Top/Articles/Oracle E-Business Suite Can Be Hijacked Without a Password (CVE-2026-46817): Actively Exploited, Patch Now
oracle-ebs-cve-cover-en

Oracle E-Business Suite Can Be Hijacked Without a Password (CVE-2026-46817): Actively Exploited, Patch Now

Oracle E-Business Suite, the core business software running accounting, payments and HR for large enterprises and governments, has an unauthenticated takeover flaw (CVE-2026-46817, severity 9.8) that is already under active attack. About 950 instances are exposed worldwide. It can leak payment and personal data, so apply Oracle's May 2026 fix immediately.

NewsPublished July 8, 2026 Updated today
Table of contents
Key takeaways

Oracle E-Business Suite, the core business software running accounting, payments and HR for large enterprises and governments, has an unauthenticated takeover flaw (CVE-2026-46817, severity 9.8) that is already under active attack. About 950 instances are exposed worldwide. It can leak payment and personal data, so apply Oracle's May 2026 fix immediately.

A vulnerability that lets an attacker take over a server from the outside without logging in has been found in Oracle E-Business Suite (EBS) β€” the core business software that runs accounting, procurement, and HR for large enterprises and government agencies β€” and it is already being used in real attacks. Tracked as CVE-2026-46817, it carries a severity of 9.8 out of 10.

The flaw is in the File Transmission feature of "Oracle Payments," the component that handles corporate payment processing. An attacker needs no special account at all β€” sending web traffic (HTTP) is enough to take control. The monitoring group Shadowserver observes about 950 Oracle EBS instances exposed on the internet, and multiple research groups report ongoing attacks. Oracle shipped a fix in its May 2026 update; organizations exposing EBS to the outside should apply it immediately.

Vulnerability overview

ItemDetail
Tracking IDCVE-2026-46817
Affected softwareOracle E-Business Suite
(Oracle Payments, File Transmission)
Affected versions12.2.3 – 12.2.15
Severity (out of 10)9.8 (near maximum)
Login required?No (anyone)
Worst caseUnauthenticated server takeover
(data theft, tampering, destruction)
ExploitationConfirmed in real attacks
(late June 2026, before public PoC)
FixApply Oracle's May 2026
Critical Patch Update now

"Severity" is the value on CVSS, an international scale that rates how serious a flaw is out of 10. A 9.8 appears when the conditions align: no login, exploitable remotely, and full control.

Who targets this, and what's the damage?

The attackers are operators who scan the internet for exposed core business systems, steal a company's internal data, and demand money. Because Oracle EBS handles the heart of a business β€” accounting, payments, procurement, HR β€” the data it holds is extremely valuable, making it a lucrative target. Since no login is needed, attackers don't even have to impersonate a legitimate user.

What the attacker does is break into the server just by sending web traffic and pull out internal files one after another. In the attacks actually observed, activity aimed at retrieving sensitive files from the target was seen. Once they gain a foothold, they plant additional programs to persist and reach deeper data.

The first to suffer are the companies and agencies running EBS. Payment records, partner data, and employee personal information can leak, leading straight to extortion β€” "pay up or we publish." And ultimately, the ones who suffer are the business partners and ordinary people who entrusted their information to that company. Stealing large volumes of data from a core business system and extorting the victim is the same pattern seen in recent major data-leak incidents.

What Oracle E-Business Suite is

Oracle E-Business Suite is integrated business software (ERP) that runs accounting, purchasing, inventory, manufacturing, HR, and payroll in one place. Large enterprises and government agencies have used it as a management foundation for years, and many organizations in Japan run it too. "Oracle Payments," the component at issue here, handles corporate payment and settlement processing.

Core systems like this are hard to take offline once running, and updates are applied cautiously, so flaws tend to linger unpatched for a long time. Because they hold the center of a company's money and transactions, they are a "big if you get in" target for attackers. Oracle's core products have repeatedly had serious flaws; we have covered the 35 flaws disclosed in Oracle's monthly patch and the emergency flaw in the PeopleSoft HR/payroll system.

Technical details

CVE-2026-46817: abusing the payment component's file transmission without a login

The problem is in the "File Transmission" feature of Oracle Payments. According to the NVD writeup, this feature combines improper privilege management, improper authentication, and missing authentication for a critical function (CWE-269 / 287 / 306), leaving it in a state where an unauthenticated attacker can breach confidentiality, integrity, and availability all at once just by sending web traffic. That means stealing, altering, and destroying data are all possible, and the system can be fully taken over.

No advanced skill is required. Attack complexity is low (AC:L) and no user interaction is needed. That is why the roughly 950 exposed EBS instances are squarely in the path of indiscriminate scanning. The severity is 9.8 out of 10, among the most serious for an Oracle product.

How events unfolded

← Swipe to move

What to do now

The fix is clear: apply the correction Oracle shipped in its May 2026 Critical Patch Update, right now. Because attacks have already started, "at the next maintenance window" may be too late. Check today whether your EBS is in the affected 12.2.3–12.2.15 range and whether the fix is applied.

If you cannot update immediately, keep the EBS admin screen and payment-related functions off the public internet (behind an internal network or VPN) to reduce exposure to indiscriminate scanning. Also review logs for suspicious file access or outbound traffic. You can track actively exploited flaws on the U.S. CISA warning list (KEV dashboard).

βœ“ Confirmed facts

Closing

Oracle E-Business Suite runs the center of a company's money and transactions. Taking it over without a login leads directly to payment records and personal data pouring out all at once. And this time, attacks began before any exploit code went public β€” a fresh reminder that attackers reverse-engineer the patch and move without waiting for public information.

What to do is apply the May fix now and avoid carelessly exposing EBS to the outside. Core business systems get deferred precisely because they're hard to take offline β€” but the harder a system is to stop, the greater the damage when it's taken over. Check the state of your EBS today.

References

avatar-m-1

Makoto Horikawa

Backend Engineer / AWS / Django