Oracle E-Business Suite Can Be Hijacked Without a Password (CVE-2026-46817): Actively Exploited, Patch Now
Oracle E-Business Suite, the core business software running accounting, payments and HR for large enterprises and governments, has an unauthenticated takeover flaw (CVE-2026-46817, severity 9.8) that is already under active attack. About 950 instances are exposed worldwide. It can leak payment and personal data, so apply Oracle's May 2026 fix immediately.
Table of contents
Oracle E-Business Suite, the core business software running accounting, payments and HR for large enterprises and governments, has an unauthenticated takeover flaw (CVE-2026-46817, severity 9.8) that is already under active attack. About 950 instances are exposed worldwide. It can leak payment and personal data, so apply Oracle's May 2026 fix immediately.
A vulnerability that lets an attacker take over a server from the outside without logging in has been found in Oracle E-Business Suite (EBS) β the core business software that runs accounting, procurement, and HR for large enterprises and government agencies β and it is already being used in real attacks. Tracked as CVE-2026-46817, it carries a severity of 9.8 out of 10.
The flaw is in the File Transmission feature of "Oracle Payments," the component that handles corporate payment processing. An attacker needs no special account at all β sending web traffic (HTTP) is enough to take control. The monitoring group Shadowserver observes about 950 Oracle EBS instances exposed on the internet, and multiple research groups report ongoing attacks. Oracle shipped a fix in its May 2026 update; organizations exposing EBS to the outside should apply it immediately.
Vulnerability overview
| Item | Detail |
|---|---|
| Tracking ID | CVE-2026-46817 |
| Affected software | Oracle E-Business Suite (Oracle Payments, File Transmission) |
| Affected versions | 12.2.3 β 12.2.15 |
| Severity (out of 10) | 9.8 (near maximum) |
| Login required? | No (anyone) |
| Worst case | Unauthenticated server takeover (data theft, tampering, destruction) |
| Exploitation | Confirmed in real attacks (late June 2026, before public PoC) |
| Fix | Apply Oracle's May 2026 Critical Patch Update now |
"Severity" is the value on CVSS, an international scale that rates how serious a flaw is out of 10. A 9.8 appears when the conditions align: no login, exploitable remotely, and full control.
Who targets this, and what's the damage?
The attackers are operators who scan the internet for exposed core business systems, steal a company's internal data, and demand money. Because Oracle EBS handles the heart of a business β accounting, payments, procurement, HR β the data it holds is extremely valuable, making it a lucrative target. Since no login is needed, attackers don't even have to impersonate a legitimate user.
What the attacker does is break into the server just by sending web traffic and pull out internal files one after another. In the attacks actually observed, activity aimed at retrieving sensitive files from the target was seen. Once they gain a foothold, they plant additional programs to persist and reach deeper data.
The first to suffer are the companies and agencies running EBS. Payment records, partner data, and employee personal information can leak, leading straight to extortion β "pay up or we publish." And ultimately, the ones who suffer are the business partners and ordinary people who entrusted their information to that company. Stealing large volumes of data from a core business system and extorting the victim is the same pattern seen in recent major data-leak incidents.
What Oracle E-Business Suite is
Oracle E-Business Suite is integrated business software (ERP) that runs accounting, purchasing, inventory, manufacturing, HR, and payroll in one place. Large enterprises and government agencies have used it as a management foundation for years, and many organizations in Japan run it too. "Oracle Payments," the component at issue here, handles corporate payment and settlement processing.
Core systems like this are hard to take offline once running, and updates are applied cautiously, so flaws tend to linger unpatched for a long time. Because they hold the center of a company's money and transactions, they are a "big if you get in" target for attackers. Oracle's core products have repeatedly had serious flaws; we have covered the 35 flaws disclosed in Oracle's monthly patch and the emergency flaw in the PeopleSoft HR/payroll system.
Technical details
CVE-2026-46817: abusing the payment component's file transmission without a login
The problem is in the "File Transmission" feature of Oracle Payments. According to the NVD writeup, this feature combines improper privilege management, improper authentication, and missing authentication for a critical function (CWE-269 / 287 / 306), leaving it in a state where an unauthenticated attacker can breach confidentiality, integrity, and availability all at once just by sending web traffic. That means stealing, altering, and destroying data are all possible, and the system can be fully taken over.
No advanced skill is required. Attack complexity is low (AC:L) and no user interaction is needed. That is why the roughly 950 exposed EBS instances are squarely in the path of indiscriminate scanning. The severity is 9.8 out of 10, among the most serious for an Oracle product.
How events unfolded
β Swipe to move
What to do now
The fix is clear: apply the correction Oracle shipped in its May 2026 Critical Patch Update, right now. Because attacks have already started, "at the next maintenance window" may be too late. Check today whether your EBS is in the affected 12.2.3β12.2.15 range and whether the fix is applied.
If you cannot update immediately, keep the EBS admin screen and payment-related functions off the public internet (behind an internal network or VPN) to reduce exposure to indiscriminate scanning. Also review logs for suspicious file access or outbound traffic. You can track actively exploited flaws on the U.S. CISA warning list (KEV dashboard).
β Confirmed facts
- βAn unauthenticated takeover flaw in Oracle Payments (Oracle EBS), severity 9.8 (CVE-2026-46817)
- βAffects 12.2.3β12.2.15; fixed in Oracle's May 2026 update (Help Net Security)
- βReal exploitation confirmed in late June 2026, before public PoC (BleepingComputer)
- βAbout 950 EBS instances exposed online, with ongoing attacks observed (Shadowserver / Security Affairs)
Closing
Oracle E-Business Suite runs the center of a company's money and transactions. Taking it over without a login leads directly to payment records and personal data pouring out all at once. And this time, attacks began before any exploit code went public β a fresh reminder that attackers reverse-engineer the patch and move without waiting for public information.
What to do is apply the May fix now and avoid carelessly exposing EBS to the outside. Core business systems get deferred precisely because they're hard to take offline β but the harder a system is to stop, the greater the damage when it's taken over. Check the state of your EBS today.
References
- βΈNVD - CVE-2026-46817 Detail
- βΈBleepingComputer - Hackers now exploit critical Oracle E-Business flaw in attacks
- βΈThe Hacker News - Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited
- βΈHelp Net Security - Oracle E-Business Suite Payments flaw under attack
- βΈSecurity Affairs - Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed
- βΈOracle - Security Alerts / Critical Patch Update

Makoto Horikawa
Backend Engineer / AWS / Django