900+ Oracle E-Business instances under active attack

Summary

– Over 900 Oracle EBS instances are exposed online, with active exploitation of the critical flaw CVE-2026-46817.
– The vulnerability allows unauthenticated attackers to take over systems via low-complexity HTTP attacks on the Oracle Payments File Transmission component.
– Oracle patched the flaw in its May 2026 Critical Patch Update and urged immediate patching.
– Defused reported active exploitation over the weekend, despite no prior known attacks or public proof-of-concept code.
– Shadowserver tracks around 950 exposed Oracle EBS instances, but it’s unknown how many are patched against this flaw.

More than 900 Oracle E-Business Suite (EBS) deployments are currently exposed to the internet as attackers actively exploit a critical vulnerability. The flaw, designated CVE-2026-46817, resides in the File Transmission component of Oracle Payments. It carries a CVSS score of 9.8: unauthenticated attackers with network access over HTTP can completely compromise a system without any privileges.

Oracle addressed the issue in its May 2026 Critical Security Patch Update and has strongly advised customers to apply the fix without delay. Although the company has not yet officially confirmed active exploitation, threat intelligence firm Defused reported on Monday that real-world attacks have begun. The first attempts were detected over the weekend on their honeypot systems designed to mimic Oracle EBS environments.

“CVE-2026-46817 (CVSS 9.8 unauth HTTP takeover in Oracle E-Business) is being exploited,” Defused stated. “Over the weekend, we observed an actor exploiting the vulnerability on our Oracle E-Business honeypots. This vulnerability has no known previous exploitation and no public POC code exists.”

Earlier today, the Shadowserver Foundation, an internet security watchdog, reported tracking approximately 950 Oracle EBS instances accessible online. It remains unclear how many of those systems have already been patched against this specific threat.

This incident follows a pattern of escalating attacks against Oracle products. Last month, CISA added a high-severity Oracle WebLogic Server flaw (CVE-2024-21182) to its catalog of actively exploited vulnerabilities, even though that bug was patched two years ago. Weeks later, Oracle issued a fix for a critical PeopleSoft Suite zero-day (CVE-2026-35273) that the ShinyHunters extortion gang had used to achieve unauthenticated remote code execution between May 27 and June 9. That campaign reportedly stole data from numerous organizations worldwide, including Nottingham University and the National Association of Insurance Commissioners (NAIC).

More recently, Nissan warned that a compromise of its Oracle PeopleSoft instance led to a data breach affecting current and former employees. Since early August 2025, the Clop ransomware gang has been exploiting another Oracle EBS security flaw (CVE-2025-61882) in zero-day attacks against U.S. universities such as Harvard, the University of Pennsylvania, Dartmouth College, and the University of Phoenix, as well as high-profile corporations like Logitech, GlobalLogic, and the Washington Post.

Since November 2021, CISA has added 44 vulnerabilities across various Oracle products to its list of actively exploited flaws, with 13 of those also used by ransomware gangs.

(Source: BleepingComputer)
