
Critical Oracle E-Business Suite Flaw Is Under Active Attack

Attackers are exploiting a 9.8-rated flaw in Oracle E-Business Suite that hands them control of the Payments module with no login required. Oracle patched it in May, but exposed and unpatched instances are being hit now. Any business running EBS for finance needs to confirm the fix is installed.

By SecureBusinessHub Editorial, International cybersecurity desk

Criminals are breaking into Oracle E-Business Suite servers through a flaw that needs no password and no clicking from a victim. Oracle shipped a fix back in May. The attacks started over the weekend of 27 and 28 June, so anyone who skipped that patch is now a live target rather than a theoretical one.

The flaw in plain terms

The bug is tracked as CVE-2026-46817. It sits in the File Transmission component of Oracle Payments, the part of the suite that moves financial data around. It scores 9.8 out of 10 on the CVSS scale. An attacker with nothing more than HTTP access to the server can take the whole instance over, no credentials needed, in a low-effort attack. There was no public exploit code before the weekend, which means whoever is hitting it worked the bug out for themselves. That usually points to a capable and well-motivated crew rather than opportunists running someone else's script.

Oracle E-Business Suite runs payroll, procurement, and accounting for a lot of mid-sized companies and public bodies. A full takeover of the Payments module puts banking details, supplier records, and the ability to redirect transfers straight into an attacker's hands. This is not a website defacement. It is the financial core of the business.

Are you exposed?

  • Check your EBS version. Releases 12.2.3 through 12.2.15 are affected. From the application, look under Help then About, or ask whoever administers the system.
  • Confirm the May 2026 Critical Patch Update is installed. That is the release that closes CVE-2026-46817. A January or April patch level does not cover it.
  • Find out whether the EBS login or File Transmission endpoint is reachable from the public internet. Shadowserver counted around 450 exposed instances, roughly 200 of them across the United States and Europe. If yours is one of them, treat this as a same-day job.
  • If you genuinely cannot patch today, block external access to the EBS web tier at the firewall until you can. An instance that attackers cannot reach is one they cannot take over.
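The checklist above, applied to several instances at once, as an added example that is not part of the original article. The CSV layout, host names and status labels are constructed for illustration, and the script assumes that any patch level from May 2026 onward includes the fix.

```python
import csv
import io

AFFECTED_MIN, AFFECTED_MAX = (12, 2, 3), (12, 2, 15)  # affected range given in the article
FIXED_CPU = (2026, 5)                                  # May 2026 Critical Patch Update

# Constructed sample inventory; column names are assumptions for this example.
SAMPLE = """host,ebs_version,cpu_level,internet_facing
erp-prod,12.2.9,2026-04,yes
erp-dr,12.2.15,2026-05,yes
erp-test,12.2.12,2026-01,no
erp-legacy,12.2.2,2025-10,yes
erp-new,12.2.10,,no
"""

def parse_version(text):
    # Compare numerically: as plain strings, "12.2.15" sorts before "12.2.3".
    return tuple(int(part) for part in text.strip().split("."))

def parse_cpu(text):
    # A missing or malformed patch level is treated as "not patched".
    try:
        year, month = text.strip().split("-")
        return (int(year), int(month))
    except ValueError:
        return None

def triage(row):
    version = parse_version(row["ebs_version"])
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return "not-listed"      # outside the releases the article names
    cpu = parse_cpu(row["cpu_level"])
    if cpu is not None and cpu >= FIXED_CPU:
        return "patched"
    exposed = row["internet_facing"].strip().lower() == "yes"
    # Exposed and unpatched is the same-day case; internal-only still needs the fix.
    return "urgent" if exposed else "patch-soon"

def triage_inventory(text):
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host:12} {status}")
```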

Where this came from

Researchers at the threat intelligence firm Defused caught the first attacks on honeypot servers, which are decoy systems set up to lure intruders and watch what they do. The pattern echoes CVE-2025-61882, a separate EBS flaw the Clop extortion gang exploited as a zero-day from August 2025 against universities and large organisations. Oracle's financial software has become a repeat target, and once one bug proves profitable, the rest of the product gets probed harder.

If you think you were hit

Assume the worst if your instance was both exposed and unpatched. Pull it off the internet, preserve the logs, and look for unfamiliar admin accounts, new scheduled jobs, and changes to payment or bank-account fields. Then apply the patch before you reconnect. Resetting credentials matters less here than working out what the intruder touched, because the access never depended on a stolen password in the first place.