle E-Business Suite instances exposed to the internet, with many located in the United States. This significantly increased the known exposure baseline associated with CVE-2026-46817 compared with earlier reporting.
Shadowserver identified more than 450 internet-exposed Oracle E-Business Suite instances, increasing the potential risk from CVE-2026-46817. The exposed systems were noted as especially concerning for enterprise financial environments.
Defused observed active exploitation attempts against Oracle E-Business honeypots on June 27 and 28, 2026, targeting CVE-2026-46817. The activity included crafted XML payloads attempting to read /etc/passwd, indicating private exploit tooling was already in use before any public proof of concept was available.
The German Federal Office for Information Security warned about an Oracle E-Business Suite bug cluster that included CVE-2026-46933. The warning highlighted the severity of the issue, though no active exploitation was reported at that time.
Oracle released a patch for CVE-2026-46933, a critical Oracle Applications Manager vulnerability in Oracle E-Business Suite, in its June 2026 Critical Security Patch Update. The flaw affects versions 12.2.3 through 12.2.15 and can allow full compromise by a low-privileged attacker over HTTP.
The reference states that CVE-2026-46817 was published to the National Vulnerability Database on 2026-05-28. At that time, no CWE classification, proof-of-concept, or confirmed exploitation had been disclosed, according to the report.
Oracle fixed CVE-2026-46824, a critical Oracle E-Business Suite flaw in Oracle Universal Work Queue's Work Provider Site Level Administration component, in its May 2026 Critical Security Patch Update. The vulnerability affects Oracle E-Business Suite versions 12.2.3 through 12.2.15 and can allow low-privileged attackers to achieve complete application takeover.
Oracle fixed CVE-2026-46817, a critical Oracle E-Business Suite flaw in the File Transmission component of Oracle Payments, in its May 2026 Critical Security Patch Update. The vulnerability affects Oracle E-Business Suite versions 12.2.3 through 12.2.15.
The reference states that CISA added CVE-2026-46817 to its Known Exploited Vulnerabilities catalog on 2026-07-15, noting active exploitation. This marks an official U.S. government acknowledgment of in-the-wild exploitation of the Oracle E-Business Suite flaw.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
7 references tracked. Mallory keeps watching after this page renders.
cyberveille.ch
Open sourcethreataft.com
Open sourcethreataft.com
Open sourceegfincirt-wpn.azurewebsites.net
Open sourcezeropath.com
Open sourcezeropath.com
Open sourcecve.circl.lu
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.