CISA Mandates Urgent Patching for Actively Exploited Oracle E-Business Suite Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) has issued a directive for federal agencies to immediately patch a critical vulnerability in **Oracle E-Business Suite (EBS)**. Tracked as **CVE-2026-46817**, this flaw allows unauthenticated attackers to take over vulnerable systems, with reports indicating active exploitation in the wild.
Federal agencies are under a strict deadline from **CISA** to secure their systems against an actively exploited critical vulnerability within **Oracle E-Business Suite (EBS)**. The directive, issued on Wednesday, mandates patching by Saturday, July 18, in accordance with Binding Operational Directive (BOD) 26-04.
### Critical Flaw in Oracle EBS Payments
The vulnerability, identified as **CVE-2026-46817**, resides in the File Transmission component of EBS's **Oracle Payments** product. It enables unauthenticated threat actors with HTTP network access to compromise vulnerable systems through low-complexity attacks.
**Oracle** initially released security updates to address this issue in its May 2026 Critical Security Patch Update, urging customers to apply patches without delay. The company had previously warned that attackers often succeed due to customers failing to apply available patches.
### Exploitation Confirmed In The Wild
While **Oracle** had not officially flagged **CVE-2026-46817** as exploited in the wild, threat intelligence firm **Defused** reported observing active exploitation on its **Oracle E-Business** honeypots as early as June 29. **Defused** noted that this vulnerability had no prior known exploitation and no public Proof-of-Concept (POC) code.
**CISA** has since corroborated these reports, adding **CVE-2026-46817** to its catalog of known exploited vulnerabilities. The agency highlights that these types of flaws are frequent attack vectors and pose significant risks to federal enterprises.
### Widespread Exposure and Persistent Threats
Internet security watchdog **Shadowserver** currently tracks over 1,000 Internet-exposed **Oracle EBS** instances, with more than half located in the United States. It remains unclear how many of these are honeypots or have been successfully secured against ongoing attacks.
.jpg)
*Oracle EBS instances exposed online (Shadowserver)*
This isn't the first time **Oracle EBS** has been targeted. In October, **CISA** ordered government agencies to patch **CVE-2025-61884**, an unauthenticated server-side request forgery (SSRF) vulnerability in **Oracle E-Business Suite**, which was also actively exploited. More recently, in June, a high-severity **Oracle WebLogic Server** flaw (**CVE-2024-21182**) also necessitated urgent patching after being actively exploited.
Over the past few years, **CISA** has identified 43 security issues across various **Oracle** products that have been exploited in the wild, with 12 of these also abused by ransomware gangs. This ongoing pattern underscores the critical importance of timely patching and robust security hygiene for organizations utilizing **Oracle** solutions.